OpenSea launches new contract-clearing system to protect against recent bug
On Thursday evening, blockchain platform OpenSea launched a new system, set to roll out over the next two weeks, that will help users clear out unclaimed sale offers. In an announcement post, CEO Devin Finzer said the changes were made to “ensure old, inactive listings expire.”
The move comes after a bug that allowed attackers to exploit old contracts to buy tokens for hundreds of thousands of dollars below market price. In one particularly attention-getting case in January, a Bored Ape Yacht Club token was purchased for less than $2,000 and resold immediately for over $192,000.
The bug was a result of how OpenSea’s platform interacts with the Ethereum blockchain: the platform often saves gas fees by listing offers locally rather than coding them into the broader chain. An oversight in that system allowed old contracts to sometimes linger on the blockchain without appearing in the OpenSea interface. By making offers against those contracts, which were often years old, attackers could take advantage of badly out-of-date prices — usually taking token-owners by surprise.
As described by OpenSea, the new system will enable users to cancel all unfilled contracts while incurring only minimal gas fees. A separate change looks to make signatures clearer, hopefully preventing users from mistaking contract terms in the future. The new system is expected to take 15 days to fully roll out, at which point users will be invited to switch their accounts onto the new system.
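The stale-listing condition and the two remedies described above (expiry and a cheap cancel-all) can be modelled from the owner's side as an audit. This is an added example, not OpenSea's code: the `Listing` and `Account` types, the `cancel_before` marker, the 50% price threshold and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Listing:
    """A sale offer the owner signed off-chain (all fields are constructed)."""
    maker: str
    token: str
    price_eth: float
    created: int              # unix seconds
    expires: Optional[int]    # None = never expires (the legacy behaviour)

@dataclass
class Account:
    """Hypothetical account state; cancel_before models the cheap cancel-all."""
    cancel_before: int = 0

def is_fillable(l: Listing, acct: Account, now: int) -> bool:
    """A signed listing can be accepted unless it has expired or been cancelled."""
    if l.expires is not None and now >= l.expires:
        return False
    return l.created >= acct.cancel_before

def stale_listings(listings, shown_in_ui, acct, now, market_eth, ratio=0.5):
    """Listings still fillable, absent from the interface, and priced
    below `ratio` of the current market price for that token."""
    return [l for l in listings
            if is_fillable(l, acct, now)
            and l not in shown_in_ui
            and l.price_eth < ratio * market_eth[l.token]]

# Constructed sample data: one forgotten two-year-old offer, one current offer.
NOW = 1_645_000_000
YEAR = 365 * 24 * 3600
old = Listing("alice", "ape-1", 0.75, NOW - 2 * YEAR, None)
current = Listing("alice", "ape-1", 80.0, NOW - 3600, NOW + 30 * 24 * 3600)
market = {"ape-1": 78.0}

if __name__ == "__main__":
    print("at risk:", stale_listings([old, current], {current}, Account(), NOW, market))
    print("after cancel-all:", is_fillable(old, Account(cancel_before=NOW), NOW))
```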
The largest platform for trading and bidding on NFTs, OpenSea has been immensely successful over the course of the recent boom. At the same time, the company has struggled to secure and moderate the influx of new activity on the marketplace. A recent Chainalysis report found a small but growing amount of money-laundering activity in NFT marketplaces, although the problem is not specific to OpenSea.