Hackers stole $1.7 Million in NFTs from OpenSea using Phishing Attacks.


Major centralized NFT marketplace OpenSea has announced that an estimated $1.7 Million of ETH was stolen in a weekend attack.

“This appears to be a phishing attempt, as far as we can determine. It does not seem to be linked to the OpenSea website. So far, it seems that 32 users have signed a malicious payload sent by an attacker, and some of their NFTs have been taken,” OpenSea CEO Devin Finzer stated in a series of tweets.

In subsequent tweets, Finzer denied claims that the NFT haul was worth up to $200 million and indicated that the number of victims had been reduced to 17 people.
“The attacker has $1.7 million in ETH in his wallet from the sale of part of the stolen NFTs,” he explained.

The Dive
The thieves fooled OpenSea users into partially signing smart-contract orders that authorized the trades. The attack took place on Saturday between 5 and 8 p.m. ET and was carried out over Gmail using a sender-spoofing trick known as DEEP FAKE emails.

Such a message is an ordinary email, but the attacker uses HTML and a masked sender address to make it look like legitimate mail from the company. With this trick they can pose as any company's representative and display any sender address they want.
They sent contract emails to the victims and, once the victims had signed, completed the contract procedure by migrating the NFTs, or non-fungible tokens, to their own address.
According to OpenSea, the hackers used “phishing,” in which a message is disguised to look like an official communication, to trick NFT owners into signing.

Comparison
The loss is minor compared to other high-profile thefts, such as the $322 million Wormhole bridge attack on Solana, which also exploited a smart contract weakness. However, it is a sign that such crime is growing more widespread: a recent Chainalysis analysis found that hackers stole $14 billion in cryptocurrency in 2021, an increase of 80 percent.
Several analysts have cautioned that persistent security flaws could become a barrier to widespread crypto adoption, because the risk is being passed on to the customer.

Wyvern Protocol
According to Hart Lambur, cofounder of the UMA protocol, the risk of smart contract-based attacks in decentralized finance is relatively high, particularly on young networks like Solana.
“Unfortunately, smart contract issues are a common concern with DeFi,” Lambur recently told Insider.
The OpenSea attack made use of the Wyvern Protocol, which underpins most NFT smart contract procedures. Because the protocol is open source, its code is standardized and freely available to the public.
According to a FAQ on the Wyvern Protocol website, there are three ways to authorize an order.

“Orders must always be allowed by the maker address, which is the owner of the proxy contract that will perform the call. Authorization can take three forms: signed message, pre-approval, and match-time approval.”

After reviewing the malicious orders, Nadav Hollander shared a technical rundown in a thread of tweets. First, he noted that all of the malicious orders were genuine, meaning the NFT holders had signed an order at some point, though none of those orders were ever transmitted to OpenSea.

https://twitter.com/NadavAHollander/status/1495509511179755530

All in a simpler form, the OpenSea victims signed a partial contract for the NFT deal, granting the attacker broad authority but leaving much of it blank — akin to signing a blank check. As a result, the hackers could transfer ownership of the NFTs without having to pay anything.
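To make the “blank check” concrete, here is an added illustration that is not OpenSea's, Wyvern's or Hollander's code: a simplified order with an assumed subset of Wyvern-style fields, where a blank taker, a zero price and no expiry let anyone fill the signed order for nothing, plus the warnings a wallet should surface before asking for such a signature. SHA3-256 and an HMAC stand in for keccak-256 and the maker's ECDSA signature so the example runs with the standard library; all keys and addresses are constructed.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict

ZERO_ADDR = "0x" + "0" * 40  # conventionally "no one in particular"

@dataclass(frozen=True)
class Order:
    # Simplified, assumed subset of a Wyvern-style order (not the real ABI).
    maker: str
    taker: str            # ZERO_ADDR lets any counterparty fill the order
    target: str           # contract the maker's proxy will call
    base_price: int       # price in wei; 0 means the asset moves for free
    expiration_time: int  # unix time; 0 means the order never expires
    salt: int

def order_hash(order: Order) -> bytes:
    # Canonical serialisation hashed with SHA3-256 (stand-in for keccak-256).
    return hashlib.sha3_256(json.dumps(asdict(order), sort_keys=True).encode()).digest()

def sign(order: Order, maker_key: bytes) -> str:
    # HMAC stands in for the maker's ECDSA signature over the order hash.
    return hmac.new(maker_key, order_hash(order), "sha256").hexdigest()

def can_fill(order: Order, sig: str, maker_key: bytes, filler: str) -> bool:
    # An exchange accepts the order if the signature matches and the filler
    # is either the named taker or, when the taker is blank, anybody at all.
    sig_ok = hmac.compare_digest(sig, sign(order, maker_key))
    return sig_ok and order.taker in (ZERO_ADDR, filler)

def blank_check_flags(order: Order) -> list[str]:
    """Warnings a wallet should surface before asking the user to sign."""
    flags = []
    if order.taker == ZERO_ADDR:
        flags.append("open taker: anyone can fill this order")
    if order.base_price == 0:
        flags.append("zero price: the asset transfers for nothing")
    if order.expiration_time == 0:
        flags.append("no expiry: the order stays fillable indefinitely")
    return flags

# Constructed samples: what the victims effectively signed, and a safe order.
MAKER_KEY = b"constructed-victim-key"
BLANK_CHECK = Order(maker="0x" + "a" * 40, taker=ZERO_ADDR, target="0x" + "b" * 40,
                    base_price=0, expiration_time=0, salt=1)
SAFE_ORDER = Order(maker="0x" + "a" * 40, taker="0x" + "c" * 40, target="0x" + "b" * 40,
                   base_price=10**18, expiration_time=1_700_000_000, salt=2)
```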

Who’s to blame?
As the name suggests, bad actors will always search for loopholes to exploit for access and money. When the NFT market bloomed, it was a gold mine for them. So yes, it is both users' and platforms' responsibility to stay safe and secure.

From OpenSea's point of view, the industry has put growing emphasis on never sharing seed phrases or submitting unknown transactions; signing off-chain messages deserves the same level of care.
OpenSea users, on the other hand, argue that OpenSea should make the migration process much smoother, as it produces errors most of the time.
