how to buy a bored ape for less than list price

There’s been a lot of buzz around Bored Ape Yacht Club lately. Mostly because of the community’s apparent lack of awareness of how their multi-thousand dollar JPEGs actually work.

In a recent incident, one community member claimed to be a victim of a hack when his Bored Ape was sold for less than his current listing price. Was this a hack though? Was it a bug in the NFT marketplace code? Let’s break it down to find out.

To start, here’s a quick TLDR on NFTs. An NFT is a token that can represent almost anything. Most commonly they represent an image. The image it represents and who owns this representation are managed by a smart contract on a blockchain like Ethereum.

What happens when a user wants to sell their Ape NFT? First they go to a marketplace like OpenSea. Listing an NFT for sale takes at least two steps.

  1. The user must give the OpenSea smart contract permission to transfer their NFT on the user’s behalf. This is usually done by calling a function on the particular NFT contract called setApprovalForAll. It’s important to note that once this method is called, the OpenSea contract can now transfer EVERY NFT the user owns that is part of that same smart contract. So in the case of a Bored Ape, OpenSea can theoretically transfer every Bored Ape that user owns in that particular wallet. This isn’t some malicious action on OpenSea’s part though. It’s just a way to save the user gas by not having to call approve for each individual NFT when they want to sell.
  2. The user chooses a token and amount they are willing to sell for. This information along with the wallet address of the seller and the ID of the token are then signed by the user’s wallet. This signature is essentially a permission slip that anyone can use to purchase this NFT for that specific price in that specific token. A buyer would later submit this signature along with payment to OpenSea and OpenSea would transfer that NFT to the buyer and then transfer payment to the seller.

What happens when a user wants to change the price of the NFT they are selling?

  1. The user needs to first invalidate the previous signature. The ONLY way to do this is to tell the smart contract on OpenSea that the previous signature is invalid. This involves calling a function on OpenSea’s contract and involves paying some gas fees. The Bored Ape user mentioned before tried a different method though. They transferred their Ape to another wallet. This works as long as that Ape stays in the other wallet. Remember that the permission slip allows anyone to purchase the Ape from the previous wallet at the previous price. If the Ape isn’t in the previous wallet there is no way a user can purchase it. The mistake they made was transferring the Ape back to the previous wallet. By doing this all of the conditions for sale are back on the table.
  2. After invalidating the previous signature, the user can now choose a new price and create a new signature or permission slip. If the previous signature is still valid though, anyone with that signature can still purchase at the previous price. Both signatures are valid but of course any rational person would buy at the cheaper price. This is exactly what happened with the Bored Ape.

How can this be prevented? There are a few ways but the ONLY sure way is to invalidate or cancel the sell order with the smart contract of the marketplace you are selling on. Here are some other ways with caveats.

  1. Remove approval from OpenSea or other marketplace to transfer your NFTs. This works only until you give approval again for OpenSea to transfer from that NFT contract.
  2. Add an expiration to the sell order if possible. This can save some gas for users as the signature is automatically invalid once the expiration time is reached. No need to invalidate it manually. Remember that creating a new sell order before the expiration without invalidating the previous sell order will still allow someone to execute the old sell order.
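To make the price-change and prevention steps above concrete, here is a small Python model of when an old sell order can still be executed. It is an added example, not OpenSea's contract code: the class names, wallet names and prices are hypothetical, and signature verification is left out (an order object stands in for a signed order).

```python
# Simplified model of the checks described above. Assumption: this is not
# OpenSea's contract code; class, field and wallet names are hypothetical.
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class SellOrder:                      # stands in for the signed "permission slip"
    seller: str
    token_id: int
    price: float                      # constructed value, not from the incident
    expires_at: Optional[int] = None  # None means the order never expires

@dataclass
class Marketplace:
    owner_of: dict = field(default_factory=dict)  # token_id -> wallet
    approved: set = field(default_factory=set)    # wallets that called setApprovalForAll
    cancelled: set = field(default_factory=set)   # orders invalidated on-chain

    def fillable(self, order: SellOrder, now: int) -> bool:
        """A buyer can execute the order only while every condition holds."""
        return (order not in self.cancelled
                and (order.expires_at is None or now < order.expires_at)
                and order.seller in self.approved
                and self.owner_of.get(order.token_id) == order.seller)

def replay_price_change() -> dict:
    """Transfer-away-and-back versus on-chain cancellation."""
    m = Marketplace(owner_of={1: "main"}, approved={"main"})
    old, new = SellOrder("main", 1, 40.0), SellOrder("main", 1, 100.0)
    seen = {"listed": m.fillable(old, 0)}
    m.owner_of[1] = "vault"                       # move the token out
    seen["moved_away"] = m.fillable(old, 1)
    m.owner_of[1] = "main"                        # move it back, relist higher
    seen["moved_back"] = (m.fillable(old, 2), m.fillable(new, 2))
    m.cancelled.add(old)                          # the only sure fix
    seen["cancelled"] = (m.fillable(old, 3), m.fillable(new, 3))
    return seen

def replay_caveats() -> dict:
    """Revoking approval and expirations only help for a while."""
    m = Marketplace(owner_of={1: "main"}, approved={"main"})
    old = SellOrder("main", 1, 40.0, expires_at=10)
    m.approved.discard("main")
    seen = {"approval_revoked": m.fillable(old, 1)}
    m.approved.add("main")                        # approval granted again
    seen["approval_regranted"] = m.fillable(old, 2)
    seen["after_expiry"] = m.fillable(old, 10)
    return seen
```

In `replay_price_change()`, the cheaper order is dead while the token sits in the other wallet and live again the moment it returns; only the cancellation removes it for good.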

That’s it. I hope this shed some light on how NFTs are sold on marketplaces and gives you some more clarity on what is going on behind the scenes so you don’t become another memable statistic on Crypto Twitter.

What The Func?

© 2022 What The Func?
Dropping web3 knowledge since 2017