$1.7 million in NFTs stolen on a phishing attack on OpenSea users



254 tokens were stolen over roughly three hours. On Saturday, attackers stole hundreds of NFTs from OpenSea users, causing a late-night panic among the site's broad user base. Security service PeckShield counted 254 tokens stolen over the course of the attack, including tokens from Decentraland and Bored Ape Yacht Club. The bulk of the attacks took place between 5:00 PM and 8:00 PM Eastern Time, targeting 32 users in total. The estimated value of the stolen tokens was more than $1.7 million, according to Molly White, who runs the blog “web3 is going great”.

“THEY ALL HAVE VALID SIGNATURES”

The attack exploited flexibility in the Wyvern Protocol, the open-source standard underlying most NFT smart contracts, including those made on OpenSea. CEO Devin Finzer explained on Twitter that this attack was carried out in two parts:

Targets signed a partial contract that granted a general authorization, with large portions left blank. After the signature was obtained, attackers completed the contract with a call to their own contract, which transferred ownership of the NFTs without payment. In effect, the targets had signed a blank check; once it was signed, the attackers filled in the rest of the details and took their holdings.
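The "blank check" described above can be caught before signing by refusing any request that leaves security-relevant fields unbound. The sketch below is an added example, not code from OpenSea or the Wyvern Protocol; the field names (`counterparty`, `targetContract`, `callData`, `price`) and both sample orders are hypothetical and constructed for illustration.

```javascript
// Added example: a wallet-side pre-signing check. Field names are hypothetical
// and do not reproduce the Wyvern order schema.
const ZERO_ADDRESS = "0x" + "0".repeat(40);

const isBlankAddress = (v) => !v || v.toLowerCase() === ZERO_ADDRESS;

// Each rule names a field that, if left blank, is decided by someone else
// after the signature has already been given.
const RULES = [
  { field: "counterparty", blank: isBlankAddress,
    why: "anyone may complete this order" },
  { field: "targetContract", blank: isBlankAddress,
    why: "the contract to be called is not fixed" },
  { field: "callData", blank: (v) => !v || v === "0x",
    why: "the call to be made (for example a transfer) is not fixed" },
  { field: "price", blank: (v) => v === undefined || v === null || BigInt(v) === 0n,
    why: "no payment is required in return" },
];

// Returns which fields the signer would be leaving open, and why that matters.
function reviewSigningRequest(order) {
  const findings = RULES
    .filter((rule) => rule.blank(order[rule.field]))
    .map((rule) => ({ field: rule.field, why: rule.why }));
  return { safeToSign: findings.length === 0, findings };
}

// Constructed sample: every field the signer cares about is bound.
const completeListing = {
  counterparty: "0x1111111111111111111111111111111111111111",
  targetContract: "0x2222222222222222222222222222222222222222",
  callData: "0xabcdef01",
  price: "1500000000000000000",
};

// Constructed sample: a general authorization with the rest left blank.
const blankCheck = {
  counterparty: ZERO_ADDRESS,
  targetContract: ZERO_ADDRESS,
  callData: "0x",
  price: "0",
};

console.log(reviewSigningRequest(completeListing));
console.log(reviewSigningRequest(blankCheck));
```

A valid signature on the second request proves only that the holder signed it, not that they agreed to whatever was filled in afterwards, which is why the check has to run before the signature is produced.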

A user who goes by Neso said that they tracked every transaction and that they all have valid signatures from the people who lost NFTs. So someone claiming that they did not get phished but lost NFTs is wrong.

OpenSea has become one of the most valuable companies after the NFT boom and the hype surrounding it. It provides a very simple interface for users to list, browse and bid on tokens without interacting directly with the blockchain, which makes it very easy for a newcomer to get started. But the company's success has come with many significant security issues, as it has struggled with big attacks that leveraged all contracts or poison tokens to steal valuable holdings.

Many details of the attack remained unclear, particularly the method the attackers used to get the targets to sign the half-empty contract. Writing on Twitter shortly before 3:00 AM Eastern Time, OpenSea CEO Devin Finzer said that the attacks had not originated from the OpenSea end. The rapid pace of the attack, with hundreds of transactions in a matter of hours, does suggest some common vector of attack, but no link has been discovered yet.
