It seems like you can’t click on a newsfeed these days and not see a story about a heist, hack, or scam somehow linked to the largest online marketplace for non-fungible tokens (NFTs) in the world – Opensea. The latest news involves a Texas man who’s reported to have unknowingly “sold” one of the rarest NFTs on the market from the wildly popular and expensive Bored Ape Yacht Club collection.
The accidental sale was made for 0.01 ETH—the equivalent of around $26—and the Texan claims it occurred due to a vulnerability in the OpenSea software coding, which Opensea management and programmers knew about, that allowed deep discount sales to occur without the knowledge or consent of the asset owners.
In the complaint filed in Texas federal court, Timothy McKimmy is seeking more than $1 million in damages for alleged negligence and breach of contract committed by Opensea. He asserts that he is the original and current owner of Bored Ape #3475—one of a set of 10,000 ultra pricey primate NFTs. McKimmy alleges in his claim that the digital asset was stolen from him because he never put it up for sale.
Rather a sneaky seller snaked it from a prior listing of the asset that McKimmy failed to close. Even though the listing was not “active” it was still open – allowing the buyer to snatch the NFT for less than the equivalent of $30 and then quickly “flipped” for 99 Ethereum, which was worth approximately $250 thousand.
“Instead of shutting down its platform to address and rectify these security issues, Defendant continued to operate. Defendant risked the security of its users’ NFTs and digital vaults to continue collecting 2.5% of every transaction uninterrupted,” the complaint states.
Plaintiff McKimmy further alleges that he has tried on numerous occasions to try and resolve the situation directly with Opensea, but has instead received platitudes regarding a vague “ongoing investigation” but the company has failed to take any direct action.
This is the first lawsuit filed against OpenSea related to this particular vulnerability. The company tried to resolve the issue in January by paying approximately $1.8 million in relief refunds to dozens of users affected by the exploit. Opensea has not made any public statements on the pending litigation.