$1.7M in NFTs stolen in apparent phishing attack on OpenSea users

On Saturday, attackers stole hundreds of NFTs from OpenSea users, sparking an overnight panic among the site’s wide user base. A spreadsheet compiled by blockchain security service PeckShield counted 254 tokens stolen during the attack, including tokens from Decentraland and Bored Ape Yacht Club.

The bulk of the attacks took place between 5 and 8 p.m. ET, targeting a total of 32 users. Molly White, who runs the blog Web3 is Going Great, estimated the value of the stolen tokens at more than $1.7 million.

The attack appears to have taken advantage of a flexibility in the Wyvern protocol, the open source standard underlying most NFT smart contracts, including those on OpenSea. An explanation (linked by CEO Devin Finzer on Twitter) described the attack in two parts: first, targets signed a partial contract, with a general authorization and large parts left blank. With the signature in place, attackers completed the contract with a call to their own contract, which transferred ownership of the NFTs without payment. Essentially, the targets of the attack had signed a blank check – and once it was signed, attackers filled in the rest of the check to take possession of the NFTs.
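The "blank check" analogy above comes down to signature scope: a signature only binds the fields that went into the signed digest, so anything left blank at signing time can be filled in later without invalidating it. The following is an added, simplified illustration written for this article; it is not the Wyvern protocol's real order schema or OpenSea's code. The field names, the constructed sample order, and the use of HMAC-SHA256 as a stand-in for a wallet's ECDSA signature are all assumptions made for the example. The defender-side point is the wallet guard, which refuses to sign an order that still has blanks, and the verifier that hashes every field.

```python
import hashlib
import hmac
import json

# Constructed demo key standing in for the seller's wallet key; HMAC-SHA256
# stands in for the ECDSA signature a real wallet would produce. Field names
# are illustrative and are not the Wyvern protocol's actual order schema.
SELLER_KEY = b"constructed-demo-seller-key"

ORDER_FIELDS = ("seller", "token", "price", "target", "calldata", "expiry")


def order_digest(order, fields=ORDER_FIELDS):
    """Canonical hash over the named fields of an order (missing -> null)."""
    payload = json.dumps({f: order.get(f) for f in fields}, sort_keys=True)
    return hashlib.sha256(payload.encode()).digest()


def sign(digest, key=SELLER_KEY):
    """Stand-in for the wallet signing a digest."""
    return hmac.new(key, digest, hashlib.sha256).digest()


def verify(digest, sig, key=SELLER_KEY):
    """A verifier only checks digest vs. signature, not who filled in the fields."""
    return hmac.compare_digest(sign(digest, key), sig)


def blank_fields(order):
    """Fields a wallet should insist on before signing: None, empty, or zero."""
    return [f for f in ORDER_FIELDS if order.get(f) in (None, "", 0)]


def safe_to_sign(order):
    """Wallet-side guard: never sign an order that still has blanks."""
    return not blank_fields(order)


# Constructed sample: the fields a user was shown vs. an order completed later.
PARTIAL = {"seller": "0xSELLER", "token": "EXAMPLE#1", "price": 0,
           "target": None, "calldata": None, "expiry": 0}
COMPLETED = dict(PARTIAL, price=1, target="0xOTHER_CONTRACT",
                 calldata="transfer", expiry=9999)


def blank_check_verifies():
    """A signature covering only the visible fields still verifies after completion."""
    visible = ("seller", "token")
    sig = sign(order_digest(PARTIAL, visible))
    return verify(order_digest(COMPLETED, visible), sig)


def full_digest_rejects_completion():
    """A signature over every field stops matching once any field changes."""
    sig = sign(order_digest(PARTIAL))
    return not verify(order_digest(COMPLETED), sig)
```

Running `blank_check_verifies()` returns `True`, which is the hazard the article describes; `full_digest_rejects_completion()` also returns `True`, and `safe_to_sign(PARTIAL)` returns `False`, which is the check a wallet or signing prompt should enforce before asking the user to approve anything.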

“I checked every transaction,” said a user who goes by Neso. “They all have valid signatures from the people who lost NFTs, so anyone who claims they weren’t phishing, but lost those NFTs is sadly wrong.”

Valued at $13 billion in a recent funding round, OpenSea has become one of the most valuable companies of the NFT boom, providing users with a simple interface to list, browse, and bid on tokens without interacting directly with the blockchain. That success came with significant security vulnerabilities, as the company struggled with attacks that used old contracts or poisoned tokens to steal users’ valuable assets.

OpenSea was updating its contract system when the attack occurred, but the company has denied that the attack originated with the new contracts. The relatively small number of targets makes such a vulnerability unlikely, as any flaw in the wider platform would likely be exploited on a much larger scale.

Still, many details of the attack remain unclear, most notably the method attackers used to get targets to sign the half-empty contract. Shortly before 3AM ET, OpenSea CEO Devin Finzer wrote on Twitter that the attacks had not originated from OpenSea’s website, its various listing systems, or any emails from the company. The rapid pace of the attack — hundreds of transactions in a matter of hours — suggests a common attack vector, but no link has been discovered so far.

“We’ll keep you posted as we learn more about the exact nature of the phishing attack,” Finzer said on Twitter. “If you have specific information that might be helpful, please DM @opensea_support.”

Emma Roth also contributed reporting.