Despite the volatility that plagues the digital asset sector, there is one market that has continued to thrive: the nonfungible token (NFT) market. In recent months, a growing number of mainstream players, including McDonalds, Adidas, Coca-Cola and the New York Stock Exchange (NYSE), have entered the Metaverse ecosystem.
Also, owing to the fact that global NFT sales topped $40 billion over the course of 2021 alone, many analysts expect this trend to continue into the future. For example, American investment bank Jefferies recently raised its market-cap forecast for the NFT sector to over $35 billion for 2022 and to over $80 billion for 2025 — a projection that was also echoed by JP Morgan. With the market growing at such an alarming rate, security issues are to be expected. This is what happened to OpenSea, a prominent non-fungible token (NFT) marketplace, just hours after it announced a planned week-long upgrade to delist inactive NFTs.
Diving into the matter
On Feb 18, OpenSea revealed that it was going to initiate a smart contract upgrade, requiring all of its users to transfer their listed NFTs from the Ethereum blockchain to a new smart contract. Users who fail to facilitate the migration could lose their inactive and old listings.
The short migration deadline set by OpenSea gave hackers a great opportunity: within hours of the announcement, it was discovered that they had launched a sophisticated phishing campaign to steal NFTs from users.
We are actively investigating rumors of an exploit associated with OpenSea related smart contracts. This seems to be a phishing attempt that originated outside of OpenSea. Do not click links outside of https://t.co/3qvMZjxmDB.
— OpenSea (@opensea) February 20, 2022
Neeraj Murarka is the chief technical officer and cofounder at Bluezelle. Bluezelle, a blockchain for the GameFi ecosystem, was using a protocol called Wyvern, a standard tech module that allows for the storage, management and transfer of tokens within wallets.
The Wyvern smart contract enabled users to work with NFTs stored within their “wallets”, so the hacker was able to send emails to OpenSea clients posing as an agent for the platform and encouraging them to sign “blind transactions”. Murarka further added:
“Metaphorically, this was like signing a blank check. This is normal if the intended recipient is the payee. Remember that email can be sent from anyone but appear to have been sent by another person. In this case, the payee appears to be a single hacker who was able to use these signed transactions to transfer out and effectively steal the NFTs from these users.”
Also, in an interesting twist of events, the hacker apparently returned some of the stolen NFTs to their rightful owners following the incident, with further efforts being made to return other lost assets. Alexander Klus, the founder of Creaton, a Web3 content creator platform, shared his view on the matter. He said that the hacker used a malicious transaction to authorize all holdings to be removed at will. “We need better signing standards (EIP-712) so people can actually see what they are doing when approving a transaction.”
Lastly, Lior Yaffe, cofounder and director of Jelurida, a blockchain software company, pointed out that the episode was a direct result of the confusion surrounding OpenSea’s poorly planned smart contract upgrade, as well as the platform’s transaction approval architecture.
NFT marketplaces need to step up their security game
In Murarka’s view, web apps making use of the Wyvern smart contract system should be augmented with usability improvements to ensure that users don’t fall for such phishing attacks time and time again, adding:
“Very clear warnings should be made to educate the user about phishing attacks and driving home the fact that emails will never be sent, soliciting the user to take any steps. Web apps like OpenSea should adopt a strict protocol to never communicate with users via email apart from maybe just registration data.”
That said, he did concede that even if OpenSea were to adopt the safest security/privacy protocols and standards, it is still up to its users to educate themselves about these risks. “Unfortunately, web apps are often held responsible even though the victim was the app. Who is responsible?” He said that the answer was not clear.
Jessie Chan, chief of staff at ParallelChain Lab, a decentralized blockchain ecosystem, shares a similar sentiment. She told Cointelegraph that the attack did not depend on OpenSea’s security protocols but on users being aware of phishing. It remains to be seen whether the marketplace operator could have provided enough information to its users to help them deal with such situations. Another way to prevent potential phishing attacks is for all interactions between users and their web apps to take place solely through a dedicated mobile/desktop interface. “If all interactions required the use of a desktop app, such attacks could be bypassed completely.”
Providing his take on the subject, Yaffe noted that the main problem — which lies at the heart of this whole issue — is the basic architecture of most NFT marketplaces, enabling users to simply sign a carte blanche approval for a third-party contract to use their private wallet without setting a spending limit:
“Since the OpenSea team did not really figure out the source of the phishing operation, it might as well happen again next time they attempt to make a change to their architecture.”
What can be done?
Murarka noted that the best way to eliminate the possibility of these attacks is for people to start using hardware wallets, since most software wallets, as well as custodial storage solutions, are too vulnerable in terms of their design and operational outlook. He further elaborated: “Much like Bitcoin, Ethereum, etc, NFTs themselves should be moved to hardware wallet accounts instead of leaving them on a centralized platform,” adding:
“Users need to be super aware of the risks of responding to and acting upon emails they receive. Emails can be faked very easily, and users need to be proactive about the safety of their crypto assets.”
Another thing NFT owners need to remember is that they should only visit web apps that employ high-quality security protocols, checking that the accessed marketplaces use HTTPS (at the very least) and that a lock symbol is clearly visible at the top left of the browser window — one that correctly points to the intended company — while visiting any webpage.
Yaffe believes users need to be cautious about contract approvals: it is important to keep track of contracts they have approved in the past and to cancel any unneeded or unsafe approvals. He concludes that users should set a reasonable spending limit for each contract approval.
Lastly, Chan believes that in an ideal scenario, users should keep their wallets on a dedicated platform that they don’t use to read email or browse the web, adding that any such avenues are subject to all manner of third-party attacks. Chan further stated:
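The two weaknesses the article describes, blind signing of opaque order hashes (Murarka and Klus above, with EIP-712 as the proposed fix) and carte blanche operator approvals without a limit (Yaffe's point here), can both be surfaced to the user before they sign. The following is an added example, not code from OpenSea, Wyvern or any of the people quoted: a wallet-side triage function that labels a signing request as blind, decodes EIP-712 typed data so every field is visible, and flags an ERC-721 setApprovalForAll grant. Request shapes, addresses and the sample order are constructed assumptions; the selector 0xa22cb465 is the real one for setApprovalForAll(address,bool).

```javascript
// Added example (not OpenSea/Wyvern code): triage a wallet signing request so
// the user sees what is being approved instead of signing a blank check.
// Assumed request shapes mirror the JSON-RPC methods eth_sign,
// eth_signTypedData_v4 and eth_sendTransaction.

// ERC-721 setApprovalForAll(address,bool): grants an operator the right to
// move every NFT the owner holds, with no per-token limit.
const SET_APPROVAL_FOR_ALL = "0xa22cb465";

function triage(req) {
  const warnings = [];
  let summary;
  if (req.method === "eth_sign") {
    // Only a 32-byte digest is shown: nothing tells the user what it commits to.
    summary = `blind signature over opaque hash ${req.params[1]}`;
    warnings.push("BLIND_SIGNING");
  } else if (req.method === "eth_signTypedData_v4") {
    // EIP-712 typed data names the contract and every field being signed.
    const td = JSON.parse(req.params[1]);
    summary = `${td.primaryType} on ${td.domain.name} (${td.domain.verifyingContract})`;
    for (const [k, v] of Object.entries(td.message)) summary += `; ${k}=${v}`;
  } else if (req.method === "eth_sendTransaction") {
    const { to, data = "0x" } = req.params[0];
    const selector = data.slice(0, 10).toLowerCase();
    // ABI-encoded arguments follow the selector as 32-byte (64 hex char) words.
    const word = (i) => data.slice(10 + 64 * i, 10 + 64 * (i + 1));
    if (selector === SET_APPROVAL_FOR_ALL && data.length === 138) {
      const operator = "0x" + word(0).slice(24); // address is right-aligned
      const approved = BigInt("0x" + word(1)) === 1n;
      summary = `${approved ? "GRANT" : "revoke"} operator ${operator} over all NFTs at ${to}`;
      if (approved) warnings.push("OPERATOR_APPROVAL_ALL");
    } else {
      summary = `call ${selector} on ${to}`;
    }
  } else {
    summary = `unsupported method ${req.method}`;
    warnings.push("UNKNOWN_METHOD");
  }
  return { summary, warnings };
}

// Constructed sample requests; addresses and the hash are placeholders.
const OPERATOR = "0x1111111111111111111111111111111111111111";
const blind = { method: "eth_sign", params: ["0xowner", "0x" + "ab".repeat(32)] };
const grantAll = { method: "eth_sendTransaction", params: [{
  to: "0x2222222222222222222222222222222222222222",
  data: SET_APPROVAL_FOR_ALL + OPERATOR.slice(2).padStart(64, "0") + "1".padStart(64, "0") }] };
const typed = { method: "eth_signTypedData_v4", params: ["0xowner", JSON.stringify({
  domain: { name: "ExampleMarket", verifyingContract: OPERATOR }, primaryType: "Order",
  message: { maker: "0xowner", tokenId: "42", price: "1000000000000000000" } })] };
console.log(triage(blind), triage(grantAll), triage(typed));
```

A wallet that shows the decoded summary and blocks on the warnings gives the user the visibility Klus asks for and the approval check Yaffe recommends.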
“This is inconvenient, but when dealing with assets of great value and where there is no recourse in the event of theft, extreme care is justified. And, as with all financial transactions, they should be very careful in deciding who to deal with, since the counterparties can also steal your assets and disappear.”
Therefore, while moving into a future driven by NFTs and other similar novel digital offerings, it remains to be seen how platforms operating within this space continue to evolve and mature, especially as a growing amount of capital keeps making its way into the NFT market.