OpeanSea Phishing Attack Resulted in Stolen NFTs Worth $1.7 Million

Sophie Webster, Tech Times 20 February 2022, 08:02 pm

OpenSea, the largest NFT marketplace, is the latest victim of a cyber attack. The marketplace lost hundreds of NFTs, causing a panic among its users on Feb. 19.

PeckShield, a blockchain security service, created a spreadsheet and did the compilation. The security service counted 254 tokens were stolen during the attack, and it includes tokens from Bored Ape Yacht Club and Decentraland.

OpenSea Lost NFTs

The attack happened between 5PM and 8PM Eastern Standard Time, and it targeted 32 OpenSea users all in all. Molly White, who runs the blog Web3 is Going Great, wrote that the total value of the stolen NFTs is $1.7 million.

The attack took advantage of the flexibility of Wyvern Protocol, the open-source standard underlying most NFT smart contracts, including those made on OpenSea, according to The Verge.

OpenSea's CEO, Devin Finzer, linked one explanation on Twitter that described the attack in two separate parts. First, the targets signed a partial contract, with a general authorization and massive portions left blank.

Also Read: Adobe Photoshop to Launch 'Content Credentials' to Prevent NFT Art Theft

Since the signature was already placed, the attackers completed the contract and filled the blank parts themselves. It allowed them to transfer ownership of the NFTs without any payment.

In essence, the victims of the attack had signed a blank check, and as soon as it was signed, the attacked filled in the rest of the check so they can easily take the victim's holdings.

One user who goes by Neso said that he checked every single transaction and all have valid signatures from those who lost NFTs, so anyone claiming that they did not get phished but lost NFTS is mistaken.

What is OpenSea

OpenSea has become one of the largest and most valuable companies in the NFT market, and it is currently valued at $13 billion in a recent funding round, according to CNBC.

The marketplace was created to provide a simple interface for users to list, browse, and bid on tokens without interacting directly with the blockchain.

The success of the marketplace has come with a lot of security issues, as the company has struggled with attacks that leveraged old contacts or poisoned tokens to steal the valuable holdings of its users.

OpenSea was in the middle of updating its contract system when the attack happened, but the marketplace has denied that the attack originated with the new contracts.

The very small number of targets makes such a vulnerability unlikely, since any flaw in the broader platform would be exploited on a far greater scale.

Still, a lot of the details of the attack remain unclear, especially about how the attackers got their targets to sign the half-empty contract.

Finzer wrote on Twitter that the attacks had not originated from the marketplace's website, its various listing systems, or any emails from the company.

The rapid pace of the attack, hundreds of transactions in just a couple of hours, suggests some common vector of attack, but also far no link has been seen.

Finzer added that they will keep people updated as they learn more about the exact nature of the phishing attack, and he is asking the public to let them know if they have any leads.

Earlier this year, hackers stolen Bored Ape and other NFTs worth $2.2 million.

Last year, an NFT game gets called out for alleged stolen art from another game.