OpenSea Users Lose $1.7 Million in Phishing Attack. Here’s What We Know
The NFT marketplace giant has confirmed a phishing attack that has left its users reeling in panic.
The incident is still fresh, so we will update this as more comes in, but so far 32 users have reportedly fallen victim to the hack. There isn’t an exact number on how many NFTs were stolen, but considering the amount involved, it must have been in the hundreds. In total, it’s estimated that victims lost over $1.7 million.
On average, an NFT on OpenSea can range from 0.5 to 4.5 ETH. These can include new tokens or ongoing auctioned NFTs. Normally, an NFT doesn’t exceed 3 to 4 ETH unless it’s part of a larger, much more popular collection.
According to PeckShield, the stolen tokens were among some of the high-end collections, including the Bored Ape Yacht Club.
How Did It Happen?
Here is where things get a bit murky. A majority of the NFT community is suspecting an exploit on the Wyvern smart contract. They speculate the attackers must have taken advantage of a vulnerability in the protocol.
While OpenSea isn’t openly admitting there are any exploitable aspects in its smart contract, the NFT platform assures users a full-scale investigation is going on.
Developers and users have been weighing in on how the attack happened, making varying technical assumptions about the Wyvern protocol. It would be difficult to follow for those who aren’t well-versed in the NFT space, let alone coding.
We’ve fortunately been able to break it down into non-technical pieces as to what really transpired.
When you want to sell an NFT or any asset on a decentralized blockchain, for that matter, you need a smart contract to arbitrate the deal. This is a protocol generated by the platform and needs to be signed by both parties for the sale to happen.
While you don’t need any coding experience to safely execute a smart contract, there are numerical details you need to pay attention to before signing.
Every contract, be it ERC-20, 721, or whatever else, has an input and output. For example, if your NFT costs 0.5 ETH and someone agrees to buy, that amount needs to be on the contract since it’s going from their wallet to yours.
After both parties have completed their part of the contract, they can go ahead and retrieve the calldata to claim whatever was on it.
What the OpenSea attacker (supposedly) did was have their victims sign only their part of the smart contract, giving up the NFTs, without any crypto in return.
When the deal was finalized, the attacker retrieved the calldata, which had the victim’s authorization to the NFTs, and disappeared into the sunset. Think of it as selling your car for zero dollars. Would you ever sell anything for zero dollars? Of course not, but according to this contract, you did.
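The "selling your car for zero dollars" problem above is exactly what a wallet or marketplace front end should surface before asking for a signature. The following is an added example, not OpenSea or Wyvern code: it models a sell order with a handful of fields (the field names and the sample addresses are my own constructed assumptions, not the protocol's actual struct) and runs the pre-signature checks a user would want, flagging an order that gives away an asset for nothing, one priced far below a known floor, and one that never expires.

```python
"""Pre-signature sanity check for a marketplace sell order.

Added example; not OpenSea or Wyvern code. SellOrder is a simplified
model whose field names are an assumption, not the protocol's struct.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import List

# Conventional Ethereum "nobody/anybody" address; as a taker it means an open order.
ZERO_ADDRESS = "0x" + "0" * 40


def eth_to_wei(eth: str) -> int:
    """Convert a decimal ETH string to wei without float rounding."""
    return int(Decimal(eth) * 10**18)


@dataclass
class SellOrder:
    maker: str            # wallet giving up the asset (the victim, in the attack)
    taker: str            # wallet allowed to fill; ZERO_ADDRESS means anyone can fill
    asset_contract: str   # NFT collection being sold
    token_id: int
    payment_token: str    # token the maker expects back; ZERO_ADDRESS here means native ETH
    price_wei: int        # amount the maker receives when the order is filled
    expires_at: int       # unix timestamp; 0 means the signature never expires


def describe_sell_order(order: SellOrder) -> str:
    """Plain-language summary of what the signer gives and what they get back."""
    eth = Decimal(order.price_wei) / 10**18
    token = "ETH" if order.payment_token == ZERO_ADDRESS else order.payment_token
    return (f"You give: token #{order.token_id} from {order.asset_contract}. "
            f"You get: {eth.normalize()} {token}.")


def review_sell_order(order: SellOrder, floor_price_wei: int = 0) -> List[str]:
    """Return human-readable warnings; an empty list means nothing looked off."""
    warnings = []
    if order.price_wei == 0:
        # The pattern described in the article: asset out, nothing in.
        warnings.append("price is 0: you would hand over the NFT and receive nothing")
    elif floor_price_wei and order.price_wei < floor_price_wei // 10:
        # Heuristic threshold (my assumption): under 10% of floor is worth a second look.
        warnings.append("price is under 10% of the collection floor")
    if order.expires_at == 0:
        warnings.append("no expiry: this signature stays fillable until you cancel it on-chain")
    return warnings


# Constructed sample orders (not real listings or addresses).
VICTIM_STYLE_ORDER = SellOrder(
    maker="0x" + "a1" * 20, taker=ZERO_ADDRESS, asset_contract="0x" + "b2" * 20,
    token_id=1234, payment_token=ZERO_ADDRESS, price_wei=0, expires_at=0)

NORMAL_ORDER = SellOrder(
    maker="0x" + "a1" * 20, taker=ZERO_ADDRESS, asset_contract="0x" + "b2" * 20,
    token_id=1234, payment_token=ZERO_ADDRESS, price_wei=eth_to_wei("0.5"),
    expires_at=1_700_000_000)

if __name__ == "__main__":
    for order in (VICTIM_STYLE_ORDER, NORMAL_ORDER):
        print(describe_sell_order(order))
        for w in review_sell_order(order, floor_price_wei=eth_to_wei("2")):
            print("  WARNING:", w)
```

The point of `describe_sell_order` is that the give/get pair is what a signer actually needs to see; the raw hex a wallet shows for an order signature carries this information but not in a form a person will read, which is how a zero-consideration order gets signed.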
OpenSea uses the Wyvern protocol, which has become a standard for NFT smart contracts. It’s decentralized and open-source, meaning each contract can have its own custom mechanics. It also has the Matched function that helps in NFT auctions and setting fixed prices.
What’s unsettling about all of this is how someone could overlook such an egregious lack of detail on their smart contracts, especially when there’s a lot of money involved. Hacks aren’t uncommon in this business, but smart contract exploits aren’t easy to do unless you sign a blank one.
This doesn’t look too good for OpenSea as the platform has recently announced a new smart contract and urged users to migrate their listings to it. Their Twitter post is brand new but it’s already aging like last week’s milk.
What NFT Artists Can Take Away From All This
Protect your assets. Do whatever it takes to secure your tokens. OpenSea, as big as it is, has faced much criticism and drama for rampant scams and plagiarism involving NFTs. Nobody is immune to theft so it’s advisable to practice caution, especially if you have a sizable collection.
Smaller artists should consider the same level of alert. Just because you only have a couple of tokens, doesn’t mean you can’t be a target. Crypto Punks started with a single image and it wasn’t even for sale.
As for the Wyvern contract, we don’t believe it’s as alarming as it seems. This was a single incident among thousands of successful transactions. If it were that easy to exploit, OpenSea wouldn’t be so open by now. Right now, it’s an ongoing investigation, so until we know more, your biggest concern is to secure your tokens and double-check your contracts.