Opensea Exploited! - How you can be save

As many of you are aware, there's been a scam/exploit/bug going around which has been allowing people to purchase NFTs at lower-than-floor prices.


If you have any listings and wish to remove them, first go to and enter your ethereum address. Then head to the "ERC-1155" tab and check to see if any token is listed. If it is, and you don't intend to have any tokens listed for sale, click "revoke". It'll be a small gas cost, and it'll mean you'll have to pay gas the next time you go to list -- but if you have no intention of selling any time soon, it's the safest way to ensure that you have no "hanging" listings. Once you've revoked this permission, you can go to OpenSea and cancel any existing listings without fear that someone will 'front run' you. Read on for more details.

The Problem

Bad actors have been purchasing blue-chip NFTs well under the OpenSea floor price by exploiting an issue with the way how the Opensea Exchange works.

How does Opensea work?

When you submit a sell order on Opensea, your order is stored off chain. When someone goes to buy your NFT, OpenSea´s website gives them a copy of your sell order, which the buyer submits to the blockchain. The blockchain uses cryptography to validate that the order was created by you. Unless your order has an expiration date, it can be executed for as long as you hold the NFT in the wallet that signed the order.

If you transfer an NFT out of your wallet, your order remains theoretically valid, however it can’t be executed since the signing wallet no longer owns the NFT. After a transfer (including but not limited to a sale), OpenSea will remove the sell order from your NFTs profile page. However, if you ever transfer the NFT back (including by buying the same NFT again), the order once again becomes valid if the expiration date has not passed. Unfortunately, OpenSea used to have a default of no expiration date, which then switched to six months, and more recently to one month as a default.

How does the exploit work?

Although OpenSea and other sites don’t show these sell orders, the bad actors have been able to get their hands on the cryptographically signed sell orders and submitted them to the blockchain, where they remain valid so long as the ownership and others conditions (e.g. expiration date is not passed) are met.

It is important to understand that since OpenSea is a decentralized exchange protocol, they cannot cancel these orders, only the signer of the sell order (you) can do so.

How do I protect myself?

First, you should check whether you have any inactive listings on your NFTs that are below the price you would be comfortable selling at. You can do this by logging into your OpenSea Profile and finding the new “Listings” drop down that was added this week. Select the inactive tab and you will see them. Do not cancel any order until you read the full article.

Note that, although OpenSea has advised that this page will show all your inactive orders, we don’t know if that is true or if there could be other, unknown orders lurking somewhere.

After confirming whether you have any inactive listings, we recommend revoking approvals from OpenSea being allowed to spend your NFT. I suggest using This step is necessary because a second exploit has come to our attention: bad actors are able to intercept “order cancellation” transactions and resubmit them to the blockchain as purchase order faster than the cancellation transaction processes.

Once you have revoked approvals, you can go ahead and cancel all your orders. Later, if you ever want to sell, you can grant approvals to OpenSea once more.

An alternative and safer approach would be to create an entirely new wallet to transfer your NFTs to. If you do this, you should never transfer your NFTs back to the source wallets, or the orders could once again become executable and you could lose your NFT.

I appreciate that all of this safety measures will cost some money in the form of gas fees and only make these suggestions out of an interest to protect the broader community.

Back to blog