Hundreds of NFTs were stolen from OpenSea users on Saturday, prompting a late-night panic among the site’s large user base. According to a spreadsheet created by the blockchain security service PeckShield, 254 tokens were taken during the attack, including tokens from Decentraland and Bored Ape Yacht Club. The majority of the attacks occurred between 5 and 8 p.m. ET.
According to Molly White, who writes the blog Web3 is Going Great, the stolen tokens are worth more than $1.7 million. OpenSea first stated that 32 users were affected but later amended that figure to 17, saying that 15 of the 32 users had interacted with the attacker but had not lost tokens as a result.
“I checked every transaction,” said one user, who goes by Neso. “They all have valid signatures from the people who lost NFTs, so anyone claiming they didn’t get phished but lost NFTs is sadly wrong.”
The attack appears to have taken advantage of a flaw in the Wyvern Protocol, the open-source standard that underpins the majority of NFT smart contracts, including those created on OpenSea. According to one explanation (posted by CEO Devin Finzer on Twitter), the attack came in two parts. First, targets signed a partial contract, with a general authorisation and large chunks left blank. After obtaining the signature, the attackers completed the transaction by calling their own contract, which transferred ownership of the NFTs without any payment. In essence, the victims signed a blank check, and the attackers then filled in the rest of the check to take their assets.
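The “blank check” pattern described above can be caught before a signature is ever produced. The following is an added example, not OpenSea’s or Wyvern’s code: a client-side sanity check that a wallet or marketplace front end could run on an order object before prompting the user to sign it. The order shape is a simplified model whose field names (`target`, `calldata`, `replacementPattern`, `basePrice`, `expirationTime`, `side`) loosely follow the Wyvern order struct; that mapping, the 30-day lifetime policy, and the sample orders are all assumptions constructed for illustration.

```javascript
// Added example (not OpenSea's or Wyvern's code). Pre-signature sanity check for a
// Wyvern-style marketplace order. Field names loosely follow the Wyvern order
// struct, but the order shape here is a simplified, assumed model.

const ZERO_ADDRESS = "0x0000000000000000000000000000000000000000";
const MAX_LIFETIME_SECONDS = 30 * 24 * 60 * 60; // assumed policy: refuse orders valid for more than 30 days

function isBlankAddress(addr) {
  return !addr || addr.toLowerCase() === ZERO_ADDRESS;
}

function hexToBytes(hex) {
  const clean = (hex || "").replace(/^0x/, "");
  const out = [];
  for (let i = 0; i < clean.length; i += 2) out.push(parseInt(clean.slice(i, i + 2), 16));
  return out;
}

// Returns { ok, problems }. Each problem is a reason the signer should refuse.
function checkOrderBeforeSigning(order, nowSeconds) {
  const problems = [];
  const data = hexToBytes(order.calldata);
  const mask = hexToBytes(order.replacementPattern);

  if (isBlankAddress(order.target)) problems.push("target contract is blank");
  if (data.length === 0) problems.push("calldata is empty: nothing constrains what the order does");
  if (order.side === "sell" && BigInt(order.basePrice || 0) === 0n) {
    problems.push("basePrice is zero: the asset would be given away");
  }

  // replacementPattern is a byte mask over calldata: a non-zero mask byte marks a
  // calldata byte the counterparty may overwrite when it fills the order.
  if (data.length > 0) {
    if (mask.length !== data.length) problems.push("replacementPattern length does not match calldata");
    if (mask.slice(0, 4).some((b) => b !== 0)) problems.push("function selector is replaceable");
    const replaceable = mask.filter((b) => b !== 0).length;
    if (replaceable * 2 > data.length) problems.push("more than half of calldata is replaceable");
  }

  if (!order.expirationTime) problems.push("no expiration: order stays valid forever");
  else if (order.expirationTime - nowSeconds > MAX_LIFETIME_SECONDS) {
    problems.push("expiration is more than 30 days away");
  }

  return { ok: problems.length === 0, problems };
}

// --- constructed sample orders (not real on-chain data) ---
const NOW = 1645300000; // fixed clock so results are deterministic
const SELECTOR_TRANSFER_FROM = "23b872dd"; // transferFrom(address,address,uint256)
const pad32 = (hexNoPrefix) => hexNoPrefix.padStart(64, "0");

// A "blank check": general authorisation with the important fields left empty.
const BLANK_CHECK_ORDER = {
  side: "sell",
  target: ZERO_ADDRESS,
  calldata: "0x",
  replacementPattern: "0x",
  basePrice: "0",
  expirationTime: 0,
};

// A normal listing: transferFrom(seller, <buyer filled in later>, tokenId), where only
// the 32-byte recipient slot is replaceable, priced at 1 ETH, expiring in 7 days.
const NORMAL_ORDER = {
  side: "sell",
  target: "0x" + "ab".repeat(20), // constructed NFT contract address
  calldata:
    "0x" + SELECTOR_TRANSFER_FROM + pad32("11".repeat(20)) + pad32("0".repeat(40)) + pad32("2a"),
  replacementPattern: "0x" + "00".repeat(4) + "00".repeat(32) + "ff".repeat(32) + "00".repeat(32),
  basePrice: "1000000000000000000",
  expirationTime: NOW + 7 * 24 * 60 * 60,
};

console.log("blank check:", checkOrderBeforeSigning(BLANK_CHECK_ORDER, NOW));
console.log("normal listing:", checkOrderBeforeSigning(NORMAL_ORDER, NOW));
```

The check is deliberately structural: it does not try to decode the calldata, only to refuse orders where the target, the calldata, the price or the expiry is blank, or where the replacement mask lets the counterparty rewrite the function selector or most of the call. A wallet that surfaces these reasons in the signing prompt gives the user something concrete to decline, which the raw hex of a signature request never does.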
OpenSea, which provides a simple interface for users to list, browse, and bid on tokens without dealing directly with the blockchain, has become one of the most valuable companies of the NFT boom, valued at $13 billion in a recent fundraising round. But that success has come with serious security risks: the company has struggled with attacks that used old contracts or poisoned tokens to steal customers’ valuable holdings.
When the attack occurred, OpenSea was in the middle of modernising its contract system, but the company has denied that the new contracts were the source of the attack. The small number of targets makes a vulnerability of that kind unlikely, since any flaw in the broader platform would almost certainly be exploited on a much larger scale.
Many aspects of the attack, including the approach the attackers used to persuade targets to sign the half-filled contract, remain unknown. The attacks did not originate from OpenSea’s website, its various listing systems, or any emails from the company, according to OpenSea CEO Devin Finzer, who wrote on Twitter shortly before 3 a.m. ET. The attack’s speed (hundreds of transactions in a matter of hours) suggests a common attack vector, but no link between the victims has been found so far.
“We’ll keep you updated as we learn more about the exact nature of the phishing attack,” said Finzer on Twitter. “If you have specific information that could be useful, please DM @opensea_support.”