Hundreds of non-fungible tokens (NFTs) were stolen from OpenSea users on Saturday, 19 February, sparking rumours that the world's largest NFT marketplace was hacked and $200 million was lost in value.
Devin Finzer, co-founder and CEO of OpenSea, clarified on Twitter that it was apparently a phishing scam directed at 32 individual users, and not connected to the NFT marketplace itself.
This list was narrowed down to just 17 users.
He also said that rumours of a $200 million hack are false and that the attacker has $1.7 million of Ether in his wallet from selling some of the stolen NFTs.
A spreadsheet put together by blockchain security and data analytics company PeckShield lists 254 tokens stolen over the course of three hours, including tokens from popular collections like Bored Ape Yacht Club, Cool Cats and Azuki.
How It Was Done
Phishing is a type of cyberattack where an attacker sends a fraudulent message designed to trick people into revealing sensitive information that they can exploit to deploy malware or steal things.
This phishing attack apparently exploited a flexibility in the Wyvern Protocol, an open-source and decentralised protocol used by several marketplaces.
OpenSea began transitioning to a new version of the Wyvern smart contract system on Friday, one day before the attack. The process will be completed by 25 February.
Finzer pointed towards Neso, a user on Twitter who offered a possible explanation about how the attack was executed. Targets essentially signed a blank contract with large portions left empty, after which the attackers managed to fill in the details, thus transferring the ownership of the NFTs without payment.
"All of the malicious orders contain valid signatures from the affected users, indicating that they did sign an order somewhere, at some point in time," wrote Nadav Hollander, chief technology officer, in his technical rundown.
"However, none of these orders were broadcasted to OpenSea at the time of signing," he added.
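The "blank contract" mechanism described above, modelled as an added example (not code from OpenSea, Wyvern or anyone quoted here): a signed sell order whose taker and price were left unset can be filled by any counterparty for nothing, and a wallet-side pre-signature check flags that combination before the user signs. Field names follow the Wyvern order layout as an assumption; addresses and values are constructed.

```python
import hashlib
import json

ZERO_ADDRESS = "0x" + "0" * 40

# Constructed sample orders. Field names are an assumption modelled on the Wyvern
# order layout (maker, taker, side, basePrice, expirationTime, target); the
# addresses and values are made up for this example.
BLANK_CHECK_ORDER = {
    "maker": "0x" + "11" * 20,
    "taker": ZERO_ADDRESS,   # left open: any counterparty may fill
    "side": "sell",
    "basePrice": 0,          # left at zero: the asset changes hands for nothing
    "expirationTime": 0,     # left at zero: never expires
    "target": "0x" + "aa" * 20,
}
SCOPED_ORDER = dict(BLANK_CHECK_ORDER, taker="0x" + "22" * 20,
                    basePrice=10**18, expirationTime=1_650_000_000)


def order_digest(order: dict) -> str:
    """Deterministic digest over every field; stand-in for the typed-data hash a
    wallet signs. Blank fields are hashed as-is, so the signature stays valid as
    long as they are never changed, which is exactly what an open order allows."""
    canonical = json.dumps(order, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def can_be_filled_by(order: dict, counterparty: str, signed_digest: str) -> bool:
    """Exchange-side matching rule: the signature must bind this exact order, and
    the counterparty must be the named taker unless the maker left the taker open."""
    if order_digest(order) != signed_digest:
        return False
    return order["taker"] in (ZERO_ADDRESS, counterparty)


def pre_sign_findings(order: dict) -> list[str]:
    """Wallet-side check run before the user is asked to sign: reports the
    blank-check combination so the signing prompt can warn or refuse."""
    findings = []
    if order["side"] == "sell" and int(order["basePrice"]) == 0:
        findings.append("sell order with zero price: asset would be given away")
    if order["taker"] == ZERO_ADDRESS:
        findings.append("taker unset: any counterparty can fill this order")
    if int(order["expirationTime"]) == 0:
        findings.append("no expiration: the signed order stays valid indefinitely")
    return findings
```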
It isn't yet known how the attackers managed to get people to sign the contracts.
According to some users on Twitter, this was done with the help of a phishing email which seemed like it was sent by OpenSea. Clicking on the link would apparently take users to a malicious site through which attackers could initiate NFT transactions.
This hasn't been confirmed by OpenSea, which says that it is conducting an investigation into the matter.
OpenSea Clears Its Name
"This attack did not originate on http://opensea.io," Finzer tweeted hours after he announced that OpenSea was running an all-hands-on-deck investigation.
According to him the attack wasn't triggered by interacting with an OpenSea email or by minting, buying, selling, or listing items on the website. He added he wasn't aware of any of the affected users receiving or clicking links in suspicious emails.
Clicking on the site’s banner, signing the new Wyvern smart contract, and using OpenSea’s migration tool to move listings to the new contract system were also determined to be safe.
OpenSea, valued at around $13 billion, has also been struggling with a plagiarism problem. It offers 'lazy minting', which uses a portion of the selling price as gas, effectively allowing users to mint for free.
With this, it's very easy to copy someone's work, mint an NFT, and reap the often considerable monetary benefits. It tried to put a 50-item limit on this free-minting tool because it was being abused, but later relented.