SNEAK PEEK
- Hackers exploited OpenSea’s stolen Ape policy to sell to Franklin’s collection offer.
- The sale was executed through Seaport’s “Match Advanced Order” function to mint and sell the Ape.
- The hack bypasses OpenSea’s security policy, but it still needs a buyer who has placed a bid (offer) for the sale to happen.
Franklin, the 6th largest BAYC holder, revealed via his official Twitter account that someone had exploited OpenSea’s stolen Ape policy to sell to his collection offer after it was already marked as under review for suspicious activity.
It happened again – second time in a week someone has exploited OpenSea’s stolen ape policy to sell to my collection offer after it was already marked as “under review for suspicious activity” (yellow mark). They used a “Match Advanced Order” function to “Mint” and sell to me. pic.twitter.com/21hijgtUse
— Franklin (@franklinisbored) January 22, 2023
As the tweet shows, the hackers used the “Match Advanced Order” function to mint and sell the Ape to Franklin. This follows Franklin’s tweet of January 20, urging OpenSea to fix its stolen Ape policy. He noted that an Ape with a yellow caution mark had been sold to his OpenSea WETH offer for 65 WETH.
On that sale OpenSea collected 1.625 ETH in fees, and Franklin was unable to resell the Ape. He pointed out that the Ape had been marked before the sale took place.
Cos, the founder of SlowMist and creator of DarkHandBook.io and ZoomEye.org, tweeted that hackers can use the matchAdvancedOrders function of the OpenSea Seaport protocol to complete the sale of an NFT that OpenSea’s mark has blocked.
An NFT that OpenSea has flagged and blacklisted can still be sold by hackers through the matchAdvancedOrders function of the OpenSea Seaport protocol. That bypasses OpenSea’s security policy (blacklisted means not sellable), but it does require a buyer who has bid an offer.
Hackers are really clever… https://t.co/sSRNocsre2
— Cos(余弦)😶🌫️ (@evilcos) January 23, 2023
This bypasses OpenSea’s security policy, but it still requires a buyer who has bid on the offer.
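To make the enforcement gap Cos describes concrete, here is an added Python model; it is not OpenSea or Seaport code, and the names, token id, flag list and `zone` hook are constructed for the illustration. A marketplace frontend refuses to build a sale for a flagged token, but a settlement contract that is called directly enforces only what the order itself encodes. A fill-time check attached to the buyer’s offer (a hypothetical stand-in for a Seaport restricted-order zone) closes the gap, because it is evaluated when the order is matched, not when the offer was placed. The “mint” step from the tweet is not modelled.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed values for the illustration; only the 65 WETH price and the
# 1.625 ETH fee follow the figures quoted in the article.
MARKETPLACE_FEE = 0.025  # 2.5% of 65 WETH = 1.625 ETH


@dataclass(frozen=True)
class Token:
    collection: str
    token_id: int


@dataclass(frozen=True)
class CollectionOffer:
    """A criteria-based bid: any token of `collection` satisfies it."""
    buyer: str
    collection: str
    price_weth: float
    # Optional fill-time policy check evaluated by the settlement layer.
    # Hypothetical stand-in for a Seaport restricted-order zone.
    zone: Optional[Callable[[Token], bool]] = None


# Hypothetical flag list that the marketplace keeps off-chain ("yellow mark").
FLAGGED = {Token("BAYC", 1234)}


class Frontend:
    """Marketplace UI: refuses to assemble a sale for a flagged token."""

    def sell_into_offer(self, token: Token, offer: CollectionOffer,
                        protocol: "Protocol") -> Optional[Dict]:
        if token in FLAGGED:
            return None  # blocked at the UI, never reaches the contract
        return protocol.match(token, offer)


class Protocol:
    """Settlement contract: has no knowledge of the UI's flag list and enforces
    only what the order encodes (collection criteria plus an optional zone)."""

    def match(self, token: Token, offer: CollectionOffer) -> Dict:
        if token.collection != offer.collection:
            raise ValueError("token does not meet the offer's criteria")
        if offer.zone is not None and not offer.zone(token):
            raise PermissionError("zone rejected the fill")
        fee = round(offer.price_weth * MARKETPLACE_FEE, 6)
        return {"buyer": offer.buyer, "token": token,
                "paid_weth": offer.price_weth, "fee_eth": fee}


def scenario(restricted: bool):
    """Sell the flagged token into a 65 WETH collection offer two ways:
    through the UI and by calling the settlement layer directly.
    Returns (ui_result, direct_result); None means the sale did not happen."""
    # The zone consults the flag list at fill time, so a token marked after
    # the offer was placed is still refused.
    zone = (lambda t: t not in FLAGGED) if restricted else None
    offer = CollectionOffer("franklin", "BAYC", 65.0, zone=zone)
    token = Token("BAYC", 1234)
    ui_result = Frontend().sell_into_offer(token, offer, Protocol())
    try:
        direct_result = Protocol().match(token, offer)
    except PermissionError:
        direct_result = None
    return ui_result, direct_result


if __name__ == "__main__":
    print("open offer:      ", scenario(restricted=False))
    print("restricted offer:", scenario(restricted=True))
```

With an open offer the UI refuses the flagged token while the direct call settles it and the marketplace still collects its 1.625 ETH fee; with the restricted offer both paths refuse it. The design point for a bidder is that a policy enforced only by the frontend is not a policy the settlement layer knows about, so any protection against flagged tokens has to travel with the order itself.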