The major centralized NFT marketplace OpenSea has announced that an estimated $1.7 million of ETH was stolen in a weekend attack.
“This appears to be a phishing attempt, as far as we can determine. It does not seem to be linked to the OpenSea website. So far, it seems that 32 users have signed a malicious payload sent by an attacker, and some of their NFTs have been taken,” OpenSea CEO Devin Finzer stated in a series of tweets.
In subsequent tweets, Finzer denied claims that the NFT haul was worth up to $200 million and indicated that the number of victims had been reduced to 17 people.
“The attacker has $1.7 million in ETH in his wallet from the sale of part of the stolen NFTs,” he explained.
The lure was essentially an email: the attacker used HTML and a spoofed sender to make it look like an authorized message. With this trick, they can pose as any company's representative and use any email address they want.
They sent contract emails to victims and, once the victims had signed, completed the contract procedure by migrating the NFTs (non-fungible tokens) to their own address.
According to OpenSea, the hackers used “phishing,” in which a message is disguised to look like an official communication, to trick NFT owners into signing.
Comparison
The loss is minor compared to other high-profile thefts, such as the $322 million Wormhole bridge attack on Solana, which also exploited a smart contract weakness. However, it is an indication that such crime is growing more widespread: a recent Chainalysis analysis found that hackers nabbed $14 billion in cryptocurrency in 2021, an increase of 80 percent.
Persistent security flaws, several analysts have cautioned, might constitute a barrier to widespread crypto adoption because the burden is being passed on to the customer.
Wyvern Protocol
According to Hart Lambur, cofounder of the UMA protocol, the risk of smart contract-based attacks in decentralized finance is relatively high, particularly on nascent networks like Solana.
“Unfortunately, smart contract issues are a common concern with DeFi,” Lambur recently told Insider.
The OpenSea attack took advantage of the Wyvern Protocol, which underpins most NFT smart contract operations. Because the protocol is open source, the code is standard and freely available to the public.
According to a FAQ on the Wyvern Protocol website, there are three ways to authorize an order.
“Orders must always be allowed by the maker address, which is the owner of the proxy contract that will perform the call. Authorization can take three forms: signed message, pre-approval, and match-time approval.”
After reviewing the malicious orders, Hollander shared a technical rundown in a series of tweets. First, he noted that all of the malicious orders were genuine, meaning the NFT holders did sign an order somewhere at some point, though none of those orders were ever transmitted to OpenSea.
Put more simply, the OpenSea victims signed a partial contract for the NFT deal, granting the attacker broad authority but leaving much of it blank — akin to signing a blank check. As a result, the hackers could transfer ownership of the NFTs without having to pay anything.
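A defensive check along these lines, as an added example and not code from OpenSea or the Wyvern Protocol: a wallet-side review of an off-chain sell order before it is signed, flagging the fields that turn it into a blank check. The order layout, the exchange address and the sample orders are simplified constructions for illustration, not the real Wyvern order format.

```python
from dataclasses import dataclass

# Constructed illustration, not OpenSea or Wyvern code. The order layout is a
# simplified stand-in for a marketplace sell order: the real Wyvern order has
# more fields, but the review idea is the same: refuse to sign anything that
# leaves the payment or the validity window effectively blank.

ZERO_ADDRESS = "0x" + "00" * 20
ONE_YEAR = 365 * 24 * 3600
EXPECTED_EXCHANGE = "0xEXCHANGE_PLACEHOLDER"  # placeholder, not a real contract address


@dataclass
class SellOrder:
    exchange: str          # contract allowed to settle the order
    maker: str             # the signer (NFT owner)
    taker: str             # ZERO_ADDRESS means "anyone may fill"
    token_id: int
    base_price_wei: int    # what the maker receives when the order is filled
    expiration_time: int   # unix time; 0 means "never expires"


def review_order(order: SellOrder, now: int) -> list[str]:
    """Return the reasons this order looks like a blank check (empty = nothing obvious)."""
    findings = []
    if order.exchange.lower() != EXPECTED_EXCHANGE.lower():
        findings.append("exchange is not the marketplace contract you expect")
    if order.base_price_wei == 0:
        if order.taker == ZERO_ADDRESS:
            findings.append("price is zero and taker is open: anyone can take the NFT for free")
        else:
            findings.append("price is zero: the named taker gets the NFT for free")
    if order.expiration_time == 0 or order.expiration_time - now > ONE_YEAR:
        findings.append("no practical expiry: the signature can be submitted much later")
    return findings


# Constructed sample orders: an ordinary 1.5 ETH listing valid for a week,
# and a zero-price, never-expiring order of the kind the victims signed.
NOW = 1_645_000_000
HONEST = SellOrder(EXPECTED_EXCHANGE, "0xMAKER", ZERO_ADDRESS, 42,
                   1_500_000_000_000_000_000, NOW + 7 * 24 * 3600)
BLANK_CHECK = SellOrder(EXPECTED_EXCHANGE, "0xMAKER", ZERO_ADDRESS, 42, 0, 0)


def demo():
    return review_order(HONEST, NOW), review_order(BLANK_CHECK, NOW)
```

An empty finding list only means the obvious blank fields are filled in; the signer still has to verify the exchange address and the token against a trusted source.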
Who’s to blame?
As the name suggests, bad actors will always search for loopholes to exploit for access and money. When the NFT market boomed, it became a gold mine for them. So yes, it is the responsibility of both users and platforms to stay safe and secure.
From OpenSea's point of view, the industry has placed growing emphasis on not sharing seed words or submitting unknown transactions. Signing off-chain messages, however, deserves the same level of care.
But OpenSea users think that OpenSea should make the migration process much smoother, since they get errors most of the time.