Hackers stole $1.7 Million in NFTs from OpenSea using Phishing Attacks.


Major Central NFT marketplace OpenSea has announced that an estimated $1.7 Million of ETH was stolen in a weekend attack.

“This appears to be a phishing attempt, as far as we can determine. It does not seem to be linked to the OpenSea website. So far, it seems that 32 users have signed a malicious payload sent by an attacker, and some of their NFTs have been taken,” OpenSea CEO Devin Finzer stated in a series of tweets.

In subsequent tweets, Finzer denied claims that the NFT haul was worth up to $200 million and revised the number of victims down to 17 people.
“The attacker has $1.7 million in ETH in his wallet from the sale of part of the stolen NFTs,” he explained.

The Dive
The thieves fooled OpenSea users into partially signing smart-contract orders that authorized the trades. The attack took place on Saturday between 5 and 8 p.m. ET and was delivered over Gmail using spoofed, so-called “deep fake” emails.

Such a message is an ordinary email, but the attacker uses HTML and sender masking to make it look like legitimate mail from an authorized party. With this trick, they can pose as any company's representative and use whatever sender address they want.
They sent the contract emails to the victims, then completed the contract on their end by migrating the NFTs, or non-fungible tokens, to their own address.
According to OpenSea, the hackers relied on “phishing,” in which a forged communication is dressed up to look like an official one, to trick NFT owners into signing.
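The paragraph above describes a spoofed HTML email: a forged sender identity plus a link whose visible text differs from its real destination. The script below is an added example, not code from the article or from OpenSea, showing the header and link consistency checks a mail gateway or user-side filter can run. The raw message is constructed for the example; the domains `opensea-contract.example.net` and `mail-relay.example.net` are placeholders, and `opensea.io` appears only as the impersonated brand domain.

```python
"""Audit a raw email for sender spoofing and deceptive links (constructed sample)."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: visible From claims the marketplace, but the envelope
# sender, Reply-To, authentication results and the link target all disagree.
SPOOFED_EMAIL = b"""Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "OpenSea Support" <support@opensea.io>
Reply-To: migrate@opensea-contract.example.net
To: holder@example.com
Subject: Action required: migrate your listings
Content-Type: text/html; charset=utf-8

<html><body>
<p>Sign the attached order to migrate your NFTs.</p>
<a href="https://opensea-contract.example.net/sign">https://opensea.io/migrate</a>
</body></html>
"""

# Constructed control: every header agrees and the link is honest.
CLEAN_EMAIL = b"""Return-Path: <bounce@opensea.io>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=opensea.io; dkim=pass header.d=opensea.io
From: "OpenSea" <noreply@opensea.io>
To: holder@example.com
Subject: Your listing was viewed
Content-Type: text/html; charset=utf-8

<html><body><a href="https://opensea.io/account">https://opensea.io/account</a></body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(header_value):
    """Extract the lower-cased domain from an address header (empty if absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def audit_message(raw_bytes):
    """Return a list of findings; an empty list means no spoofing indicators."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    from_domain = domain_of(msg["From"])

    # 1. Envelope sender and Reply-To should match the visible From domain.
    for header in ("Return-Path", "Reply-To"):
        other = domain_of(msg[header])
        if other and other != from_domain:
            findings.append(f"{header} domain {other} differs from From domain {from_domain}")

    # 2. SPF and DKIM results as recorded by the receiving MTA.
    auth = str(msg["Authentication-Results"] or "").lower()
    if "spf=pass" not in auth:
        findings.append("SPF did not pass")
    if "dkim=pass" not in auth:
        findings.append("DKIM did not pass")

    # 3. Links whose visible text names a different host than the real href.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown_host = urlparse(text).hostname if text.startswith("http") else None
            real_host = urlparse(href).hostname
            if shown_host and real_host and shown_host != real_host:
                findings.append(f"link text shows {shown_host} but points to {real_host}")
    return findings


if __name__ == "__main__":
    for finding in audit_message(SPOOFED_EMAIL):
        print("FINDING:", finding)
```

Run against the spoofed sample it reports five findings (two domain mismatches, failed SPF, missing DKIM, and the deceptive link); the clean control reports none. None of these checks prove a message is malicious on their own, which is why they are returned as a list for scoring rather than as a single verdict.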

Comparison
The loss is minor compared to other high-profile thefts, such as Solana’s $322 million Wormhole bridge attack, which also exploited a smart contract weakness. However, it is an indication that such crime is growing more widespread, as revealed by a recent Chainalysis analysis, which found hackers nabbed $14 billion in cryptocurrency in 2021, an increase of 80 percent.
Several analysts have cautioned that persistent security flaws might constitute a barrier to widespread crypto adoption, because the burden is being passed on to the customer.

Wyvern Protocol
According to Hart Lambur, cofounder of the UMA protocol, the risk of smart contract-based attacks in decentralized finance is relatively high, particularly on young networks like Solana.
“Unfortunately, smart contract issues are a common concern with DeFi,” Lambur recently told Insider.
The OpenSea attack made use of the Wyvern Protocol, which underpins most NFT smart contract procedures. Because the protocol is open source, the code is standard and freely available to the public.
According to a FAQ on the Wyvern Protocol website, there are three ways to authorize an order.

“Orders must always be allowed by the maker address, which is the owner of the proxy contract that will perform the call. Authorization can take three forms: signed message, pre-approval, and match-time approval.”

After reviewing the malicious orders, Nadav Hollander shared a technical rundown in a thread of tweets. First, he noted that all of the malicious orders carried valid signatures, meaning NFT holders did sign an order somewhere at some point, though none of those orders were transmitted to OpenSea.

https://twitter.com/NadavAHollander/status/1495509511179755530

In simpler terms, the OpenSea victims signed a partial contract for the NFT deal, granting the attacker broad authority but leaving much of it blank, akin to signing a blank check. As a result, the hackers could transfer ownership of the NFTs without having to pay anything.
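To make the "blank check" concrete, the following toy model is an added example and is not the article's, OpenSea's or Wyvern's code. It models a signed-message sell order (one of the three authorization forms quoted from the Wyvern FAQ above) whose taker and price are left blank, a match routine that performs the essential settlement checks, and the wallet-side audit that would have flagged such an order before signing. HMAC with the maker's secret stands in for ECDSA, the addresses and key material are constructed, and the 30-day expiry threshold in `audit_before_signing` is an assumed policy, not a protocol rule.

```python
"""Toy off-chain signed order: how blank fields become a free transfer, and how to refuse to sign one."""
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict

# In this toy model the zero address in the taker field means "anyone may fill".
ZERO_ADDRESS = "0x0000000000000000000000000000000000000000"
DAY = 24 * 3600


@dataclass(frozen=True)
class SellOrder:
    maker: str        # NFT owner who signs the order
    taker: str        # counterparty; ZERO_ADDRESS leaves it open to anyone
    token_id: int
    price_wei: int    # 0 means the maker asks for nothing in return
    expiry: int       # unix time after which the order is void


def order_hash(order):
    """Canonical hash of the order fields (stand-in for a typed-data hash)."""
    return hashlib.sha256(json.dumps(asdict(order), sort_keys=True).encode()).hexdigest()


def sign_order(order, maker_key):
    """Toy signature: HMAC with the maker's secret stands in for ECDSA."""
    return hmac.new(maker_key, order_hash(order).encode(), hashlib.sha256).hexdigest()


def verify_signature(order, sig, maker_key):
    return hmac.compare_digest(sign_order(order, maker_key), sig)


class ToyExchange:
    """Holds token ownership and settles signed sell orders at match time."""

    def __init__(self, owners, keys):
        self.owners = dict(owners)   # token_id -> owner address
        self.keys = keys             # address -> key; stands in for signer recovery
        self.balances = {}           # address -> wei received

    def atomic_match(self, sell, sig, taker, payment_wei, now):
        if not verify_signature(sell, sig, self.keys[sell.maker]):
            raise ValueError("bad signature")
        if now > sell.expiry:
            raise ValueError("expired")
        if sell.taker != ZERO_ADDRESS and sell.taker != taker:
            raise ValueError("wrong taker")
        if payment_wei < sell.price_wei:
            raise ValueError("underpaid")
        if self.owners.get(sell.token_id) != sell.maker:
            raise ValueError("maker no longer owns token")
        # Every check passed: the NFT moves and whatever was paid is credited.
        self.owners[sell.token_id] = taker
        self.balances[sell.maker] = self.balances.get(sell.maker, 0) + payment_wei
        return True


def try_match(exchange, sell, sig, taker, payment_wei, now):
    """Return 'ok' or the reason the match was rejected."""
    try:
        exchange.atomic_match(sell, sig, taker, payment_wei, now)
        return "ok"
    except ValueError as err:
        return str(err)


def audit_before_signing(order, now):
    """Wallet-side checks: list the ways this order behaves like a blank check."""
    problems = []
    if order.price_wei == 0:
        problems.append("price is zero")
    if order.taker == ZERO_ADDRESS:
        problems.append("taker is open to anyone")
    if order.expiry - now > 30 * DAY:   # assumed policy threshold
        problems.append("expiry more than 30 days out")
    return problems


def demo():
    """Victim signs a blank order; anyone can later fill it for free."""
    victim, attacker = "0xVICTIM", "0xATTACKER"          # constructed addresses
    keys = {victim: b"victim-secret", attacker: b"attacker-secret"}
    exchange = ToyExchange({42: victim}, keys)
    now = 1_645_000_000
    blank = SellOrder(victim, ZERO_ADDRESS, 42, 0, now + 365 * DAY)
    sig = sign_order(blank, keys[victim])                 # signed believing it is a migration step
    # Later, the holder of the signed message names itself as taker and pays nothing.
    result = try_match(exchange, blank, sig, attacker, 0, now + 3600)
    return result, exchange.owners[42], exchange.balances.get(victim, 0), audit_before_signing(blank, now)


if __name__ == "__main__":
    print(demo())
```

The settlement logic is not wrong: the signature is valid, the order has not expired and the payment satisfies the stated price of zero, which is exactly Hollander's point that the orders were genuine. The defence therefore belongs before signing, where `audit_before_signing` exposes the three fields that turn an order into a blank check.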

Who’s to blame?
As the name suggests, bad actors will always search for loopholes to exploit for access and money. When the NFT market bloomed, it became a gold mine for them. So yeah, it’s both our and the platforms’ responsibility to stay safe and secure.

From OpenSea’s point of view, the industry has put growing emphasis on not sharing seed words or submitting unknown transactions. Signing off-chain messages deserves the same level of care.
OpenSea users, on the other hand, think OpenSea should make the migration process much smoother, as they get errors most of the time.
