OpenSea has a security and fraud problem and if one account holder on the NFT marketplace is right, it is negligent in protecting its customers and guilty of extortion.
As prominent NFT creator, collector and venture capitalist Kevin Rose would no doubt attest, theft in the NFT space is a serious problem. He lost a part of his personal collection valued at $1.1 million in a recent phishing attack, although that was nothing to do with OpenSea.
Robert Acres, as we detail below, also fell victim to an NFT phishing attack. Not as high-profile a user of OpenSea as Rose, Acres had two NFTs stolen in a phishing attack.
He alleges that far from promptly trying to help him retrieve his property and prevent resale by the thieves, as OpenSea is reported to have done with Rose, the leading NFT marketplace ended up locking Acres out of his account for three months.
During that time Acres alleges he suffered large losses on the 58 NFTs in his account because he was unable to trade them.
The two now blacklisted stolen NFTs can be seen listed on OpenSea, with a warning that the items cannot be bought or sold due to suspicious activity:
https://opensea.io/assets/ethereum/0xd2f668a8461d6761115daf8aeb3cdf5f40c532c6/2299
https://opensea.io/assets/ethereum/0x4db1f25d3d98600140dfc18deb7515be5bd293af/5297
Acres’s stolen NFTs were sold by the thief for 0.5 and 0.7 WETH.
However, Acres estimates his loss resulting from not being able to trade his remaining NFTs on OpenSea at as much as $500,000 and is suing the NFT marketplace – OpenSea is a trading name of Ozone Networks Inc – to make good those losses.
He has hired the services of Traverse Legal, with managing partner and trial attorney specializing in blockchain and web3, Enrico Schaefer, heading up the team.
Image caption: one of the stolen NFTs: https://opensea.io/assets/ethereum/0xd2f668a8461d6761115daf8aeb3cdf5f40c532c6/2299
OpenSea user says he was locked out of his account after complaining
Acres alleges that when he complained about the slow response by OpenSea to the theft, it was then that the marketplace locked him out of his account.
According to the timestamped support communications with OpenSea seen by Cryptonews, dated July 12th 2021, the day the theft took place, Acres informed OpenSea of the theft prior to the sale of the stolen NFTs on the marketplace.
The transaction hash of the theft is shown on etherscan and timestamped at 01:38 PM UTC: https://etherscan.io/tx/0xa6bc538181d79b342cd69042eac74b9a64a1aeb99ed05d98d3f5c09a6f7bf59d
The sale took place one hour later at 02:38 PM UTC: https://etherscan.io/tx/0xd2327c65e66d0ac94282580f0a8d64d1cd155faa53d7613565d55c6ed9862b25
The email reporting the theft to OpenSea support is timestamped at 02:11 PM UTC.
The tx hashes show that there was half an hour between OpenSea being alerted to the theft and the subsequent sale on the marketplace.
Admittedly it could be argued that the half-hour window didn’t give OpenSea much time to react, but if this was legacy finance, where automated surveillance systems are in operation, processes would be in place to quickly suspend suspect activity.
But, given its lack of action to prevent the resale, it might be reasonable to conclude that OpenSea doesn’t appear to have had sufficiently robust systems in place to be able to respond to such alerts from users in a timely fashion.
OpenSea’s initial response appears to be deliberately disingenuous
In part, in its only public statement made on the matter to date, an OpenSea spokesperson, stated: “The theft in question took place outside of OpenSea and the items were sold before OpenSea became aware of the reported theft. Soon after we were notified and became aware, we disabled the items and the user’s account has since been unlocked.”
The first clause of the first sentence is correct – it was a phishing attack that had nothing to do with OpenSea. But, if Mr Acres is correct, the rest of that snippet from the statement is wrong. OpenSea, as shown above, was informed of the theft before the sale took place.
The second sentence is disingenuous to say the least as it could be taken to infer that the user’s account was unlocked soon after the two NFTs were disabled, which was not the case – Acres’s account was locked for three and half months.
Indeed, it appears it was when Acres took issue with OpenSea’s failure to prevent the sale of the stolen NFTs, that his account was locked.
In an email to Cryptonews.com, Acres writes:
“Frustrated and believing OS bore some responsibility for what had occurred, I noted that OS should be liable for monetary damages. In response, OS locked my account without notice, request, or permission.”
Acres goes on to allege that “OS demanded that I swear under oath that my wallet has not been compromised (meaning OS would not be liable)”.
According to Acres’s account, when he refused to comply with the alleged demands from OpenSea, he was locked out of his account. Acre further claims that OpenSea, as a result of the lock out, prevented him from trading his 58 NFTs on the OpenSea marketplace.
OpenSea user claims the NFT marketplace “can seize your NFT assets”
Acres writes in his email to Cryptonews.com: “OS represents that its users’ NFTs are not in the custody of OpenSea. Yet, most OpenSea members are unaware that OS can seize your NFT assets and preclude you from moving or trading your NFTs for days, weeks, months, or presumably forever, even if you did nothing wrong.”
The OpenSea help center page, clearly states the opposite to be the case:
“While we can prevent your items from being bought or sold using OpenSea's services, your items remain on the blockchain and are not in the custody of OpenSea.”
OpenSea would not of course be able to prevent a user of the platform from trading their NFTs on a competing marketplace. That means it may not be the case that, strictly speaking, OpenSea “can seize your NFTs”, as Acres claims
However, in practice, most of the liquidity available in the NFT market is to be found on OpenSea. Here we see writ large the limitations of crypto decentralization in practice as opposed to its theoretical intended outcomes.
In a defense of the accusation he levels against OpenSea regarding the lock on his account, Acres told Cryptonews: “Once your wallet is 'locked' or 'blocked' all the items in your wallet are flagged as suspicious and thus no matter what wallet they are transferred to they will never be able to trade on OpenSea until they remove the flag against your account.
“Currently, OpenSea commands over 60% of all NFT trading volume and back when this incident happened it was far greater.
“The trading volume left being split by competitors means that you are not able to get the most competitive pricing and thus again builds into the financial losses being accrued by myself for a wallet lock that was placed on me against my will.
“Most individuals that trade on any OS competitor marketplace often end up using OS as the resale market after they purchase on a competitor's marketplace.
“So again, in this case, all my NFTs would carry this 'suspicious' tag when shown on [the] OS marketplace[;] the new buyer also cannot sell it and thus when they are doing their due diligence during the buying process they wouldn't purchase them as re-sale options would be limited.”
How is that line of argument likely to play out in a court of law?
OpenSea stands accused of attempted extortion
We put the same question, regarding the complainant being free to trade his NFTs elsewhere, to Acres’s lead lawyer, Enrico Schaefer, managing partner at Traverse Legal.
This was his response.
“OpenSea acquired Mr. Acres' assets by assuming control of his account, which constitutes the tort of conversion [lawyer-speak for a form of theft]. This gives individuals who are the victims of theft the legal right to take legal action to recover their damages.
“In essence, conversion provides one with the ability to file a lawsuit to obtain damages for the conversion over their property. Conversion occurs when a person, with the intention and without proper authorization, takes control of another person's property or funds, thereby limiting their ability to access it.
“The control does not need to be exclusive. The lack of response from OpenSea and the attempted extortion to unlock the account must have been a surprise and a cause for concern, as it would be for anyone in a similar situation.”
Why didn’t OpenSea respond in a timely fashion once alerted to the NFT theft?
Furthermore, Traverse Legal on behalf of Acres claims that OpenSeas had three hours to act before the sale of the stolen NFTs took place on its platform.
“If OpenSea had not waited over three hours to actively engage, the NFT could have been locked and potentially returned to his wallet,” writes Traverse Legal.
In fact the lapse of time between being alerted to the theft and their subsequent sale was actually only half an hour, as we mentioned earlier, according to Cryptonews analysis.
Nevertheless, after all of the well-documented issues on the site faced by its users, from insider-dealing to theft, OpenSea should surely by now have implemented systems and processes, automated and human, to immediately pause suspicious activity when it is flagged.
Leaving the timings aside, surely OpenSea would be able to defend themselves on the basis that Acres would have been free to trade his 58 NFTs listed on OpenSea at another venue?
“This matter is best directed to Robbie, who experienced the situation firsthand,” wrote Schaefer in an email to Cryptonews.
He continued: “However, I have previously represented clients facing similar issues. The assertion that ‘a lesser platform with fewer buyers and sellers’ could have been used instead is not a valid excuse for OpenSea to shirk its responsibilities to its platform members.
“OpenSea is the preferred platform for individuals seeking to maximize demand and pricing pressure in the market. Using a platform with a significantly lower sales volume would have resulted in a liquidation sale rather than substantive trading activity.”
The three questions for OpenSea that remain unanswered
What does OpenSea have to say about all this, beyond their initial statement shared with media outlets?
We sent OpenSea the following questions:
- Why was Mr Acres locked out of his account against his will?
- Why was Mr Acres required to perjure himself, as is alleged, in order to get his account unlocked?
- Will Mr Acres receive compensation for losses allegedly incurred in the time that he was unable to access his account?
A week later and we are still yet to hear back from OpenSea.
It is surely the height of irony that a marketplace that trades products based on a technology whose use value is grounded in its ability to securely assign unique identities to digital and non-digital assets and other property, is not able to prevent the proliferation of fraudulent listings and the sale of said stolen assets.
Does OpenSea put the amassing of trading fees revenue above the interests of its users?
We gave Acres the final word. On telephone, in a conversation in which he agreed that the correct timing is half an hour as regards the report of the theft and the sale of the stolen property, he nevertheless insisted: “The major [of his complaint] part is the fact that they locked my account for three and a half months and asked me to perjure myself.
“I completely understand that it is a phishing scam and that acting within 45 minutes to an hour of me being notified myself and then notifying OpenSea – and that half-an-hour stretch in terms of me notifying them that it has been stolen and hoping that they could take some sort of action – is pretty slim, I do completely adhere to that.
“But everything that follows on from that transaction is negligence 101.”
Have you had your account locked by OpenSea in the past; been the victim of attacks by fraudsters but found OpenSea slow to help; or are a creator of NFTs listed on OpenSea struggling with scammers persistently posting fraudulent versions of your products? If so, get in touch with Cryptonews at [email protected].