UPDATED 12:15 EDT / JANUARY 24 2022

OpenSea exploit allows hackers to buy NFTs at steep discounts, steal $1M from users

Updated with information from an OpenSea spokesperson:

A bug on the OpenSea nonfungible token marketplace has been discovered and is being exploited by hackers to purchase NFTs at steeply discounted prices and then flip them.

According to cryptocurrency analytics firm Elliptic, hackers have stolen more than $1 million worth of NFTs in this manner since this morning. The company identified at least three attackers who have exploited at least eight NFTs, including Bored Ape Yacht Club, Mutant Ape Yacht Club, Cool Cats and Cyberkongz.

NFTs are a type of blockchain-based cryptoasset that provides cryptographic proof of ownership of a digital asset. Digital artwork includes the Bored Ape Yacht Club collection, made up of a large set of cartoon apes that are used as profile images and as access passes to a chat community.

The bug, which was discovered at the end of December, involves users moving their NFTs out of the wallet that listed them without cancelling the listing, which avoids delisting fees. The listing, however, stays live on the application programming interface backend of OpenSea and of Rarible, another NFT marketplace. This bug was originally noted by cap10bad, the founder of the freshdrops.io NFT project.

The exploit was explained by Rotem Yakir, a developer at the decentralized finance company Orbs.com, in a Twitter thread. Yakir said people who relisted their NFTs without canceling them and went on to sell them at a higher price could have them bought at a lower price.

Elliptic discovered that as of today one attacker paid a total of $133,000 for seven NFTs by exploiting the bug before quickly selling them for $934,000.

According to the company, although the issue was discovered and revealed weeks ago, it had not seen noteworthy exploitation until today.

Earlier today, security researcher Tal Be’ery confirmed research from Elliptic and Yakir when he showed data from the Ethereum blockchain revealing that Bored Ape Yacht Club #8274 was bought at its July price of $50,500 (22.9 ETH) and sold again for around $296,000 (130 ETH).

An OpenSea spokesperson told SiliconANGLE that this is “not an exploit or a bug,” however, and is instead “an issue that arises from the nature of the blockchain.”

“Since this issue was identified, we’ve taken it incredibly seriously and worked to ship product solutions for the community,” the spokesperson said. “OpenSea cannot cancel listings on behalf of users. Instead, users must cancel their own listings. In addition, we have been actively reaching out to and reimbursing affected users.”

OpenSea explained that the issue was not broadly communicated weeks ago when it was first revealed because it did not want to bring attention to bad actors. Instead, it has been shipping a cancellation dashboard and mitigation efforts that lower the default listing duration from six months to one month. The company also intends to ship more mitigation features in the next two days, including warnings about active listings for any NFT transferred back to a wallet and an email alert for users who have an address registered.

The exchange's support website does warn sellers that transferring a listed NFT does not automatically cancel its listing.

“You should always cancel a listing of an NFT before transferring it to a new wallet. This ensures the listing is not fulfillable through OpenSea,” the help article for new users reads.

Yakir said the solution for protecting against this particular bug, for those individuals who have moved their NFTs without canceling them, is to move their NFTs immediately to a new wallet, which would not have any previous listings connected to it. Doing so would prevent any NFTs from being captured and sold via the exploit.
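The mechanism described above (a signed listing that outlives the NFT's departure from the wallet and becomes fulfillable again when the token returns) and the two mitigations OpenSea mentions (a warning on transfer-back and a shorter default listing duration) can be modelled with a toy order book. The following is an added illustration, not OpenSea's or Rarible's code; the `Listing` and `OrderBook` classes, the helper names and the constructed scenario (a token called `BAYC:8274` listed at 22.9 ETH and later at 130 ETH, with wallets `alice` and `alice-vault`) are assumptions made for the example.

```python
"""Toy model of an off-chain NFT order book backed by on-chain ownership.

Added example for the stale-listing issue; not marketplace code. The data
model and helper names are assumptions made for illustration.
"""
from dataclasses import dataclass

MONTH = 30 * 24 * 3600  # seconds; illustrative listing duration unit


@dataclass
class Listing:
    maker: str          # wallet that signed the sell order
    token: str          # "collection:token_id"
    price_eth: float    # fixed asking price
    expires_at: int     # unix timestamp after which the order is dead
    cancelled: bool = False


class OrderBook:
    """Off-chain signed listings plus a mirror of current on-chain owners."""

    def __init__(self, owners: dict[str, str]):
        self.owners = dict(owners)           # token -> current owner wallet
        self.listings: list[Listing] = []

    def list_for_sale(self, maker, token, price_eth, now, duration=MONTH):
        assert self.owners[token] == maker, "only the current holder can list"
        lst = Listing(maker, token, price_eth, now + duration)
        self.listings.append(lst)
        return lst

    def fulfillable(self, lst, now):
        """An order is fillable only while the maker still holds the token
        and the order is neither cancelled nor expired."""
        return (not lst.cancelled and now < lst.expires_at
                and self.owners[lst.token] == lst.maker)

    def transfer(self, token, new_owner, now):
        """Plain on-chain transfer: the off-chain listing is NOT touched.
        Returns the receiver's old listings that just became live again,
        which is the 'active listing' warning a marketplace can show."""
        self.owners[token] = new_owner
        return [l for l in self.listings
                if l.token == token and l.maker == new_owner
                and self.fulfillable(l, now)]

    def best_price(self, token, now):
        """Lowest fillable ask; a stale old listing undercuts a fresh one."""
        asks = [l.price_eth for l in self.listings
                if l.token == token and self.fulfillable(l, now)]
        return min(asks) if asks else None

    def cancel_all(self, wallet):
        """Cancel every order a wallet signed (must be done by the maker)."""
        for l in self.listings:
            if l.maker == wallet:
                l.cancelled = True


def scenario(default_duration, cancel_on_warning):
    """Constructed timeline: list, move out, move back months later, relist.
    Returns (lowest fillable ask at relist time, number of warnings raised)."""
    now = 0
    ob = OrderBook({"BAYC:8274": "alice"})
    ob.list_for_sale("alice", "BAYC:8274", 22.9, now, default_duration)
    ob.transfer("BAYC:8274", "alice-vault", now)   # moved out, never cancelled
    assert ob.best_price("BAYC:8274", now) is None  # not fillable while away
    now = 4 * MONTH
    warnings = ob.transfer("BAYC:8274", "alice", now)  # token comes back
    if cancel_on_warning and warnings:
        ob.cancel_all("alice")                       # act on the warning
    ob.list_for_sale("alice", "BAYC:8274", 130.0, now)
    return ob.best_price("BAYC:8274", now), len(warnings)


if __name__ == "__main__":
    print("six-month default, warning ignored:", scenario(6 * MONTH, False))
    print("six-month default, cancelled on warning:", scenario(6 * MONTH, True))
    print("one-month default, no cancel needed:", scenario(MONTH, False))
```

With the old six-month default and no cancellation, the lowest fillable ask at relist time is the stale 22.9 ETH order rather than the new 130 ETH one; cancelling on the transfer-back warning, or a one-month default that lets the old order expire before the token returns, both leave only the new price fillable. Moving the token to a wallet that never signed a listing, as Yakir suggests, is the same fix seen from the other side: `fulfillable` requires the maker to be the current holder.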

Image: OpenSea
