If one account holder in the NFT marketplace is to be believed, OpenSea has a security and fraud issue, and if that person is accurate, OpenSea is neglectful in protecting its clients and is guilty of extortion.
Kevin Rose, a famous non-fungible token inventor, collector, and venture investor, would undoubtedly corroborate that theft is a big issue in the non-fungible token arena. A recent phishing attempt caused him to lose a piece of his personal collection that was worth $1.1 million, despite the fact that this incident had nothing to do with OpenSea.
As you’ll see in the next section, Robert Acres was another individual who fell prey to a phishing scam carried out by NFT. Acres, who is not as well-known of an OpenSea user as Rose, fell victim to a phishing scam that caused him to lose two NFTs.
He claims that the primary NFT marketplace, rather than swiftly attempting to assist him in retrieving his stuff and preventing the criminals from reselling it, as OpenSea is known to have done with Rose, ultimately prevented Acres from accessing his account for a period of three months.
During that time period, Acres claims that he was unable to trade the 58 NFTs that were in his account, which resulted in him incurring significant losses.
On OpenSea, it is possible to see listings for the two stolen NFTs that have now been banned, along with a notice stating the products cannot be purchased or sold due to suspicious activity:
The burglar sold the stolen NFTs belonging to Acres for between 0.5 and 0.7 WETH each.
However, Acres reckons that he has lost as much as $500,000 as a consequence of not being able to trade his remaining NFTs on OpenSea. He is suing the NFT marketplace – OpenSea is a trading name of Ozone Networks Inc – to make good on those losses.
He has retained the services of Traverse Legal, with Enrico Schaefer, a managing partner at the firm and a trial attorney who specializes in blockchain and web3, serving as the team’s leader.
Image caption: one of the stolen NFTs: https://opensea.io/assets/ethereum/0xd2f668a8461d6761115daf8aeb3cdf5f40c532c6/2299
OpenSea user says he was locked out of his account after complaining
Acres alleges that when he complained about the slow response by OpenSea to the theft, it was then that the marketplace locked him out of his account.
According to the timestamped support communications with OpenSea seen by Cryptonews, dated July 12th 2021, the day the theft took place, Acres informed OpenSea of the theft prior to the sale of the stolen NFTs on the marketplace.
The transaction hash of the theft is shown on etherscan and timestamped at 01:38 PM UTC: https://etherscan.io/tx/0xa6bc538181d79b342cd69042eac74b9a64a1aeb99ed05d98d3f5c09a6f7bf59d
The sale took place one hour later at 02:38 PM UTC: https://etherscan.io/tx/0xd2327c65e66d0ac94282580f0a8d64d1cd155faa53d7613565d55c6ed9862b25
The email reporting the theft to OpenSea support is timestamped at 02:11 PM UTC.
The tx hashes show that there was half an hour between OpenSea being alerted to the theft and the subsequent sale on the marketplace.
Admittedly it could be argued that the half-hour window didn’t give OpenSea much time to react, but if this was legacy finance, where automated surveillance systems are in operation, processes would be in place to quickly suspend suspect activity.
But, given its lack of action to prevent the resale, it might be reasonable to conclude that OpenSea doesn’t appear to have had sufficiently robust systems in place to be able to respond to such alerts from users in a timely fashion.
OpenSea’s initial response appears to be deliberately disingenuous
In part, in its only public statement made on the matter to date, an OpenSea spokesperson, stated: “The theft in question took place outside of OpenSea and the items were sold before OpenSea became aware of the reported theft. Soon after we were notified and became aware, we disabled the items and the user’s account has since been unlocked.”
The first clause of the first sentence is correct – it was a phishing attack that had nothing to do with OpenSea. But, if Mr Acres is correct, the rest of that snippet from the statement is wrong. OpenSea, as shown above, was informed of the theft before the sale took place.
The second sentence is disingenuous to say the least as it could be taken to infer that the user’s account was unlocked soon after the two NFTs were disabled, which was not the case – Acres’s account was locked for three and half months.
Indeed, it appears it was when Acres took issue with OpenSea’s failure to prevent the sale of the stolen NFTs, that his account was locked.
In an email to Coinbold.io, Acres writes:
“Frustrated and believing OS bore some responsibility for what had occurred, I noted that OS should be liable for monetary damages. In response, OS locked my account without notice, request, or permission.”
Acres goes on to allege that “OS demanded that I swear under oath that my wallet has not been compromised (meaning OS would not be liable)”.
According to Acres’s account, when he refused to comply with the alleged demands from OpenSea, he was locked out of his account. Acre further claims that OpenSea, as a result of the lock out, prevented him from trading his 58 NFTs on the OpenSea marketplace.
OpenSea user claims the NFT marketplace “can seize your NFT assets”
Acres writes in his email to Coinbold.io: “OS represents that its users’ NFTs are not in the custody of OpenSea. Yet, most OpenSea members are unaware that OS can seize your NFT assets and preclude you from moving or trading your NFTs for days, weeks, months, or presumably forever, even if you did nothing wrong.”
The OpenSea help center page, clearly states the opposite to be the case:
“While we can prevent your items from being bought or sold using OpenSea’s services, your items remain on the blockchain and are not in the custody of OpenSea.”
OpenSea would not of course be able to prevent a user of the platform from trading their NFTs on a competing marketplace. That means it may not be the case that, strictly speaking, OpenSea “can seize your NFTs”, as Acres claims
However, in practice, most of the liquidity available in the NFT market is to be found on OpenSea. Here we see writ large the limitations of crypto decentralization in practice as opposed to its theoretical intended outcomes.
In a defense of the accusation he levels against OpenSea regarding the lock on his account, Acres told Cryptonews: “Once your wallet is ‘locked’ or ‘blocked’ all the items in your wallet are flagged as suspicious and thus no matter what wallet they are transferred to they will never be able to trade on OpenSea until they remove the flag against your account.
“Currently, OpenSea commands over 60% of all NFT trading volume and back when this incident happened it was far greater.
“The trading volume left being split by competitors means that you are not able to get the most competitive pricing and thus again builds into the financial losses being accrued by myself for a wallet lock that was placed on me against my will.
“Most individuals that trade on any OS competitor marketplace often end up using OS as the resale market after they purchase on a competitor’s marketplace.
“So again, in this case, all my NFTs would carry this ‘suspicious’ tag when shown on [the] OS marketplace[;] the new buyer also cannot sell it and thus when they are doing their due diligence during the buying process they wouldn’t purchase them as re-sale options would be limited.”
How is that line of argument likely to play out in a court of law?
OpenSea stands accused of attempted extortion
We put the same question, regarding the complainant being free to trade his NFTs elsewhere, to Acres’s lead lawyer, Enrico Schaefer, managing partner at Traverse Legal.
This was his response.
“OpenSea acquired Mr. Acres’ assets by assuming control of his account, which constitutes the tort of conversion [lawyer-speak for a form of theft]. This gives individuals who are the victims of theft the legal right to take legal action to recover their damages.
“In essence, conversion provides one with the ability to file a lawsuit to obtain damages for the conversion over their property. Conversion occurs when a person, with the intention and without proper authorization, takes control of another person’s property or funds, thereby limiting their ability to access it.
“The control does not need to be exclusive. The lack of response from OpenSea and the attempted extortion to unlock the account must have been a surprise and a cause for concern, as it would be for anyone in a similar situation.”
Why didn’t OpenSea respond in a timely fashion once alerted to the NFT theft?
Furthermore, Traverse Legal on behalf of Acres claims that OpenSeas had three hours to act before the sale of the stolen NFTs took place on its platform.
“If OpenSea had not waited over three hours to actively engage, the NFT could have been locked and potentially returned to his wallet,” writes Traverse Legal.
In fact the lapse of time between being alerted to the theft and their subsequent sale was actually only half an hour, as we mentioned earlier, according to Cryptonews analysis.
Nevertheless, after all of the well-documented issues on the site faced by its users, from insider-dealing to theft, OpenSea should surely by now have implemented systems and processes, automated and human, to immediately pause suspicious activity when it is flagged.
Leaving the timings aside, surely OpenSea would be able to defend themselves on the basis that Acres would have been free to trade his 58 NFTs listed on OpenSea at another venue?
“This matter is best directed to Robbie, who experienced the situation firsthand,” wrote Schaefer in an email to Cryptonews.
He continued: “However, I have previously represented clients facing similar issues. The assertion that ‘a lesser platform with fewer buyers and sellers’ could have been used instead is not a valid excuse for OpenSea to shirk its responsibilities to its platform members.
“OpenSea is the preferred platform for individuals seeking to maximize demand and pricing pressure in the market. Using a platform with a significantly lower sales volume would have resulted in a liquidation sale rather than substantive trading activity.”
The three questions for OpenSea that remain unanswered
What does OpenSea have to say about all this, beyond their initial statement shared with media outlets?
We sent OpenSea the following questions:
- Why was Mr Acres locked out of his account against his will?
- Why was Mr Acres required to perjure himself, as is alleged, in order to get his account unlocked?
- Will Mr Acres receive compensation for losses allegedly incurred in the time that he was unable to access his account?
A week later and we are still yet to hear back from OpenSea.
It is surely the height of irony that a marketplace that trades products based on a technology whose use value is grounded in its ability to securely assign unique identities to digital and non-digital assets and other property, is not able to prevent the proliferation of fraudulent listings and the sale of said stolen assets.
Does OpenSea put the amassing of trading fees revenue above the interests of its users?
We gave Acres the final word. On telephone, in a conversation in which he agreed that the correct timing is half an hour as regards the report of the theft and the sale of the stolen property, he nevertheless insisted: “The major [of his complaint] part is the fact that they locked my account for three and a half months and asked me to perjure myself.
“I completely understand that it is a phishing scam and that acting within 45 minutes to an hour of me being notified myself and then notifying OpenSea – and that half-an-hour stretch in terms of me notifying them that it has been stolen and hoping that they could take some sort of action – is pretty slim, I do completely adhere to that.
“But everything that follows on from that transaction is negligence 101.”
Compiled by Coinbold via Cryptonews