OpenSea users lose hundreds of NFTs in likely phishing attack
The damage is estimated at $1.7 million.
NFT marketplace OpenSea is investigating a “phishing attack” that has left more than two dozen of its users without access to some of their most valuable digital tokens. On late Saturday evening, panic hit the platform when someone stole hundreds of NFTs.
We have confidence that this was a phishing attack. We don’t know where the phishing occurred, but we’ve been able to rule out a number of things based on our conversations with the 32 affected users. Specifically:
— Devin Finzer (dfinzer.eth) (@dfinzer) February 20, 2022
Over several hours that afternoon, the attacker targeted 32 accounts and obtained 254 tokens, according to a spreadsheet compiled by Blockchain security service PeckShield. Among the stolen NFTs are tokens from the Bored Ape Yacht Club and Azuki collections. One estimate by Molly White, the creator of the Web3 is Going Great blog, pegged the haul at 641 Ethereum (approximately $1.7 million at the time of this article).
“We have confidence that this was a phishing attack,” said Devin Finzer, the co-founder and CEO of OpenSea, in a tweet posted early Sunday morning. “We don’t know where the phishing occurred, but we’ve been able to rule out a number of things based on our conversations with the 32 affected users.”
According to Finzer, OpenSea determined its website was not a vector for the attack, nor did someone exploit a previously unknown vulnerability in the platform’s NFT minting, buying, selling and listing features. “Interaction with an OpenSea email is not a vector for attack,” said Finzer. “In fact, we are not aware of any of the affected users receiving or clicking links in suspicious emails.”
We’ve reached out to OpenSea for comment.
Attacker calls their own contract with calldata including the valid order AND address + transfer calldata for all the NFTs the target has approved on the wyvern (opensea) contract.
— Neso (@Nesotual) February 20, 2022
As noted by The Verge, the attack likely took advantage of an aspect of the Wyvern Protocol. Many Web3 platforms, including OpenSea, use the open-source standard to underpin their contracts. One Twitter thread suggests those targeted in the phishing campaign may have signed a partial agreement that allowed the attacker to transfer the NFTs without any Ethereum changing hands. Linking to the thread, Finzer said it presented a scenario that was “consistent with our current internal understanding” of the situation.
While there’s still much about the attack we don’t know, what is clear is that it couldn’t have come at a worse time for OpenSea. On Friday, the company introduced a new smart contract and asked people to migrate their assets. It has also been the subject of recent controversy, first starting with an employee who resigned for using insider information to profit on NFT drops and then more recently over the prevalence of tokens that are fake, plagiarized or spam on its platform.