OpenSea is a decentralized application for selling NFTs. Items can be listed on the application for a specific price, removed from it, or sold.
On OpenSea, NFT sellers need to de-list their item fully in order for it to be completely removed from the list of sellable items. OpenSea offers a transfer feature to move the NFT from a main wallet to a secondary one.
There is a problem with this functionality, though: the website's frontend de-listed the NFT, but the blockchain never did. This desync between the frontend view and the backend created problems.
In particular, many of the listed NFTs had appreciated in value since their original listing. So, the attacker exploited this vulnerability to buy the NFTs at their original listing price, for way less money than they were now worth. Damn, that's a real clever attack!
To get away with this, the attacker put their money into a mixer, making it untraceable. From a single transaction of a Bored Ape NFT, they made off with 200K in ETH.
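The desync described above can be modeled as two views of the same listing state that a seller, or the marketplace itself, reconciles to find listings that are hidden in the UI but still sellable. This is an added example, not OpenSea's code: the event names, the `transfer_cancels` switch, and the sample tokens and prices are assumptions made for illustration.

```python
# Constructed event log for one seller; token names and prices are sample values.
EVENTS = [
    ("list", "nft-1", 15.0),
    ("list", "nft-2", 20.0),
    ("list", "nft-3", 18.0),
    ("transfer", "nft-1", None),  # moved to a secondary wallet, never de-listed
    ("delist", "nft-2", None),    # fully de-listed first ...
    ("transfer", "nft-2", None),  # ... then moved
]


def replay(events, transfer_cancels=False):
    """Replay events and return (frontend_view, backend_view): token -> price.

    transfer_cancels=False models the behaviour the page describes: a transfer
    hides the listing in the frontend only. True models the corrected
    behaviour, where a transfer also invalidates the listing in the backend.
    """
    frontend, backend = {}, {}
    for kind, token, price in events:
        if kind == "list":
            frontend[token] = price
            backend[token] = price
        elif kind in ("delist", "sold"):
            frontend.pop(token, None)
            backend.pop(token, None)
        elif kind == "transfer":
            frontend.pop(token, None)
            if transfer_cancels:
                backend.pop(token, None)
        else:
            raise ValueError(f"unknown event kind: {kind!r}")
    return frontend, backend


def stale_listings(events, transfer_cancels=False):
    """Listings the backend would still honour although the frontend hides them."""
    frontend, backend = replay(events, transfer_cancels)
    return {tok: price for tok, price in backend.items() if tok not in frontend}


if __name__ == "__main__":
    print("stale (desynced):", stale_listings(EVENTS))
    print("stale (transfer cancels):", stale_listings(EVENTS, transfer_cancels=True))
```

Any non-empty result from `stale_listings` is a listing that must be fully de-listed before the old price stops being honoured.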