OpenSea's large user base was shaken by the theft of hundreds of NFTs by attackers on Saturday. The spreadsheet that was compiled by PeckShield, a blockchain security service, showed 254 tokens were stolen during the attack. This includes tokens from Decentraland Yacht Club and Bored Ape Yacht club.
The attacks targeted 32 people in total, with the majority taking place between 5 PM ET and 8 PM ET. Molly White, the blogger Web3 is Going Great estimated that the stolen tokens were worth more than $1.7 million.
It appears that the attack exploited a flexibility of the Wyvern Protocol. This open-source standard is the basis for most NFT smart contracts. One explanation, linked by Devin Finzer on Twitter, described the attack in two parts. First, the targets signed a partial agreement, which included a general authorization but large sections that were left unfilled. Once the signature was in place, attackers called to their contract and transferred ownership of NFTs without any payment. The attack targets had signed a blank cheque. Once that was done, attackers completed the contract with a call to their own contract, which transferred ownership of the NFTs without payment.
"I checked every transaction," stated the user who goes under Neso. "They all have valid signatures of the people who lost NFTs. Anyone claiming that they weren't phished is wrong but they lost NFTs are sadly mistaken."
OpenSea, valued at $13Billion in a recent funding round has made it the most valuable company of the NFT boom. It provides a simple interface that allows users to browse and bid on tokens, without having to interact directly with the blockchain. This success has been accompanied by significant security problems. The company has faced attacks using poisoned or old tokens to steal valuable user holdings.
OpenSea was updating its contract system at the time of the attack, but OpenSea denies that the attack originated from the new contracts. This vulnerability is unlikely because there are so few targets. Any flaws in the wider platform could be exploited on an even greater scale.
Many details about the attack are still unclear, including the methods used by the attackers to convince targets to sign the half-empty contracts. Devin Finzer, OpenSea CEO, stated that the attacks were not from OpenSea’s website, the various listing systems or any email from the company. It is possible that there may be a common vector to the attack as hundreds of transactions were done in just hours. However, no link has been found.
Finzer tweeted that "We'll keep you updated as we learn more regarding the exact nature of this phishing attack." "If you have any specific information that might be of use, please DM @opensea_support."