OpenSea launches investigation into user NFT theft

The NFT marketplace OpenSea has launched an investigation into rumors of an exploit related to its smart contracts. The company said this was a phishing attack — no issues on the platform’s side have been found.

“We are actively investigating rumors about an exploit related to OpenSea’s smart contracts. It appears to be a phishing attack originating from outside sources. Do not follow links outside opensea.io,” the statement says.

On Friday, February 18, the OpenSea smart contract was restarted. The initiative aimed to remove old sale listings from the platform and close a vulnerability that allowed some tokens to be purchased at prices from months earlier, even if they did not appear in the marketplace’s interface.

On February 19, reports of thefts of users’ non-fungible tokens appeared online. Rumors of a $200 million hack circulated, but OpenSea co-founder Devin Finzer denied them. According to him, the attacker’s address holds $1.7 million in ETH, obtained by selling part of the stolen NFTs.

According to Finzer, the incident affected at least 32 users. PeckShield analysts published a list of stolen NFTs; the document lists 253 items. Among these assets are tokens from Bored Ape Yacht Club, Azuki, CloneX, Mutant Ape Yacht Club and others.

Update:

OpenSea narrowed the list of those affected from 32 to 17. It now includes users whose NFTs were stolen.

According to the marketplace, the attacker’s address has been inactive for the last 15 hours. OpenSea representatives said the investigation continues.

The OpenSea investigation is not yet complete, but the company has already drawn some conclusions. According to Finzer, the project team is confident that the tokens were stolen as a result of a phishing attack outside the platform.

The co-founder of the marketplace emphasized that the company ruled out the following attack vectors:

  • a breach of OpenSea’s mail server;
  • compromise of the platform’s website, including tools for buying, selling or listing items;
  • compromise of the new Wyvern 2.3 smart contract;
  • compromise of the token-migration tool to the new contract.

Finzer explained that the attacker has already stopped the attack. He pledged to share information about the incident with users as the investigation progresses.

PeckShield also reported that the tokens were stolen in a phishing attack. According to its experts, users were sent fake messages about migrating their NFTs to the new smart contract; the link in those emails led to a transaction which, once signed, resulted in the theft of assets.

“The only question left for OpenSea is whether there was a data leak of user information (for example, email addresses) that allowed the phishing to proceed,” PeckShield added.

Eric Conner, EthHub co-founder and co-author of EIP-1559, suggested the attack on the marketplace could have looked like this:

  • Four weeks ago, the attacker prepared a phishing attack or a smart contract;
  • Since then, he coerced victims into signing valid orders and permissions;
  • The hacker did not use them, believing the attack would be noticed quickly;
  • The migration to the new contract prompted him to wrap up the scam.

A developer using the handle 0xfoobar warned that a single malicious signature could rug all of a user’s NFTs on the platform.

He believes the phishing attack was carried out several weeks ago and that the attacker decided to finish it before the old listings expired. 0xfoobar explained that all the stolen tokens were minted on the first version of the contract.

The developer advised users to revoke any permissions granted to OpenSea. He stressed that the platform’s code contains no vulnerabilities.
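To illustrate the two points above, that one signed order can move every token an approved operator controls and that users were advised to revoke permissions, the following Python is example code added to this article; it is not tooling from OpenSea, PeckShield or 0xfoobar. It replays ERC-721 `ApprovalForAll` events to determine which operators still hold blanket approval over a wallet's collections and builds the `setApprovalForAll(operator, false)` calldata that revokes one. The event topic hash and function selector are the standard ERC-721 values; the wallet, operator and collection addresses and the event logs are constructed samples, and in a real check the logs would come from a node's `eth_getLogs`.

```python
from dataclasses import dataclass

# Standard ERC-721 constants (keccak256 of the canonical signatures).
# keccak256("ApprovalForAll(address,address,bool)")
APPROVAL_FOR_ALL_TOPIC = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"
# First 4 bytes of keccak256("setApprovalForAll(address,bool)")
SET_APPROVAL_FOR_ALL_SELECTOR = "a22cb465"


@dataclass(frozen=True)
class Log:
    """Minimal view of an EVM event log as returned by eth_getLogs."""
    address: str        # NFT contract that emitted the event
    topics: tuple       # (event signature hash, indexed owner, indexed operator)
    data: str           # ABI-encoded bool `approved` (one 32-byte word)
    block_number: int
    log_index: int


def topic_to_address(topic: str) -> str:
    """An indexed address is left-padded to 32 bytes; the address is the last 20."""
    return "0x" + topic[-40:].lower()


def decode_approval_for_all(log: Log):
    """Return (contract, owner, operator, approved), or None for other events."""
    if log.topics[0].lower() != APPROVAL_FOR_ALL_TOPIC:
        return None
    owner = topic_to_address(log.topics[1])
    operator = topic_to_address(log.topics[2])
    approved = int(log.data, 16) != 0
    return (log.address.lower(), owner, operator, approved)


def active_approvals(logs):
    """Replay ApprovalForAll events in chain order; the last event per
    (contract, owner, operator) decides whether the operator is still approved."""
    state = {}
    for log in sorted(logs, key=lambda l: (l.block_number, l.log_index)):
        decoded = decode_approval_for_all(log)
        if decoded is None:
            continue
        contract, owner, operator, approved = decoded
        state[(contract, owner, operator)] = approved
    return {key for key, approved in state.items() if approved}


def revoke_calldata(operator: str) -> str:
    """Calldata for setApprovalForAll(operator, false). The owner sends it to the
    NFT contract; afterwards no signed order can move tokens through that operator."""
    operator_word = operator.lower().removeprefix("0x").rjust(64, "0")
    false_word = "0" * 64
    return "0x" + SET_APPROVAL_FOR_ALL_SELECTOR + operator_word + false_word


# Constructed sample data (hypothetical addresses, not from the incident).
def _addr(byte: str) -> str:
    return "0x" + byte * 20


def _topic(address: str) -> str:
    return "0x" + "00" * 12 + address[2:]


OWNER = _addr("11")
MARKET_PROXY = _addr("22")      # hypothetical marketplace operator contract
UNKNOWN_OPERATOR = _addr("33")  # hypothetical operator the owner does not recognise
COLLECTION_A = _addr("44")
COLLECTION_B = _addr("55")
TRUE_WORD = "0x" + "0" * 63 + "1"
FALSE_WORD = "0x" + "0" * 64

SAMPLE_LOGS = [
    # Listed out of chain order on purpose: the replay must sort by block/index.
    Log(COLLECTION_A, (APPROVAL_FOR_ALL_TOPIC, _topic(OWNER), _topic(MARKET_PROXY)), FALSE_WORD, 200, 0),
    Log(COLLECTION_A, (APPROVAL_FOR_ALL_TOPIC, _topic(OWNER), _topic(MARKET_PROXY)), TRUE_WORD, 100, 0),
    Log(COLLECTION_B, (APPROVAL_FOR_ALL_TOPIC, _topic(OWNER), _topic(MARKET_PROXY)), TRUE_WORD, 101, 3),
    Log(COLLECTION_A, (APPROVAL_FOR_ALL_TOPIC, _topic(OWNER), _topic(UNKNOWN_OPERATOR)), TRUE_WORD, 150, 1),
    # Unrelated event (different topic0) that the decoder must skip.
    Log(COLLECTION_A, ("0x" + "ab" * 32, _topic(OWNER), _topic(MARKET_PROXY)), TRUE_WORD, 201, 0),
]

if __name__ == "__main__":
    for contract, owner, operator in sorted(active_approvals(SAMPLE_LOGS)):
        print(f"{owner} still approves {operator} on {contract}")
        print("  revoke with calldata:", revoke_calldata(operator))
```

The replay shows why a blanket approval matters for this incident: an approval granted weeks earlier stays in force until an explicit revocation event, which is exactly the window in which a previously signed order can be executed. Running the check against real logs only requires swapping `SAMPLE_LOGS` for the result of an `eth_getLogs` query filtered on `APPROVAL_FOR_ALL_TOPIC` and the owner's address.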

In February 2022, Binance chief Changpeng Zhao warned clients about a sweeping phishing campaign.
