$1.7 million in NFTs stolen in apparent phishing attack on OpenSea users
On Saturday, attackers stole hundreds of NFTs from OpenSea users, causing late-night chaos among the site's wide user base. A spreadsheet compiled by blockchain security service PeckShield counted 254 tokens stolen during the attack, including tokens from Decentraland and Bored Ape Yacht Club.
Most of the attacks took place between 5 p.m. and 8 p.m. ET, targeting a total of 32 users. Molly White, who runs the Web3 Is Going Great blog, estimated the value of the stolen tokens to exceed $1.7 million.
The attack appears to have exploited flexibility in the Wyvern protocol, the open-source standard underlying most NFT smart contracts, including those used on OpenSea. One explanation (linked to by CEO Devin Finzer on Twitter) described the attack in two parts: first, the targets signed a partial contract, one carrying a general authorization with large portions left blank. With that signature in hand, the attackers completed the contract with a call to their own contract, which transferred ownership of the NFTs without payment. In essence, the targets had signed a blank check, and once it was signed, the attackers filled in the rest of the check to take their holdings.
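The following is an added toy model of the "blank check" signing pattern described above; it is not code from the article, from OpenSea, or from the Wyvern protocol. It assumes an order whose signer commits only to the fields it has filled in and lists the remaining fields as open, so that whoever finalizes the order may set them without invalidating the signature. HMAC-SHA256 stands in for the ECDSA signature a wallet would produce, and the field names, addresses and sample order are constructed for illustration.

```python
import hashlib
import hmac
import json

# Fields of the toy order. "taker" is who receives the token and "calldata" is
# what the exchange contract would execute on settlement; both are assumptions.
FIELDS = ("maker", "token", "token_id", "price", "taker", "calldata")


def signed_payload(order: dict) -> bytes:
    """What the signature commits to: the fixed fields plus the list of open ones.

    Fields listed in order["open"] are excluded from the hash whatever value
    they hold, so filling them in later leaves the signature valid. That is the
    "blank check": the signer has approved any value in those slots.
    """
    open_fields = sorted(order["open"])
    fixed = {k: order[k] for k in FIELDS if k not in open_fields}
    return json.dumps({"fixed": fixed, "open": open_fields}, sort_keys=True).encode()


def sign_order(order: dict, key: bytes) -> str:
    # HMAC stands in for the wallet's ECDSA signature (assumption of the toy model).
    return hmac.new(key, signed_payload(order), hashlib.sha256).hexdigest()


def verify_order(order: dict, sig: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_order(order, key), sig)


def fill_open_fields(order: dict, **values) -> dict:
    """Complete an order: only the fields the signer left open may be set."""
    completed = dict(order)
    for k, v in values.items():
        if k not in order["open"]:
            raise ValueError(f"{k} was fixed by the signer and cannot be changed")
        completed[k] = v
    return completed


def blank_check_fields(order: dict) -> list:
    """Hardened pre-signing check: which security-critical fields are left open?

    A wallet or marketplace front end should refuse to sign an order for which
    this returns anything, because the counterparty, not the signer, decides
    who gets the token, what is paid and what code runs at settlement.
    """
    critical = {"token", "token_id", "price", "taker", "calldata"}
    return sorted(f for f in order["open"] if f in critical)


# Constructed sample data: the victim signs an order for token #1 of one
# collection with the price, the recipient and the settlement call left blank.
VICTIM_KEY = b"victim-wallet-key"  # stand-in for the victim's private key
PARTIAL_ORDER = {
    "maker": "0xVICTIM",
    "token": "0xCOLLECTION",
    "token_id": 1,
    "price": None,
    "taker": None,
    "calldata": None,
    "open": ["price", "taker", "calldata"],
}


def attacker_completes(order: dict, sig: str) -> tuple:
    """Attacker fills the blanks so settlement hands the token over for nothing.

    Returns (completed order, whether the victim's original signature still verifies).
    """
    completed = fill_open_fields(
        order,
        price=0,
        taker="0xATTACKER",
        calldata="transferFrom(0xVICTIM, 0xATTACKER, 1)",
    )
    return completed, verify_order(completed, sig, VICTIM_KEY)


if __name__ == "__main__":
    sig = sign_order(PARTIAL_ORDER, VICTIM_KEY)
    completed, still_valid = attacker_completes(PARTIAL_ORDER, sig)
    print("open fields a wallet should refuse to sign:", blank_check_fields(PARTIAL_ORDER))
    print("signature still valid after the attacker filled the blanks:", still_valid)
```

The point of the model is the last line of output: every transaction carries a genuine signature from the victim, which is why such transfers look valid on chain, and the only place to stop it is before signing, by refusing any order whose critical fields are open.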
“I checked every transaction,” said a user who goes by Neso. “They all have valid signatures from the people who lost the NFTs, so no one claims they were caught, but the NFTs were lost, sadly.”
Valued at $13 billion in a recent funding round, OpenSea has become one of the most valuable companies of the NFT boom, providing users with a simple interface to list, browse and bid on tokens without interacting with the blockchain directly. That success has come with significant security issues, as the company battles attacks that take advantage of old contracts or poisoned tokens to steal users' valuable holdings.
OpenSea was in the process of updating its contract system when the attack occurred, but the company has denied that the attack was triggered by the new contracts. The relatively small number of targets makes such a vulnerability unlikely, since any flaw in the broader platform would likely be exploited on a far larger scale.
Nevertheless, many details of the attack remain unclear, particularly how the attackers got the targets to sign the half-empty contract. Writing on Twitter shortly before 3AM ET, OpenSea CEO Devin Finzer said the attacks did not originate from OpenSea's website, its various listing systems, or any of the company's emails. The sheer speed of the attack, with hundreds of transactions in just a few hours, suggests some common vector of attack, but no link has yet been discovered.
"We'll keep you updated as we learn more about the exact nature of the phishing attack," Finzer said on Twitter. "If you have specific information that may be useful, please DM @opensea_support."