OpenSea users have been hit by an attack. In the space of a few hours, 254 NFTs were stolen from 32 users, worth a total of about $1.7 million…
254 NFTs stolen
While the NFT market is booming, cybercriminals stole a few hundred NFTs from users of the OpenSea marketplace this Saturday. As a reminder, OpenSea is one of the most highly valued companies in the NFT industry, with a valuation now estimated at $13 billion. The origin of the attack has not been established, but the marketplace's CEO, Devin Finzer, tweeted that it was most likely a phishing attack and not directly connected to the platform itself. He stressed, however, that the investigation is still ongoing.
The attack, which reportedly lasted about three hours, targeted 32 users. The attackers are believed to have taken advantage of the flexibility of Wyvern, an open-source protocol used to build NFT sale contracts.
On-chain records show that the attackers were able to move NFTs out of users' wallets and take 254 tokens, worth almost $2 million. The stolen NFTs identified so far include pieces from the well-known Bored Apes and Mutant Apes collections as well as other popular collections. According to Finzer, the attacker's wallet held as much as $1.7 million in Ethereum from selling stolen NFTs.
Some of the stolen NFTs do appear to have been returned: in at least one case the attacker reportedly sent back everything taken from a wallet, except for one Bored Ape.
A loophole exploited by thieves
The attack is believed to have abused the Wyvern protocol, the open-source exchange standard on which most NFT trading contracts are built, including those used on OpenSea. It appears to have taken place in two stages.
At the time of the attack, OpenSea was in the middle of migrating to a new version of its exchange contract. The platform states, however, that the new contracts were not exploited. The small number of victims also argues against a vulnerability in the contracts themselves: a flaw of that kind could have been used against every user, not just 32.
In the first stage, the victims signed a partial sale order: an authorization with broad scope and large portions left blank. In the second stage, the attackers completed the signed order with a call to a contract of their own, and executing it transferred ownership of the NFTs without any payment.
Put simply, the targeted users signed, off-chain and without sending any transaction themselves, an agreement that allowed the attackers to move their NFTs. The attackers then submitted the completed agreement on-chain to carry out the transfers and walk away with the tokens. A signature of this kind costs the signer no gas and leaves no trace in their transaction history until the counterparty uses it, which is why it can go unnoticed until the NFTs are gone.
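To make the "blank portions" concrete, the following is an added example written for this article; it is not OpenSea's or Wyvern's code and not a reconstruction of the attacker's actual transactions. It reproduces, in plain Python, the byte-mask merge that Wyvern's order matching performs with ArrayUtils.guardedArrayReplace: the maker signs a calldata template plus a replacement mask, and when the order is filled, every byte the mask opens is taken from the counterparty's calldata instead. The addresses, token id and the two masks are constructed for the demonstration. The check a signer would want is replaceable_regions, which reports exactly which parts of the call are being handed to the other side before anything is signed.

```python
# Added example (not OpenSea's or Wyvern's code): how an order can be signed with
# bytes left blank for the counterparty, and a check of what those blanks expose.
# Addresses, token id and masks are constructed placeholders.

WORD = 32
# Function selector of ERC-721 transferFrom(address,address,uint256).
TRANSFER_FROM_SELECTOR = bytes.fromhex("23b872dd")
CALLDATA_LEN = 4 + 3 * WORD

# Constructed accounts (assumption: placeholders, not real addresses).
VICTIM = bytes.fromhex("11" * 20)
TAKER = bytes.fromhex("22" * 20)
TOKEN_ID = 1234


def abi_word(value) -> bytes:
    """Left-pad an address (bytes) or an integer to one 32-byte ABI word."""
    if isinstance(value, bytes):
        return value.rjust(WORD, b"\x00")
    return int(value).to_bytes(WORD, "big")


def transfer_from_calldata(from_addr: bytes, to_addr: bytes, token_id: int) -> bytes:
    """ABI-encode transferFrom(from, to, tokenId)."""
    return TRANSFER_FROM_SELECTOR + abi_word(from_addr) + abi_word(to_addr) + abi_word(token_id)


def decode_transfer(calldata: bytes):
    """Inverse of transfer_from_calldata: returns (from, to, tokenId)."""
    if calldata[:4] != TRANSFER_FROM_SELECTOR:
        raise ValueError("not a transferFrom call")
    words = [calldata[4 + i * WORD: 4 + (i + 1) * WORD] for i in range(3)]
    return words[0][-20:], words[1][-20:], int.from_bytes(words[2], "big")


def guarded_array_replace(array: bytes, desired: bytes, mask: bytes) -> bytes:
    """Byte-wise merge with the semantics of Wyvern's ArrayUtils.guardedArrayReplace:
    where a mask byte is set the byte comes from `desired`, elsewhere it is kept from
    `array`. The signer commits to `array` and `mask`; the counterparty supplies `desired`."""
    if not len(array) == len(desired) == len(mask):
        raise ValueError("array, desired and mask must have the same length")
    return bytes(((a & ~m) & 0xFF) | (d & m) for a, d, m in zip(array, desired, mask))


def mask_for_words(word_indexes) -> bytes:
    """Replacement mask that opens only the given argument words
    (word 0 is the first 32-byte argument after the 4-byte selector)."""
    mask = bytearray(CALLDATA_LEN)
    for w in word_indexes:
        start = 4 + w * WORD
        mask[start:start + WORD] = b"\xff" * WORD
    return bytes(mask)


def replaceable_regions(mask: bytes) -> list:
    """The pre-signing check: which parts of the calldata may the counterparty rewrite?
    Returns 'selector' and/or the numbers of the argument words that are open."""
    regions = []
    if any(mask[:4]):
        regions.append("selector")
    for w in range((len(mask) - 4) // WORD):
        start = 4 + w * WORD
        if any(mask[start:start + WORD]):
            regions.append(w)
    return regions


def fill_signed_order(mask: bytes) -> bytes:
    """The maker signs a transferFrom with `to` left blank, together with `mask`.
    Later the taker supplies calldata of its own choosing; the mask decides which
    of the taker's bytes actually land in the call that gets executed."""
    signed_calldata = transfer_from_calldata(VICTIM, b"\x00" * 20, TOKEN_ID)
    taker_calldata = transfer_from_calldata(TAKER, TAKER, 999)  # taker tries to dictate everything
    return guarded_array_replace(signed_calldata, taker_calldata, mask)


NARROW_MASK = mask_for_words([1])        # only the recipient is left blank
BROAD_MASK = mask_for_words([0, 1, 2])   # "large portions left empty"

if __name__ == "__main__":
    for name, mask in (("narrow", NARROW_MASK), ("broad", BROAD_MASK)):
        sender, recipient, token = decode_transfer(fill_signed_order(mask))
        print(name, replaceable_regions(mask), sender.hex(), recipient.hex(), token)
```

With the narrow mask the signer gives away only the recipient, which is the normal shape of an open sell order. With the broad mask the same signature lets the counterparty choose the sender, the recipient and the token, and a mask that touches the first four bytes lets them swap the function being called altogether. A wallet that shows only an opaque hash cannot surface this difference; decoding the mask before signing can.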
An attack draped in mystery
Most of the details of this incident remain unclear, however. In particular, it is not known what method the criminals used to get their targets to sign the half-empty orders. According to Finzer, the attacks did not originate from the company's website, its listing systems or its emails. The rapid pace of the attack (several hundred transactions in three hours) nonetheless points to a common vector, but no such link has been identified so far. Any user with information about this attack is invited to contact OpenSea…