Tuesday, May 24, 2022

$1.7 Million in NFTs were stolen in an apparent phishing attack against OpenSea users

OpenSea’s large user base was shaken by the theft of hundreds of NFTs by attackers on Saturday. PeckShield, a blockchain security service, created a spreadsheet that counted 254 tokens taken during the attack. This included tokens from Decentraland Yacht Club and Bored Ape Yacht Club.

Most attacks occurred between 5PM ET and 8PM ET. They targeted 32 users. Molly White, who runs the blog Web3 is Going Great, estimated that the value of the stolen tokens was more than $1.7 million.

The attackers appear to have exploited a flexibility in the Wyvern Protocol, the open-source standard that underpins most NFT smart contracts. Devin Finzer, OpenSea's CEO, shared a second explanation on Twitter. First, the targets signed a partial agreement, which included a general authorization but large blanks. Once the signature was in place, the attackers completed the contract with a call to their own contract, which transferred ownership of the NFTs to them without any payment. In effect, the targets had signed a blank cheque, and the attackers filled in the rest.

A user who goes by Neso said that he had checked all of the transactions. “They all have valid signatures of the people who lost NFTs, so anyone who claims they weren’t phished but lost NFTs is sadly mistaken.”

OpenSea, valued at $13 million in a recent funding round, has been one of the most important companies of the NFT boom. It provides a simple interface that allows users to browse, list and bid on tokens without having to interact directly with the blockchain. OpenSea’s success has not been without security problems. The company has faced attacks that used old contracts and poisoned tokens in order to steal valuable user holdings.

OpenSea was updating its contract system at the time of the attack, but the company denies that the attack originated from the new contracts. The small number of targets makes such a vulnerability unlikely, since any flaw in the wider platform could be exploited on an even greater scale.

Many details about the attack are still unclear, including the methods used by the attackers to convince targets to sign the half-empty contracts. Devin Finzer, OpenSea CEO, stated that the attacks did not originate from OpenSea’s website, its listing systems or its emails. The attack’s rapid pace — hundreds of transactions in just hours — suggests a common vector, but no link has been found.

Finzer tweeted, “We’ll keep you updated as we learn more regarding the exact nature of this phishing attack.” If you have any information that might be of use, please contact @opensea_support.

Emma Roth contributed reporting.


Henry Hicks