On Saturday, attackers stole hundreds of NFTs from OpenSea users, prompting a late-night panic among the site’s large user base. A spreadsheet compiled by the blockchain security service PeckShield counted 254 tokens stolen over the course of the attack, including tokens from Decentraland and Bored Ape Yacht Club.
The bulk of the attacks took place between 5PM and 8PM ET, attacking 32 users in all. Molly White, who writes the blog Web3 is Going Great, estimated the worth of the stolen tokens at more than $1.7 million.
$1.7 million NFTs Stolen
The hack appears to have exploited a weakness in the Wyvern Protocol, the open-source standard underlying most NFT smart contracts, including those used on OpenSea. One explanation, posted on Twitter by OpenSea CEO Devin Finzer, described the attack in two parts: first, targets signed a partial contract, with a general authorisation and large portions left blank. With that signature in place, attackers completed the contract with a call to their own contract, which transferred ownership of the NFTs without payment. In essence, targets of the attack had signed a blank check — and after it was signed, attackers filled in the rest of the check to seize their possessions.
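The "blank check" framing above maps onto a wallet-side check that a defender can run before anything is signed: inspect the order for fields that are left open or zeroed, since a signature commits only to what the order actually constrains. The following is an added example and is not OpenSea's or the Wyvern Protocol's own code; the `Order` fields, the `0xFF` replacement-pattern convention, the severity levels and the sample orders are simplifications assumed here for illustration, not the real protocol struct.

```python
"""Pre-signature inspection of a marketplace order (added example).

Assumption: the Order dataclass below is a simplified stand-in for a
Wyvern-style order. In this model, bytes of `replacement_pattern` set to
0xFF mark calldata bytes the counterparty may overwrite when filling.
"""
from dataclasses import dataclass

ZERO_ADDRESS = "0x" + "0" * 40
# ERC-721 transferFrom(address,address,uint256) selector, used in the sample order.
TRANSFER_FROM_SELECTOR = bytes.fromhex("23b872dd")


@dataclass
class Order:
    maker: str
    taker: str                 # ZERO_ADDRESS means anyone may fill (normal for a public listing)
    target: str                # contract the exchange will call when the order fills
    calldata: bytes            # the call the exchange executes on `target`
    replacement_pattern: bytes # which calldata bytes the filler may replace (assumed 0xFF mask)
    payment_token: str
    base_price: int            # in smallest units of payment_token
    expiration_time: int       # unix seconds; 0 means never expires


def replaceable_bytes(pattern: bytes) -> set[int]:
    """Indices of calldata bytes the filler is allowed to overwrite."""
    return {i for i, b in enumerate(pattern) if b == 0xFF}


def inspect_order(order: Order) -> list[tuple[str, str]]:
    """Return (severity, message) findings. 'high' findings mean the order
    leaves something the counterparty can fill in after signing."""
    findings: list[tuple[str, str]] = []
    if order.taker == ZERO_ADDRESS:
        findings.append(("info", "open taker: any counterparty can fill this order"))
    if order.target == ZERO_ADDRESS:
        findings.append(("high", "blank target: the filler chooses which contract is called"))
    if not order.calldata:
        findings.append(("high", "empty calldata: the filler supplies the entire call"))
    else:
        if len(order.replacement_pattern) != len(order.calldata):
            findings.append(("high", "replacement pattern length does not match calldata"))
        mask = replaceable_bytes(order.replacement_pattern)
        # Bytes 0-3 are the function selector; letting the filler rewrite them
        # lets them change which function the target executes.
        if mask & {0, 1, 2, 3}:
            findings.append(("high", "replacement pattern covers the function selector"))
        if len(mask) > len(order.calldata) // 2:
            findings.append(("high", "more than half of calldata is replaceable by the filler"))
    if order.base_price == 0:
        findings.append(("high", "zero price: assets would move without payment"))
    if order.expiration_time == 0:
        findings.append(("high", "no expiry: the signature never lapses"))
    return findings


def high_findings(order: Order) -> list[str]:
    return [msg for sev, msg in inspect_order(order) if sev == "high"]


def safe_to_sign(order: Order) -> bool:
    """A wallet would refuse (or at least loudly warn) when this is False."""
    return not high_findings(order)


# Constructed sample 1: a "blank check" order, everything left for the filler.
BLANK_CHECK = Order(
    maker="0x" + "a" * 40, taker=ZERO_ADDRESS, target=ZERO_ADDRESS,
    calldata=b"", replacement_pattern=b"", payment_token=ZERO_ADDRESS,
    base_price=0, expiration_time=0,
)

# Constructed sample 2: an ordinary public listing. transferFrom(from, to, tokenId),
# where only the 32-byte `to` word (bytes 36-67) may be filled in by the buyer.
_from_word = bytes.fromhex("a" * 40).rjust(32, b"\x00")
_to_word = b"\x00" * 32
_token_id_word = (1234).to_bytes(32, "big")
NORMAL_LISTING = Order(
    maker="0x" + "a" * 40, taker=ZERO_ADDRESS, target="0x" + "b" * 40,
    calldata=TRANSFER_FROM_SELECTOR + _from_word + _to_word + _token_id_word,
    replacement_pattern=b"\x00" * 36 + b"\xff" * 32 + b"\x00" * 32,
    payment_token=ZERO_ADDRESS, base_price=10**18, expiration_time=1_700_000_000,
)

if __name__ == "__main__":
    for name, order in (("blank check", BLANK_CHECK), ("normal listing", NORMAL_LISTING)):
        print(name, "safe_to_sign =", safe_to_sign(order))
        for sev, msg in inspect_order(order):
            print("  ", sev, msg)
```

The useful property here is that the ordinary listing produces only an informational note (an open taker is how public listings work), while the blank-check order trips four high-severity findings; a wallet or browser extension that ran a check like this before prompting for a signature would have had something concrete to show the user.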
“I reviewed every transaction,” stated a user who goes by Neso. “They all have genuine signatures from the folks who lost NFTs so anyone saying they didn’t get phished but lost NFTs is tragically wrong.”
Valued at $13 billion in a recent investment round, OpenSea has become one of the most valuable firms of the NFT boom, providing a straightforward interface for users to list, explore, and bid on tokens without interacting directly with the blockchain. That success has come with serious security challenges, as the business has grappled with hacks that utilised old contracts or poisoned tokens to take users’ valuable holdings.
OpenSea was in the process of modernising its contract system when the attack took place, but the company has denied that the hack originated with the new contracts. The comparatively small number of targets makes such a vulnerability improbable, since a flaw in the broader platform would likely be exploited on a far greater scale.
Phishing Attack On OpenSea Users
Still, many specifics of the attack remain unclear — particularly how attackers got recipients to sign the half-empty contract. Writing on Twitter shortly before 3AM ET, OpenSea CEO Devin Finzer said the attacks had not originated from OpenSea’s website, its various listing systems, or any emails from the company. The quick tempo of the attack — hundreds of transactions in a couple of hours — suggests some common attack vector, but so far no connection has been uncovered.
“We’ll keep you updated as we discover more about the actual nature of the phishing attack,” stated Finzer on Twitter. “If you have specific information that could be relevant, please DM @opensea support.”