Hackers Steal High-Value NFTs From OpenSea Users; Marketplace Investigating Multi-Million Dollar Exploit
KEY POINTS
- OpenSea users were in a tizzy Saturday night
- NFT holders on the platform reported their assets were stolen
- OpenSea is currently investigating the incident
OpenSea, the world's largest online marketplace for non-fungible tokens (NFTs), may be the victim of a hack executed by a hacker or a group of hackers whose goal is to steal and flip the high-value tokens held on the platform.
Multiple owners of high-value NFTs on OpenSea claimed that their assets were pulled out from under them by an unknown attacker Saturday night. This caused confusion and chaos in the broader NFT community, triggering a discussion about the hack on Twitter Space, which had over 3,800 listeners on the same night.
Users initially speculated that the cause was either the new OpenSea contract being hacked or users being hit by a phishing attack. The mechanism the malicious actor or actors used is unknown at the time of writing, but the NFT marketplace has already put up a red warning banner on its site.
"We are actively investigating rumors of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea's website. Do not click links outside of http://opensea.io," read the platform's Twitter account Saturday night.
A few hours later, OpenSea co-founder Devin Finzer provided an update on the situation and added that the incident stemmed from a phishing attack. "As far as we can tell, this is a phishing attack. We don’t believe it’s connected to the OpenSea website. It appears 32 users thus far have signed a malicious payload from an attacker, and some of their NFTs were stolen," he tweeted.
"The attack doesn’t appear to be active at this point — we haven’t seen any malicious activity from the attacker’s account in 2 hours. Some of the NFTs have been returned," Finzer said in a follow-up tweet. "We are not aware of any recent phishing emails that have been sent to users, but at this time we do not know which website was tricking users into maliciously signing messages," the co-founder further said.
So, what really happened and what caused this latest attack on the platform? Finzer suggested users look into a thread by a Twitter user who goes by the handle Nesotual, as the explanations in the posts were "consistent with our current internal understanding."
What Nesotual posted is a little technical, but here it goes: "Attacker had people sign half of a valid wyvern order, the order was basically empty except the target (attacker contract) and calldata, attacker signs other half of order." Then, "Attacker calls their own contract with calldata including the valid order AND address + transfer calldata for all the NFTs the target has approved on the wyvern (opensea) contract," they added.
The Twitter user also said that "The nft address + transfer calldata is saved then the signed order is sent to the wyvern contract atomicmatch, it checks the order is valid (it is) and signatures are correct for the maker and taker (they are)." Since "wyvern is past order validation, it calls the proxy contract your OS approvals are on, then that delegatecalls the target contract (attacker) with the calldata in the order (the target and calldata in most orders is the NFT you're buying/selling and the transferFrom call)," they explained on Twitter.
"In this case it goes back to a different function in the attacker contract that then loops the previously saved transfer calldata + token addresses in the context of the proxy contract that has the user approvals," the Twitter user further said. They also explained that "The wyvern contracts are extremely flexible, opensea validates orders on their frontend/api to ensure what you're signing will function as expected, but the same contracts can still be used by others with more complex orders like this that if you sign can take everything approved."
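The thread above describes why a signature on a "mostly empty" Wyvern order is dangerous: the only fields that matter to the exchange are the target contract and the calldata, and a delegatecall target runs its code with the signer's proxy approvals. The following is an added example, not code from OpenSea, Wyvern, the article or the Twitter thread: a pre-signature check that a wallet or marketplace front end could run over an order before asking the user to sign it. The order field names (target, howToCall, calldata, basePrice, maker, side), the Call/DelegateCall encoding of howToCall, the contract addresses and the sample orders are all constructed assumptions for the demonstration; the four-byte selectors are the standard ERC-721 transfer selectors.

```python
"""Pre-signature linter for a Wyvern-style exchange order (illustrative).

Order field names and the howToCall encoding are assumptions modelled on the
Wyvern order layout described in the article; addresses are constructed.
"""
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1        # assumed encoding of Wyvern's howToCall enum
SIDE_BUY, SIDE_SELL = 0, 1       # assumed encoding of the order side

# First 4 bytes of keccak256(signature) for the ERC-721 transfer methods
# that a normal listing would carry in its calldata.
TRANSFER_SELECTORS = {
    "23b872dd": "transferFrom(address,address,uint256)",
    "42842e0e": "safeTransferFrom(address,address,uint256)",
    "b88d4fde": "safeTransferFrom(address,address,uint256,bytes)",
}


@dataclass
class Order:
    maker: str
    side: int
    target: str
    how_to_call: int
    calldata: bytes
    base_price: int


@dataclass
class Finding:
    severity: str   # "critical" blocks signing, "warning" is shown to the user
    message: str


def _word_addr(word: bytes) -> str:
    """Extract a 20-byte address from a 32-byte ABI word."""
    return "0x" + word[12:].hex()


def decode_transfer(calldata: bytes):
    """Return (method, from, to, tokenId) for ERC-721 transfer calldata, else None."""
    if len(calldata) < 4 + 32 * 3:
        return None
    selector = calldata[:4].hex()
    if selector not in TRANSFER_SELECTORS:
        return None
    args = calldata[4:]
    return (TRANSFER_SELECTORS[selector], _word_addr(args[0:32]),
            _word_addr(args[32:64]), int.from_bytes(args[64:96], "big"))


def lint_order(order: Order, known_nft_contracts: set) -> list:
    """Flag the properties that made the phished orders dangerous to sign."""
    findings = []
    target = order.target.lower()
    if order.how_to_call == DELEGATECALL:
        # A delegatecall runs the target's code inside the user's proxy, i.e.
        # with every token approval the proxy holds.
        findings.append(Finding("critical",
                                "order delegatecalls its target; target code would run with the proxy's approvals"))
    elif target not in known_nft_contracts:
        findings.append(Finding("warning", f"target {order.target} is not a known NFT contract"))
    decoded = decode_transfer(order.calldata)
    if decoded is None:
        findings.append(Finding("critical", "calldata is not a recognised ERC-721 transfer call"))
    else:
        method, frm, _to, _token_id = decoded
        if order.side == SIDE_SELL and frm != order.maker.lower():
            findings.append(Finding("critical", f"{method} moves a token owned by {frm}, not by the signer"))
    if order.base_price == 0:
        findings.append(Finding("warning", "basePrice is 0: the signer receives nothing for this order"))
    return findings


def safe_to_sign(order: Order, known_nft_contracts: set) -> bool:
    return not any(f.severity == "critical" for f in lint_order(order, known_nft_contracts))


# --- constructed sample data (placeholder addresses, not real contracts) ---
MAKER = "0x" + "11" * 20
NFT_CONTRACT = "0x" + "22" * 20
UNKNOWN_CONTRACT = "0x" + "33" * 20
KNOWN_NFT_CONTRACTS = {NFT_CONTRACT}


def _addr_word(addr: str) -> bytes:
    return bytes(12) + bytes.fromhex(addr[2:])


# An ordinary sell listing: call the NFT contract's transferFrom for token 42.
LEGIT_ORDER = Order(
    maker=MAKER, side=SIDE_SELL, target=NFT_CONTRACT, how_to_call=CALL,
    calldata=bytes.fromhex("23b872dd") + _addr_word(MAKER) + bytes(32) + (42).to_bytes(32, "big"),
    base_price=10**18,
)

# An order shaped like the one in the thread: empty apart from an unknown
# delegatecall target and opaque calldata, and paying the signer nothing.
SUSPICIOUS_ORDER = Order(
    maker=MAKER, side=SIDE_SELL, target=UNKNOWN_CONTRACT, how_to_call=DELEGATECALL,
    calldata=bytes.fromhex("deadbeef") + bytes(96), base_price=0,
)

if __name__ == "__main__":
    for label, order in (("legit", LEGIT_ORDER), ("suspicious", SUSPICIOUS_ORDER)):
        print(label, "safe_to_sign =", safe_to_sign(order, KNOWN_NFT_CONTRACTS))
        for f in lint_order(order, KNOWN_NFT_CONTRACTS):
            print("   ", f.severity, "-", f.message)
```

The allowlist and the side/howToCall encodings are the parts a real integration would have to take from the exchange's actual ABI; the point of the check is that a signing prompt should refuse, rather than merely display, an order whose target is reached by delegatecall or whose calldata is not a transfer of the signer's own token.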
OpenSea is currently asking users who list NFTs on the platform to migrate to a new smart contract. This is meant to fix the problem of inactive listings that allow scammers to steal valuable NFTs from collectors.
OpenSea is one of the largest platforms for NFT trading today. It counts actor Ashton Kutcher and the venture capital firm Andreessen Horowitz as backers.
OpenSea has not yet responded to International Business Times' request for comment. This article will be updated as we learn more details.
Last month OpenSea raised $300 billion in a funding round, which valued it at $13.3 billion.
© Copyright IBTimes 2024. All rights reserved.