Newsletter #40

securing your NFTs

Jan 28, 2022

First of all, don’t panic: this loophole only happens under very specific conditions.

Here are the steps necessary to trigger it:

You list an NFT for sale on OpenSea
You transfer the NFT to a different wallet
OpenSea will then cancel the order on its user interface, but it won’t cancel it on the blockchain
You transfer the NFT back to the original wallet
The item is not listed for sale on the OpenSea website, but it is still for sale according the the blockchain.
Someone buys the NFT for the price you set at Step 1

One of the fundamental concepts of blockchain technologies is that changing the blockchain requires payment. This is known as “gas” on the Ethereum blockchain. So because no one paid the gas to cancel the order created on the blockchain in step 1, the open order lurked there for someone to find.

In this case, the exploiter did not find the miss-priced NFTs accidentally. They built a script and automated the process.

What can you do to protect yourself from this exploit?

We have some good news and some bad news.

Let’s do the bad news first: protecting yourself from this exploit is not as easy as canceling your past “for sale” listings. That’s because enterprising bots are now scouring the blockchain and front-running cancelation orders.

If you try to cancel then you’ll be alerting the bot who just might snipe it.

The good news is there is still a fix:

Find out the NFTs you have listed for sale on OpenSea by viewing your profile on Lazy.com or using OpenSea’s new listings dashboard.

Transfer the NFT to a new wallet.
Cancel the “for sale” listing on the original wallet.

The moral of the story is that the blockchain always remembers.

We ❤️ Feedback

We would love to hear from you as we continue to build out new features for Lazy! Love the site? Have an idea on how we can improve it? Drop us a line at info@lazy.com

Lazy.com’s Newsletter

Discussion about this post