$1.7 million in NFTs stolen in apparent phishing attack on OpenSea users

[ad_1]

On Saturday, attackers stole hundreds of NFTs from OpenSea users, causing a late-night panic among the site’s broad user base. A spreadsheet compiled by the blockchain security service PeckShield counted 254 tokens stolen over the course of the attack, including tokens from Decentraland and Bored Ape Yacht Club.

The bulk of the attacks took place between 5PM and 8PM ET, targeting 32 users in total. Molly White, who runs the blog Web3 is Going Great, estimated the value of the stolen tokens at more than $1.7 million.

The attack appears to have exploited a flexibility in the Wyvern Protocol, the open-source standard underlying most NFT smart contracts, including those made on OpenSea. One explanation (linked by CEO Devin Finzer on Twitter) described the attack in two parts: first, targets signed a partial contract, with a general authorization and large portions left blank. With the signature in place, attackers completed the contract with a call to their own contract, which transferred ownership of the NFTs without payment. In essence, targets of the attack had signed a blank check — and once it was signed, attackers filled in the rest of the check to take their holdings.

“I checked every transaction,” said the user, who goes by Neso. “They all have valid signatures from the people who lost NFTs so anyone claiming they didn’t get phished but lost NFTs is sadly wrong.”

Valued at $13 billion in a recent funding round, OpenSea has become one of the most valuable companies of the NFT boom, providing a simple interface for users to list, browse, and bid on tokens without interacting directly with the blockchain. That success has come with significant security issues, as the company has struggled with attacks that leveraged old contracts or poisoned tokens to steal users’ valuable holdings.

OpenSea was in the process of updating its contract system when the attack took place, but OpenSea has denied that the attack originated with the new contracts. The relatively small number of targets makes such a vulnerability unlikely, since any flaw in the broader platform would likely be exploited on a far greater scale.

Still, many details of the attack remain unclear — particularly the method attackers used to get targets to sign the half-empty contract. Writing on Twitter shortly before 3AM ET, OpenSea CEO Devin Finzer said the attacks had not originated from OpenSea’s website, its various listing systems, or any emails from the company. The rapid pace of the attack — hundreds of transactions in a matter of hours — suggests some common vector of attack, but so far no link has been discovered.

“We’ll keep you updated as we learn more about the exact nature of the phishing attack,” said Finzer on Twitter. “If you have specific information that could be useful, please DM @opensea_support.”

Emma Roth also contributed reporting.



[ad_2]

Source link

Related articles

Xbox Series X consoles are available for Best Buy’s Totaltech members

The Xbox Series X is sometimes a little easier to buy than Sony’s PlayStation 5, but that doesn’t mean it’s a simple endeavor. The good news is that Best Buy has...

Our Flag Means Death creator David Jenkins fancies a fine narrative fabric

For many people, Our Flag Means Death was an unexpected history lesson about the adventures of Stede Bonnet, the real 18th-century pirate who loved the high seas almost as much as...

How to change your default browser in Windows 11

If you’ve updated your PC from Windows 10 to Windows 11, you may have noticed that when you click on a link for a website, a PDF document, or a variety...

Fortnite’s Zero Build mode is bringing people back to the game

Fortnite’s latest season kicked off a big shakeup: developer Epic Games removed building, perhaps the game’s most iconic feature, from the core battle royale modes. It was a risky move that...

What Elon Musk’s Twitter ‘free speech’ promises miss

Thursday morning, Elon Musk offered to buy Twitter to save free speech. “I invested in Twitter as I believe in its potential to be the platform for free speech around the...

Latest articles