In yet another alarming development, OpenSea, the world’s largest NFT marketplace, disclosed that it had been hit by a phishing attack in which at least 32 customers lost NFTs valued at US$1.7 million. This came after Devin Finzer, co-founder and CEO of OpenSea, rebutted reports that the marketplace itself had been breached.
The incident occurred while OpenSea was migrating to its new Wyvern smart contract system, a process that started on Friday and is expected to finish by February 25. The Wyvern smart contract is an open-source standard commonly used in NFT smart contracts and Web3 applications, notably OpenSea. As part of the contract upgrade, OpenSea users were required to migrate their listed NFTs on the Ethereum blockchain to the new smart contract. Users who do not migrate risk losing their old, inactive listings; the migration presently requires no gas fees. The contract upgrade, intended to remove inactive NFTs from the platform, came with a one-week deadline. To assist users, the platform emailed all of them with instructions on how to confirm the migration of their listings.
The news that attackers were stealing NFTs in the middle of the listing migration broke just hours after OpenSea announced its update. The phishing actors took advantage of this process, sending a copy of OpenSea’s message to targeted users from their own email addresses and fooling them into thinking their original confirmation had failed.
According to an explanatory thread posted by Finzer, the victims were asked to sign half of a Wyvern order. Apart from the call data and a target pointing to the attacker’s contract, the order was practically empty; the victim signed one half and the attacker the other.
Once it was signed, the attacker called their own contract, listed as the target in the double-signed order, which initiated the transfer of the victim’s NFTs to the attacker.
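As an added example (not OpenSea’s or Wyvern’s code), the following wallet-side screen flags a sell order shaped like the one described above: a settlement target that is not a recognised marketplace contract, calldata that would run against it, a zero price for the maker, and an order anyone can fill that never expires. The Order fields are an assumed, simplified subset of the Wyvern order struct, and every address in it is a constructed placeholder.

```python
"""Screen a Wyvern-style sell order before a wallet signs it.
Added illustrative example, not OpenSea or Wyvern project code: the Order
fields are an assumed subset of the real struct; addresses are placeholders."""
from dataclasses import dataclass
from typing import List

ZERO_ADDR = "0x" + "0" * 40
TRUSTED_EXCHANGE = "0x" + "e" * 40        # constructed: known marketplace contract
TRUSTED_TARGET = "0x" + "7" * 40          # constructed: known transfer helper
TRUSTED_TARGETS = {TRUSTED_TARGET}


@dataclass
class Order:
    exchange: str         # contract that settles the order
    maker: str            # account being asked to sign
    taker: str            # zero address means anyone may fill the order
    target: str           # contract the exchange calls at settlement
    calldata: str         # hex call executed against target
    payment_token: str    # zero address means native ETH
    base_price: int       # wei the maker is to receive
    expiration_time: int  # unix time; 0 means the order never expires


def screen_order(order: Order) -> List[str]:
    """Return reasons the order should not be signed; [] means none found."""
    reasons = []
    if order.exchange.lower() != TRUSTED_EXCHANGE:
        reasons.append("exchange is not the known marketplace contract")
    if order.target.lower() not in TRUSTED_TARGETS:
        reasons.append("settlement target is an unrecognised contract")
        if order.calldata not in ("", "0x"):
            reasons.append("calldata would execute against that unrecognised contract")
    if order.base_price == 0:
        reasons.append("maker receives nothing in exchange for the assets")
    if order.taker == ZERO_ADDR and order.expiration_time == 0:
        reasons.append("fillable by anyone and never expires")
    return reasons


# Constructed sample: an ordinary listing routed through the known contracts.
LEGIT = Order(TRUSTED_EXCHANGE, "0x" + "a" * 40, ZERO_ADDR, TRUSTED_TARGET,
              "0x23b872dd", ZERO_ADDR, 10**18, 1_700_000_000)

# Constructed sample shaped like the half-empty order described above:
# unknown target plus calldata, zero price, open taker, no expiry.
SUSPECT = Order(TRUSTED_EXCHANGE, "0x" + "a" * 40, ZERO_ADDR, "0x" + "b" * 40,
                "0xdeadbeef", ZERO_ADDR, 0, 0)
```

A wallet or browser extension would run such a screen on the typed data it is asked to sign and show the reasons to the user before any signature is produced.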
According to Finzer, OpenSea determined that neither its website nor a previously unknown weakness in the platform’s NFT minting, purchasing, selling, or listing functions was used in the attack. Clicking on the site’s banner, signing the new Wyvern smart contract, and migrating listings to the new Wyvern contract system through OpenSea’s listing migration tool were all found to be secure.
According to PeckShield, a blockchain security firm, up to 254 tokens were taken, including NFTs from Decentraland, the Azuki collections, and the Bored Ape Yacht Club. Molly White, the creator of the Web3 is Going Great blog, estimated the loot to be worth 641 ETH. In addition, according to the security firm, the OpenSea hacker(s) allegedly used the privacy mixer Tornado Cash to launder 1,100 ETH. Tornado Cash can mask the final destination of Ether tokens.
OpenSea is still investigating the phishing attack. Its examination so far indicates that the NFTs were stolen using phishing emails before they were moved to OpenSea’s new smart contract. OpenSea has denied that the attack was caused by the new contracts and says the phishing emails originated from outside the platform.
Finzer stated that they have yet to determine which websites were tricking users into signing malicious messages. In the meantime, OpenSea is reaching out to affected users to offer assistance with the next steps.
NFTs are digital tokens that serve as proofs of authenticity for, and in certain cases, ownership of, assets ranging from high-end ape paintings to collectibles such as celebrity signatures and tangible commodities such as a case of rare whiskey.
With over one million active user wallets and a market capitalization of $13 billion, OpenSea is one of the largest NFT marketplaces. According to Dune Analytics, a blockchain analytics business, its average daily trade volume is over $260 million, with a monthly volume of over $2 billion in January 2022. According to the blockchain tracking service DappRadar, the platform has done $21.8 billion in lifetime trades, around $5 billion more than the second-largest platform, LooksRare.
Check Point Research issued a security alert in October 2021 regarding a vulnerability in OpenSea that, if abused, could have let attackers take over user accounts and empty their crypto wallets by sending malicious NFTs. More broadly, according to a report released earlier this month by Chainalysis, illicit wallets amassed nearly $11 billion in cryptocurrency in 2021 alone.
Last year, a phishing scam led to the loss of 15 NFTs worth $2.2 million from Todd Kramer’s Ethereum wallet, among them four from the Bored Ape Yacht Club. The British heavy metal legend Ozzy Osbourne debuted his CryptoBatz collection in January, consisting of 9,666 digital bats modeled after Osbourne’s personality; only two days after the tokens were issued, collectors reported being targeted by a wallet-draining phishing scam via a faulty link posted by the project’s official Twitter account. Wormhole Portal, a crypto platform, was hacked in February of this year, losing $322 million, the second-largest hack in the DeFi industry.
The Chainalysis report also noted that the tactic of hackers generating enthusiasm around a project to inflate prices before abandoning it has become more common in the last year or so.