You wouldn’t want to be in OpenSea’s shoes right now. After a tough few months, the peer-to-peer marketplace for NFTs, rare digital items and crypto-collectibles has once again found itself in hot water after a group of users were hacked, leading to the loss of over 250 high-value tokens. According to a spreadsheet compiled by the blockchain security service PeckShield, a total of 254 tokens from 32 users were stolen in what is being described as a major ‘phishing attack’. Among the losses were highly coveted tokens from Decentraland and Bored Ape Yacht Club, with prominent specialist Molly White estimating the value of the stolen tokens at roughly 641 ETH, or more than USD$1.7 million (AUD$2.37 million).
As The Verge rightly points out, the attacks appear to have exploited a slight lapse in the Wyvern Protocol, the open-source standard that generally underpins NFT contracts. The decentralised digital asset exchange protocol allows you to buy and sell virtually anything, with the codebase open-sourced, permissively licensed and third-party audited. According to OpenSea co-founder and CEO Devin Finzer, however, attackers were able to get victims to sign a partial contract: one that granted a general authorization while leaving large portions blank. This proverbial ‘blank cheque’ allowed the perpetrators to complete the contract with a call to their own contract, transferring ownership of the tokens without payment.
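The ‘blank cheque’ mechanism described above comes down to one property of signed orders: a signature only protects the fields it actually covers, so any field left unbound can be filled in later by whoever presents the order for settlement. The following is an added teaching example, not the Wyvern Protocol’s code or anything from OpenSea. It uses a deliberately simplified order model with constructed field names and addresses, and an HMAC stands in for the wallet’s signature (an assumption made so the example runs offline with the standard library). It shows the two checks a practitioner would want: a wallet-side inspection that names the fields a signing request leaves unbound, and a settlement-side check that refuses a signature which does not bind every consequential field.

```python
"""
Simplified model of a signed marketplace order (constructed example, not Wyvern).

A signature covers a digest of the order. If the digest is computed over only
some of the fields, the remaining fields are a blank cheque: they can be
changed after signing and the signature still verifies.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Order:
    maker: str        # seller's address (constructed value)
    token_id: int     # NFT being sold
    price_wei: int    # price the seller expects to receive
    target: str       # contract that will execute the transfer
    calldata: str     # encoded call executed on `target`


# Every field that changes the economic outcome must be bound by the signature.
ALL_FIELDS = ("maker", "token_id", "price_wei", "target", "calldata")
# A "partial" signing request binds only the seller and the token.
PARTIAL_FIELDS = ("maker", "token_id")


def digest(order: Order, bound_fields) -> bytes:
    # Only the listed fields enter the digest; unlisted fields are unbound.
    payload = {f: getattr(order, f) for f in sorted(bound_fields)}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).digest()


def sign(order: Order, bound_fields, key: bytes) -> bytes:
    # HMAC stands in for the wallet's asymmetric signature (assumption).
    return hmac.new(key, digest(order, bound_fields), hashlib.sha256).digest()


def verify(order: Order, bound_fields, key: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(order, bound_fields, key), sig)


def unbound_fields(bound_fields) -> list:
    """Wallet-side check: which consequential fields would this signature NOT cover?"""
    return sorted(set(ALL_FIELDS) - set(bound_fields))


def settle(order: Order, bound_fields, key: bytes, sig: bytes) -> str:
    """Settlement-side check: refuse any signature that leaves fields unbound."""
    missing = unbound_fields(bound_fields)
    if missing:
        return "rejected: signature leaves fields unbound: " + ", ".join(missing)
    if not verify(order, bound_fields, key, sig):
        return "rejected: bad signature"
    return f"settled: token {order.token_id} for {order.price_wei} wei via {order.target}"


def demo() -> dict:
    key = b"constructed-wallet-key"  # constructed stand-in for the seller's key
    listed = Order("0xSeller", 1234, 10**18, "0xMarketplace", "transfer(...)")

    sig_full = sign(listed, ALL_FIELDS, key)
    sig_partial = sign(listed, PARTIAL_FIELDS, key)

    # After signing, the counterparty rewrites the fields the partial
    # signature never covered: price, target contract and calldata.
    altered = replace(listed, price_wei=0, target="0xOtherContract",
                      calldata="transferFrom(...)")

    return {
        # A fully bound signature stops verifying once anything changes.
        "full_sig_valid_after_alteration": verify(altered, ALL_FIELDS, key, sig_full),
        # A partially bound signature still verifies on the rewritten order.
        "partial_sig_valid_after_alteration": verify(altered, PARTIAL_FIELDS, key, sig_partial),
        # The settlement check catches the partial order regardless.
        "settle_partial": settle(altered, PARTIAL_FIELDS, key, sig_partial),
        "settle_full": settle(listed, ALL_FIELDS, key, sig_full),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the two checks is that they sit on different sides of the trust boundary: the wallet check is what would warn a user before they sign something with price, target and calldata left blank, while the settlement check protects the marketplace even when a user has already signed such an order.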
“We have confidence that this was a phishing attack,” Finzer explained on Twitter. “We don’t know where the phishing occurred, but we’ve been able to rule out a number of things based on our conversations with the 32 affected users.”
Using the listing migration tool on OpenSea to migrate listings to the new Wyvern 2.3 contract is not a vector for the attack.
— Devin Finzer (dfinzer.eth) (@dfinzer) February 20, 2022
Importantly, Finzer went on to explain that the fraudulent behaviour did not originate on OpenSea itself. In fact, the platform is not aware of any affected users having received or clicked links in suspicious emails, and minting, buying, selling or listing items on the service is not a vector for the attack. The confirmation takes some of the heat off OpenSea, but with so many already sceptical of the NFT community, attacks like this don’t serve the industry well.
Earlier this month, OpenSea was forced to remove its shared storefront contract, admitting that around 80 per cent of the NFTs minted through its free creation tool had been identified as fraudulent, spam or scams. The announcement put fear in the hearts of investors and saw a number of opportunist attackers look for ways in. Remarkably, some users identified that the platform was susceptible to attacks that leveraged old contracts to steal users’ valuable holdings, a concerning development.
By all accounts, OpenSea was in the process of updating its contract system when this most recent attack took place, but that provides little consolation for the 32 users who have been duped out of their tokens. If you want to make sure you don’t fall victim to a fraudulent NFT sale, check out our guide to NFT scams.