$1.7 Million OpenSea Hack Explained
Saturday’s phishing attack stirred up the crypto audience: 32 users of OpenSea — one of the leading NFTs marketplaces — had their NFTs stolen, which turned out for a hacker to be $1.7 million revenue.
Over the weekend, OpenSea co-founder and CEO Devin Finzer reported that a hacker tricked 32 victims into signing a “malicious order” that allowed their NFTs to be transferred to the attacker for free.
The fact is that the attack occurred just as the platform was transitioning to the new Wyvern smart contract system. Therefore, it is likely that this could have been a vulnerability for users who were victims of the attack. At this point, however, the company says the attack appears to have come from outside OpenSea.
So what happened? OneArt figured out the inner side of the issue and prepared its technical run-down for you to not fall for.
Attack run-down: points to be aware of
The phishing in detail:
- A hacker created phishing mailing by clicking on which users signed malicious transactions;
- Under the guise of the OpenSea marketplace, he asked to sign the transactions;
- Inside the transaction, there was an approval for the transfer of token ownership.
Brief tech description
- The attacker made users sign a half-empty valid wyvern order (only target and calldata were filled in).
- The hacker then calls his contract with calldata and transfers calldata for all NFTs (target approved on the wyvern contract).
- The NFT address and transfer calldata are stored.
- The signed order is sent to the wyvern contract atomicMatch, which checks the validity of the order and the authenticity of the signatures on both the creator and the receiving side.
- As a result, having passed the verification process, the tokens ended up in the hacker’s legal (it would seem) possession.
The full in-depth description of the attack
- The signatures were valid
All malicious orders contain valid signatures from victim users. However, none of these orders were submitted to OpenSea at signing.
- Wyvern contract is supposed to be safer
The platform tells you that when you sign any “data-full message”, you are given a typed data payload referencing Wyvern, which can alert you that something unusual is happening.
- OpenSea is actively helping affected users
Even though the attack appears to have been carried out from outside OpenSea, the platform’s creators are trying to help the victims.
- Double-check what you’ve signed
Security cannot be guaranteed one hundred percent. In the crypto industry, it’s widespread to lose assets due to signing fake transactions/messages.
But there is a way out:
OneArt safety tip — check what you sign and the source of emails that come to your inbox. In case of suspicion — contact the service/platform you are using to protect your data timely.
Besides, try to follow the tips by Treasure Seeker: