Quick Summary
- OpenSea got hacked and many users lost their NFTs as a result. The exact number of NFTs stolen is unclear, but a significant number of tokens were stolen.
Non-fungible tokens (NFTs) get a lot of recognition, but there are certain risks connected to them. Recently, hackers were able to steal some NFTs from the biggest marketplace in the world, OpenSea. Let’s have a look at how it happened.
Details About Update of Contract System
OpenSea announced an upgrade of its contract system. This smart contract update involved the delisting of inactive NFTs and gave users a deadline of 1 week in which to shift their listed NFTs from the Ethereum (ETH) blockchain to a new smart contract.
Rumors Regarding This Phishing Attack
Rumors have circulated that this was a $200 million hack. However, OpenSea CEO Devin Finzer denies it, saying that the attacker has sold some of the stolen NFTs and only has $1.7 million of ETH in his wallet. Moreover, the blockchain security service PeckShield reported that the stolen tokens were from Decentraland and Bored Ape Yacht Club (BAYC).
He also suspects that there was a leak of users' personal information, which aided the attackers. Because the attack happened shortly after the announcement of the upgrade, many people suspect that it originated from the upgrade. However, the CEO tweeted that the attacks had not originated from OpenSea’s website, its various listing systems, or any emails from the company.
Assumptions About The Attack
According to a BBC report, this attack happened at nearly the same time as the UK tax authority seized three NFTs as part of an inquiry into a 1.4 million British pounds (almost $1.9 million) fraud case. The Wyvern Protocol is an open-source standard underlying most NFT smart contracts, including those made on OpenSea.
The attackers most likely exploited its flexibility to steal the NFTs. The CEO explained on Twitter how the attack took place as a two-step procedure. First, the targets partially signed a contract with a general authorization and the primary information left unfilled.
Once the attackers had the signature in place, they completed the contract with a call to their own contract and transferred ownership of the NFTs regardless of payment. In effect, the targets had signed a blank check, and the attackers filled in the rest of the check to take their holdings.
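The two-step attack described above depends on a signature over an order whose key fields are still blank. As an added example (not code from OpenSea or the Wyvern project), the JavaScript below shows a pre-signing check a wallet could run; the order field names, the trusted-target list and the sample orders are constructed assumptions, not the Wyvern schema.

```javascript
// Added example: review an order before the wallet signs it.
// Field names are a simplified, hypothetical order shape, not the Wyvern schema.
const REQUIRED_FIELDS = ["target", "calldata", "paymentToken", "basePrice"];

// Constructed placeholder address standing in for a contract the wallet trusts.
const TRUSTED_TARGETS = new Set(["0x" + "a".repeat(40)]);

const isBlank = (v) => v === undefined || v === null || v === "" || v === "0x";

function reviewOrder(order) {
  const findings = [];
  // A blank field is one the counterparty gets to choose after the signature exists.
  for (const field of REQUIRED_FIELDS) {
    if (isBlank(order[field])) findings.push(`unfilled:${field}`);
  }
  // The order should only call a contract the wallet already recognises.
  if (!isBlank(order.target) &&
      !TRUSTED_TARGETS.has(String(order.target).toLowerCase())) {
    findings.push("untrusted-target");
  }
  // Price must be a decimal integer string (wei) greater than zero.
  if (!isBlank(order.basePrice)) {
    const price = String(order.basePrice);
    if (!/^\d+$/.test(price)) findings.push("invalid:basePrice");
    else if (BigInt(price) === 0n) findings.push("zero-price");
  }
  return { safeToSign: findings.length === 0, findings };
}

// Constructed sample: a fully specified listing.
const completeListing = {
  target: "0x" + "A".repeat(40),
  calldata: "0x" + "11".repeat(36),
  paymentToken: "0x" + "0".repeat(40),
  basePrice: "1500000000000000000",
};

// Constructed sample: the "blank check" shape described above.
const blankCheck = {
  target: "",
  calldata: "0x",
  paymentToken: "0x" + "0".repeat(40),
  basePrice: "0",
};

console.log(reviewOrder(completeListing));
console.log(reviewOrder(blankCheck));
```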
Conclusion
The speed of the attack, which involved hundreds of transactions in a matter of hours, suggests a common attack vector, but no link has been discovered so far. “We’ll keep you updated about the progress as we learn more about the exact nature of the phishing attack,” said Finzer on Twitter. “If you have specific information that could be useful, please DM @opensea_support.”