A lawsuit has been filed in the Southern District of Texas against OpenSea - a leading Non-Fungible Token (NFT) marketplace. The plaintiff alleges that his 'Bored Ape Yacht Club NFT' was stolen in early February due to a vulnerability in the OpenSea platform that allowed:
an outside party to illegally enter through OpenSea’s code and access Plaintiff's NFT wallet...
The plaintiff further alleges that OpenSea had knowledge of the security issue. The vulnerability apparently allowed fraudsters to buy NFTs at a cheaper price than should be the case if a user had not cancelled a sale listing connected to their digital wallet.
OpenSea previously advised users in January that they should cancel all old NFT sale listings connected to their wallet to protect themselves against this type of attacks. This is alleged to have put NFT owners at greater risk as:
every NFT holder trying to cancel [their] listings [while] hackers [are told how] to steal their digital assets.
This is an age old problem when a security issue is found and one which can be more difficult when smart contracts or standing offers are issued on smart contracts. Smart contracts usually cannot be upgraded swiftly if a bug is found and migrating to a new contract can take time.
In this case, the plaintiff further alleges that OpenSea ignored his request to resolve the situation and potentially reverse the transaction (it's not clear that OpenSea even could have reversed the transaction at all given the transfer was recorded on a blockchain). The plaintiff has sought damages for the loss of the (currently) highly valuable Bored Ape NFT.
One interesting point is that because the property alleged to be stolen is entirely identifiable, it may be possible to trace the holder and the value of the allegedly stolen Ape might be impacted as a result.
If the matter reaches a final judgment we may have interesting US judicial comment on the status of NFTs as property, and how that is addressed under US law, as well as application of a theory of liability on those who offer services adjacent to smart contracts.