Opensea phishing

Another Day, Another $2 Million OpenSea Scandal

You wouldn’t want to be in OpenSea’s shoes right now. After a tough few months, the peer-to-peer marketplace for NFTs, rare digital items and crypto-collectibles has once again found itself in hot water after a group of users were hacked, leading to the loss of over 250 high-value tokens. According to a spreadsheet compiled by the blockchain security service PeckShield, a total of 254 tokens from 32 users were stolen in what is being described as a major ‘phishing attack’. Among the lost tokens were highly coveted tokens from Decentraland and Bored Ape Yacht Club, with prominent specialist Molly White estimating the value of the stolen tokens at roughly 641 ETH or more than USD$1.7 million (AUD$2.37 million).


As The Verge rightly points out, the attacks appear to have exploited a slight lapse in the Wyvern Protocol, the open-source standard that generally underpins NFT contracts. The decentralised digital asset exchange protocol allows you to buy and sell virtually anything, with the codebase open source, permissively licensed, and third-party audited. According to OpenSea co-founder and CEO Devin Finzer, however, attackers were able to get victims to sign a partial contract, with a general authorization and large portions left blank. The proverbial ‘blank cheque’ allowed the perpetrators to complete the contract with a call to their own contract, transferring ownership of the tokens without payment.
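To make the 'blank cheque' concrete from the signer's side, here is an added example (not code from OpenSea, Wyvern or the original article) of a wallet-side check that refuses to sign an order when most of the call is left for the counterparty to fill, the target contract is unknown, or no payment is due. The `Order` fields, the thresholds and the addresses are assumptions in a simplified model, not the Wyvern ABI.

```python
from dataclasses import dataclass

@dataclass
class Order:
    """Hypothetical, simplified order; field names are assumptions, not the Wyvern ABI."""
    target: str       # contract the exchange will call when the order is matched
    calldata: bytes   # call the signer is authorising
    fill_mask: bytes  # 0xff marks a byte the counterparty may overwrite later
    price_wei: int    # payment the signer receives

def review(order, known_targets, max_blank_ratio=0.5):
    """Return the reasons a wallet should refuse to sign this order."""
    if len(order.fill_mask) != len(order.calldata):
        return ["fill mask length does not match calldata"]
    findings = []
    blank = sum(1 for b in order.fill_mask if b == 0xFF)
    if order.calldata and blank / len(order.calldata) > max_blank_ratio:
        findings.append(f"{blank} of {len(order.calldata)} calldata bytes are left blank")
    if any(order.fill_mask[:4]):
        findings.append("function selector can be replaced by the counterparty")
    if order.target.lower() not in known_targets:
        findings.append("target contract is not on the allowlist")
    if order.price_wei == 0:
        findings.append("assets would move for zero payment")
    return findings

# Constructed sample data: placeholder addresses and a 100-byte call
# (4-byte transferFrom selector + three 32-byte arguments: from, to, token id).
NFT_CONTRACT = "0x" + "aa" * 20
UNKNOWN_CONTRACT = "0x" + "bb" * 20
CALL = bytes.fromhex("23b872dd") + bytes(96)

# Ordinary listing: only the recipient argument is left for the buyer to fill.
listing = Order(NFT_CONTRACT, CALL, bytes(36) + b"\xff" * 32 + bytes(32), 10**18)
# 'Blank cheque': unknown target, whole call replaceable, no payment.
blank_cheque = Order(UNKNOWN_CONTRACT, CALL, b"\xff" * 100, 0)

if __name__ == "__main__":
    for name, order in (("listing", listing), ("blank_cheque", blank_cheque)):
        print(name, review(order, {NFT_CONTRACT}) or "ok")
```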

“We have confidence that this was a phishing attack,” Finzer explained on Twitter. “We don’t know where the phishing occurred, but we’ve been able to rule out a number of things based on our conversations with the 32 affected users.”

Importantly, Finzer did go on to explain that the fraudulent behaviour did not originate on OpenSea itself. In fact, the platform is not aware of any of the affected users receiving or clicking links in suspicious emails, and minting, buying, selling or listing items on the service is not a vector for attack. The confirmation does take the heat off OpenSea slightly, but with so many sceptical of the NFT community, attacks like this don’t serve the industry well.

Earlier this month, OpenSea was forced to remove its shared storefront contract, admitting that around 80 per cent of the NFTs minted through its free creation tool had been identified as fraudulent, spam or scams. The announcement put fear in the hearts of investors and saw a number of opportunist attackers look for ways to break the lines. Remarkably, some users found that the platform was susceptible to attacks that leveraged old contracts to steal users’ valuable holdings, a concerning development.

By all accounts, OpenSea was in the process of updating its contract system when this most recent attack took place, but that provides little consolation for those 32 users who have been duped out of their tokens. If you want to make sure you don’t come a cropper to a fraudulent NFT sale, check out our guide to NFT scams.

EDITOR-IN-CHIEF

Nick Hall

Nick Hall is the Editor-in-Chief of Man of Many and an accomplished journalist. He completed a Bachelor of Creative Industries at the Queensland University of Technology, with a double major in Journalism and Music. Prior to working at Man of Many, Nick spent two years as a journalist with Inside Franchise Business, focusing on small business, finance and legal reporting. In 2021, Nick was named B&T's Best of the Best Journalist of the Year. With an extensive background in the media industry, Nick specialises in feature writing, fashion, lifestyle and entertainment content. A qualified barber and men's stylist, Nick also holds a Cert III in Barbering from the Queensland Hairdressing Academy.