Pirates Go Phishing On The OpenSea Marketplace, Raid Over $1.7M From Users
In what is turning into a continuing theme for 2022, attackers have stolen hundreds of NFTs from 32 OpenSea accounts valued at over $1.7 million by taking advantage of a weakness in the smart contract network that supports OpenSea.
By Andrew Senior
February 21st, 2022
Devin Finzer, CEO of OpenSea, pointed to a phishing attack as the culprit and provided a link to a Twitter thread containing additional details. The attack, which occurred during the morning of Sunday February 21, was achieved by convincing the 32 targeted accounts to sign a partial Wyvern order (Wyvern being the open-source standard that supports most NFT contracts). The order was in reality an empty shell granting general authorization, which let the scammers complete it with a call of their own and transfer ownership of the NFTs without any payment.
“For more technical context, this thread [below] is consistent with our current internal understanding.” — Devin Finzer (dfinzer.eth) (@dfinzer) February 20, 2022
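To make the "empty shell" concrete, here is an added example (not code from the article, OpenSea or the Wyvern project) of a wallet-side sanity check a user or dapp could run over a Wyvern-style order before signing it. The field names follow the public Wyvern order layout; the warning thresholds and both sample orders are constructed assumptions.

```javascript
// Added example: pre-signature audit of a Wyvern-style order.
// Field names (maker, taker, target, calldata, paymentToken, basePrice,
// expirationTime) follow the Wyvern order struct; thresholds are assumptions.
const ZERO_ADDRESS = "0x0000000000000000000000000000000000000000";

// Returns an array of warning codes; an empty array means nothing suspicious.
function auditOrder(order, nowSeconds) {
  const findings = [];
  // A sale that moves an asset for nothing is the hallmark of a blank-order phish.
  if (BigInt(order.basePrice) === 0n) findings.push("zero-price");
  // The order should name a specific asset contract, not a placeholder.
  if (!order.target || order.target.toLowerCase() === ZERO_ADDRESS) findings.push("empty-target");
  // No calldata means the signer is not committing to any concrete transfer.
  if (!order.calldata || order.calldata === "0x") findings.push("empty-calldata");
  // Orders without an expiry stay valid until cancelled on-chain.
  if (Number(order.expirationTime) === 0) findings.push("no-expiration");
  else if (Number(order.expirationTime) - nowSeconds > 365 * 24 * 3600) findings.push("long-expiration");
  return findings;
}

// Constructed sample orders (placeholder addresses, not real transactions).
const NOW = 1645300000; // roughly Feb 2022, used for the expiry check
const legitimateListing = {
  maker: "0x1111111111111111111111111111111111111111",
  taker: ZERO_ADDRESS, // open to any buyer, normal for a public listing
  target: "0x2222222222222222222222222222222222222222", // NFT contract
  calldata: "0x23b872dd" + "00".repeat(96), // transferFrom selector + 3 args
  paymentToken: ZERO_ADDRESS, // ETH
  basePrice: "1500000000000000000", // 1.5 ETH in wei
  expirationTime: String(NOW + 7 * 24 * 3600),
};
const blankOrder = {
  maker: "0x1111111111111111111111111111111111111111",
  taker: ZERO_ADDRESS,
  target: ZERO_ADDRESS,
  calldata: "0x",
  paymentToken: ZERO_ADDRESS,
  basePrice: "0",
  expirationTime: "0",
};

// A wallet would refuse (or loudly warn on) any order with findings.
function shouldBlockSigning(order, nowSeconds) {
  return auditOrder(order, nowSeconds).length > 0;
}
```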
While initial explanations for the theft pointed to technical issues, human behaviour in the form of phishing now seems to be the cause. The OpenSea user Neso, who was the first to call attention to the smart contract exploit, posted that,
“I checked every [transaction], they all have valid signatures from the people who lost NFTs so anyone claiming they didn’t get phished but lost NFTs is sadly wrong.”
A litany of questions remains in the wake of the latest scam: how the attack started, how the OpenSea users were convinced by the scammers to sign an empty contract granting account access to a third party, and what safeguards will be put in place to protect against future attacks. Finzer is insisting to users that the attacks originated from outside the company’s website, but the scale, efficiency, and overall speed of the attack suggest there is more at play.