Image: Unsplash

OpenSea is facing a new lawsuit, with the “eBay of NFTs” being accused – again – of maintaining a platform that is rife with “security vulnerabilities.” According to the complaint that he filed in a New York state court on April 5, Michael Vasile alleges that Ozone Networks, Inc. d/b/a OpenSea is on the hook for negligence and breach of contract on the basis that it “was aware of its users losing non-fungible tokens (‘NFTs’) due to the security vulnerabilities in [its] platform,” and yet, it continued operating, “leaving its users at risk.”

In the newly-filed complaint, Vasile claims that “OpenSea’s vulnerabilities allowed others to enter through its code and force the sale of an NFT … through no fault of the owner.” The NFT at issue is Bored Ape #8858, a token from Yuga Labs’ Bored Ape Yacht Club collection, which Vasile alleges was “taken from him, through a forced listing and sale of the NFT for 24.89 ETH ($81,363), a fraction of its value.” (The plaintiff contends that at some point prior to his NFT being stolen on January 26, 2021, it was listed for 135 ETH ($441,302).) Within an hour of the “forced sale at 24.89 ETH,” Vasile – who acquired the NFT in August 2021 for 12.65 ETH – states that it was then “resold to another user for 92.9 ETH.” 

Despite having “full knowledge” that security issues were putting its platform and the tens of millions of NFTs listed on it at risk, Vasile alleges that OpenSea “did not properly inform its users and did not timely put adequate safety measures in place” leading up to or in the immediate wake of the widely-reported January 2022 phishing attack that reportedly cost OpenSea users millions of dollars in stolen NFTs, including more than one Bored Ape Yacht Club NFT. “Instead of shutting down its platform to address and rectify these security issues,” Vasile claims that OpenSea “continued to operate, risk[ing] the security of its users’ NFTs and digital vaults in order to continue collecting 2.5 percent of every transaction uninterrupted.” 

The “proximate result” of OpenSea’s failure to take action, per Vasile, was the loss of his NFT, which has “significant value” thanks to its rarity compared many of the 10,000 NFTs in the BAYC collection. According to the lawsuit, Vasile’s Bored Ape has a rarity score of is 71.44 and a rarity rank of #7589, making it “a highly desirable NFT, due to the rarity and certain characteristics (e.g., the Captain’s hat, colors, etc.).” Beyond that, Vasile states that he was actively deriving value from the NFT in the form of royalty revenues, as the Bore Ape at the heart of his NFT was licensed to “The Writer’s Room,” and therefore, generated royalties from fellow Bored Ape Jenkins the Valet. 

(Yuga Labs provides the purchasers of their NFTs, including those from the BAYC collection, with unlimited commercial rights in the unique Apes, thereby, enabling purchasers to monetize them by way of various ventures. According to Yuga’s terms and conditions, “When you purchase an NFT, you own the underlying Bored Ape, the Art, completely.” More than that, purchasers obtain an unlimited, worldwide license to create derivative works based upon the underlying art with no cap on the revenue that a purchaser can generate or earn.)

Vasile asserts in the new lawsuit that OpenSea, which “has handled over $11 billion in sales to date, including the sale of a Bored Ape Yacht Club NFT for $3 million,” owed a duty of care to its users and breached that duty by “failing to exercise reasonable care; failing to use reasonable security systems and networks; [and] failing to institute safety protocols,” among other things. At the same time, Vasile argues that “by entering into contracts and/or implied contracts with [OpenSea], users expected [the platform’s] security practices to comply with laws and regulations.” Users also expected OpenSea to “reasonably protect wallets that were connected to its platform,” and that by failing to do so, Vasile claims that OpenSea is on the hook for breach of contract and implied contract. 

With the foregoing in mind, Vasile is seeking “the return of the Bored Ape, damages equivalent to the valuation of the Bored Ape, damages associated with lost royalties, and/or monetary damages over $1,000,000,” as well as injunctive relief to bar OpenSea from listing or sale of the Bored Ape NFT at issue. 

The lawsuit follows from the filing of two similar complaints have been filed against OpenSea, one filed in federal court in Nevada and another in a Texas federal court, with both centering on the alleged theft of Bored Ape NFTs from the OpenSea platform in the wake of the January 2022 phishing attack and both generally accusing the platform of failing to maintain “common sense and reasonable security measures” to protect users from fraud and from the sale of stolen NFTs.

The enduring rise in claims of phishing and theft of high-value NFTs also comes as headline-making deals are coming into fruition in the NFT space. BAYC creator Yuga Labs, for instance, acquired the IP of the CryptoPunks and Meebits NFT collections from Larva Labs, another giant in the digital assets space, in March. Around the same time, Universal Music Group acquired Bored Ape #5537 from its former owner for $360,817, revealing that the Ape at the heart of the NFT will join the digital musical group, Kingship, that Universal’s next-gen label 10:22PM created in November 2021.

The case is Michael Vasile v. Ozone Networks, Inc. d/b/a OpenSea, 651589/2022 (N.Y. Sup.)