OpenSea, one of the most popular and well-known NFT marketplaces, suffered an attack, most likely a phishing campaign, that compromised 32 accounts and resulted in the theft of 254 tokens in total. The stolen tokens included pieces from collections that currently trade at very high prices, among them Bored Ape Yacht Club and Azuki; by one estimate the haul amounts to 641 ETH, roughly $1.7 million at the time.
The incident took place on Saturday, February 19. OpenSea began investigating immediately and said it did not believe the attack stemmed from a flaw in the site's own code. Several outside researchers, however, described the picture as more complicated: the attacker appears to have abused a legitimate feature of the Wyvern Protocol, an open-source order-matching standard used by many Ethereum-based platforms to manage their exchange contracts.
Panic spread on February 19 as a handful of users saw valuable NFTs drained from their wallets without knowing why, and many others feared they would be next. Early explanations blamed the new contract OpenSea had just rolled out, or an airdrop from a new NFT marketplace called X2Y2. People urged NFT owners to revoke the token approvals they had granted to both the OpenSea contract and X2Y2 until more was known, although one of the most popular websites for doing so went down shortly afterwards under the traffic.
OpenSea: huge theft of over $1.7 million of NFTs over the weekend
Many details of the attack remain to be clarified; however, it appears that users were led to sign a partial order that authorized the transfer of their NFTs without the corresponding transfer of ETH to them. OpenSea CEO and co-founder Devin Finzer confirmed that this hypothesis is consistent with the early findings of the internal investigation, which is still ongoing.
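The failure mode described above, a signed order that moves the NFT but carries no ETH leg, is something a wallet or a user-side tool can check for before the signature is ever produced. The following Python is an added example written for this article, not OpenSea's or the Wyvern project's code: it inspects an EIP-712 typed-data payload shaped like a Wyvern Order (field names taken from the Wyvern Order struct) and flags a zero basePrice on a sell order, a missing expiry, a maker that is not the signing wallet, and an exchange contract that differs from the one the user expects. Every address, timestamp and sample payload in it is a constructed placeholder.

```python
"""Pre-signature review of a Wyvern-style EIP-712 "Order" payload.

Added example for this article; not OpenSea's or Wyvern's code. Field
names follow the Wyvern Order struct (exchange, maker, taker, side,
paymentToken, basePrice, listingTime, expirationTime). All addresses
and timestamps below are made-up placeholders, and the sample payloads
are constructed for illustration.
"""

ZERO_ADDRESS = "0x" + "00" * 20
SIDE_BUY, SIDE_SELL = 0, 1   # Wyvern: 0 = buy order, 1 = sell order


def _addr_eq(a, b):
    """Case-insensitive address comparison (checksum casing varies by wallet)."""
    return str(a).lower() == str(b).lower()


def review_order(typed_data, expected_exchange, my_address, now):
    """Return human-readable warnings for a payload a wallet is about to sign.

    An empty list means nothing looked off. `expected_exchange` is the
    exchange contract the user actually means to list on; `now` is the
    current unix time used for the expiry check.
    """
    warnings = []
    domain = typed_data.get("domain", {})
    msg = typed_data.get("message", {})

    if typed_data.get("primaryType") != "Order":
        warnings.append(f"primaryType is {typed_data.get('primaryType')!r}, not a Wyvern Order")
        return warnings

    # The domain's verifyingContract and the order's exchange field bind the
    # signature to one exchange contract; a phishing page can point either
    # at a contract the user has never heard of.
    if not _addr_eq(domain.get("verifyingContract"), expected_exchange):
        warnings.append("domain.verifyingContract is not the expected exchange contract")
    if not _addr_eq(msg.get("exchange"), expected_exchange):
        warnings.append("order.exchange is not the expected exchange contract")

    if not _addr_eq(msg.get("maker"), my_address):
        warnings.append("order.maker is not the signing wallet")

    # A sell order with basePrice 0 authorises the NFT transfer with no
    # payment leg: exactly the "partial agreement" described in the article.
    side = int(msg.get("side", -1))
    base_price = int(msg.get("basePrice", 0))
    if side == SIDE_SELL and base_price == 0:
        warnings.append("sell order with basePrice 0: the NFT can be taken with no payment leg")

    expiration = int(msg.get("expirationTime", 0))
    if expiration == 0:
        warnings.append("expirationTime 0: the order never expires and can be filled months later")
    elif expiration < now:
        warnings.append("order is already expired")

    taker = msg.get("taker", ZERO_ADDRESS)
    if not _addr_eq(taker, ZERO_ADDRESS):
        warnings.append(f"private order: only {taker} can fill it")

    return warnings


# ---- constructed sample data (placeholders, not real addresses) ----
EXPECTED_EXCHANGE = "0x" + "11" * 20   # the exchange contract the user trusts
MY_ADDRESS = "0x" + "22" * 20          # the signing wallet
NOW = 1_645_315_200                    # constructed "current" time: 2022-02-20 00:00 UTC


def _order(**overrides):
    """Build a constructed sell-order payload; overrides vary single fields."""
    msg = {
        "exchange": EXPECTED_EXCHANGE,
        "maker": MY_ADDRESS,
        "taker": ZERO_ADDRESS,
        "side": SIDE_SELL,
        "paymentToken": ZERO_ADDRESS,       # zero address means ETH in Wyvern
        "basePrice": str(80 * 10**18),      # 80 ETH in wei, as wallets display it
        "listingTime": str(NOW - 60),
        "expirationTime": str(NOW + 7 * 86400),
    }
    msg.update(overrides)
    return {
        "primaryType": "Order",
        "domain": {"name": "Wyvern Exchange Contract", "version": "2.3",
                   "chainId": 1, "verifyingContract": EXPECTED_EXCHANGE},
        "message": msg,
    }


LEGIT_LISTING = _order()
SUSPICIOUS_REQUEST = _order(basePrice="0", expirationTime="0",
                            exchange="0x" + "33" * 20)

if __name__ == "__main__":
    for label, payload in (("legit", LEGIT_LISTING), ("suspicious", SUSPICIOUS_REQUEST)):
        print(label, review_order(payload, EXPECTED_EXCHANGE, MY_ADDRESS, NOW))
```

The checks are deliberately conservative: a zero price on a sell order or an order that never expires are the two properties that turn a routine listing signature into a standing authorisation to take the token for nothing, so they are the ones worth blocking on rather than merely displaying.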
The news comes at a decidedly unfavorable moment for the platform. Several controversies have recently emerged over the proliferation of counterfeit and plagiarized works, and an employee resigned after he was found to have used inside information to profit from NFT launches. Just a day earlier, OpenSea had also rolled out a new smart contract and invited users to migrate all their assets to it.
An hour and a half after users began reporting missing NFTs, OpenSea acknowledged the issue. It tweeted that it was “actively investigating rumors of an exploit associated with OpenSea related smart contracts”, adding that it believed this was a phishing attack originating outside OpenSea rather than a flaw in its contract. It was later determined that an attacker had phished 32 OpenSea users into signing a malicious order, which allowed the attacker to take the NFTs and then flip them. Bizarrely, the attacker returned some of the NFTs to their original owners, and one victim inexplicably received 50 ETH (about $130,000) from the attacker along with some of his stolen NFTs.