Attackers phish $1.7 million in NFTs

OpenSea is one of many marketplaces that have sprung up to support the growing trade in NFTs


Although users were quick to blame NFT marketplace OpenSea, the attacks have been traced to a weakness in the smart-contract system underpinning the tokens

Attackers have stolen hundreds of NFTs, estimated to be worth more than $1.7 million according to Web3 critic Molly White, from users of NFT marketplace OpenSea.

The attack took place early on Sunday morning GMT and targeted 32 users in all through a phishing scam that apparently leveraged a vulnerability in the Wyvern Protocol: the open-source standard that supports most NFT contracts.

Devin Finzer, CEO of OpenSea, confirmed that the company believed it to be a phishing attack and linked to a Twitter thread with more details. According to that explanation, the attacker(s) convinced targets to sign a partial Wyvern order (aka contract) that was 'basically empty' aside from a general authorisation. They could then complete the order with a call to their own contract, which transferred ownership of the NFTs without payment.
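The mechanism described above is the reason wallets and marketplace front-ends should refuse to sign an order whose substantive fields are blank. The following is an added example, not code from the article, from OpenSea or from the Wyvern project: a wallet-side pre-signature check over a simplified, hypothetical order layout (the field names `maker`, `taker`, `target`, `calldata`, `base_price` and `expiration_time` are chosen for illustration and are not claimed to match the real Wyvern order struct). It flags the properties that turn a signed order into a blank cheque: no target contract, empty calldata, zero price, no expiry, and an open taker combined with empty calldata.

```python
"""Pre-signature sanity check for marketplace orders.

Added example, not code from the article or from OpenSea/Wyvern. The Order
fields below are a simplified, hypothetical layout used for illustration only.
"""
from dataclasses import dataclass
from typing import List

ZERO_ADDRESS = "0x" + "0" * 40


@dataclass
class Order:
    maker: str            # address whose signature authorises the order
    taker: str            # counterparty; ZERO_ADDRESS means "anyone may fill"
    target: str           # contract the order will call when it is filled
    calldata: bytes       # encoded call that actually moves the asset
    base_price: int       # price in wei; 0 means the asset moves for free
    expiration_time: int  # unix timestamp; 0 means the order never expires


def blank_cheque_findings(order: Order) -> List[str]:
    """Return human-readable reasons why this order should not be signed.

    An empty list means every field that binds the order to a specific
    transfer, price and lifetime has been filled in by the maker.
    """
    findings = []
    if order.target == ZERO_ADDRESS:
        findings.append("no target contract: the filler decides which contract is called")
    if len(order.calldata) == 0:
        findings.append("empty calldata: the asset transfer is left for the filler to define")
    if order.base_price == 0:
        findings.append("zero price: assets would change hands without payment")
    if order.expiration_time == 0:
        findings.append("no expiry: the signature stays valid indefinitely")
    if order.taker == ZERO_ADDRESS and len(order.calldata) == 0:
        findings.append("open taker with empty calldata: anyone can fill and complete the order")
    return findings


def safe_to_sign(order: Order) -> bool:
    """True only when the order carries no blank-cheque findings."""
    return not blank_cheque_findings(order)


# Constructed sample data (addresses and values are placeholders, not real).
MAKER = "0x" + "11" * 20
NFT_CONTRACT = "0x" + "22" * 20

# An ordinary fixed-price listing: open to any buyer, but the call, price and
# expiry are all pinned down by the maker.
NORMAL_LISTING = Order(
    maker=MAKER,
    taker=ZERO_ADDRESS,
    target=NFT_CONTRACT,
    calldata=bytes.fromhex("23b872dd") + b"\x00" * 96,  # placeholder transferFrom-style payload
    base_price=10**18,          # 1 ETH in wei
    expiration_time=1_700_000_000,
)

# The "basically empty" order from the article: only the maker is set.
BLANK_ORDER = Order(
    maker=MAKER,
    taker=ZERO_ADDRESS,
    target=ZERO_ADDRESS,
    calldata=b"",
    base_price=0,
    expiration_time=0,
)

if __name__ == "__main__":
    for name, order in (("normal listing", NORMAL_LISTING), ("blank order", BLANK_ORDER)):
        verdict = "OK to sign" if safe_to_sign(order) else "REFUSE"
        print(f"{name}: {verdict}")
        for reason in blank_cheque_findings(order):
            print(f"  - {reason}")
```

The check runs before the user is shown a signing prompt, so a wallet can present the reasons in plain language instead of an opaque hex blob; the normal listing passes, while the near-empty order is refused with five findings.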

Although early explanations for the theft pointed to technical issues, it now appears that human behaviour, i.e. phishing, is the most likely cause. As user Neso, who uncovered the smart contract exploit, explained: "I checked every [transaction], they all have valid signatures from the people who lost NFTs so anyone claiming they didn't get phished but lost NFTs is sadly wrong."

There are still questions around how the attack began and how the attackers convinced OpenSea users to sign the 21st-century equivalent of a blank cheque. Finzer insists the attacks didn't originate from his company's website, listing systems or emails, but the scale and speed suggest there must be a common vector. Several users and security researchers have suggested that the attackers took advantage of a contract migration OpenSea is currently pushing through, reusing a template email from OpenSea and resending it to the victims.

The story doesn't stop there - in fact, it gets weirder. Hours later, the attacker returned some of the NFTs to their original owners, and one victim received 50 Ethereum (worth about $134,000) in addition. They later transferred 1,115 ETH (worth nearly $3 million) to a cryptocurrency tumbler.
