
OpenSea users lose $1.7 million worth of NFTs in alleged phishing attack

Late Saturday afternoon, hundreds of NFTs were stolen from OpenSea users in an alleged phishing attack, including tokens from Decentraland and Bored Ape Yacht Club. According to the PeckShield security service’s count, the attackers stole 254 tokens in about three hours.

At least 32 users were affected by the alleged phishing attack. The value of the stolen tokens is estimated to exceed $1.7 million in ether (ETH), according to Molly White's blog, Web3 Is Going Just Great.


The attack may be related to the exploitation of a flexibility in the Wyvern Protocol, the open source standard for NFT smart contracts, including those made at OpenSea. On Twitter, the company's CEO, Devin Finzer, linked to a thread that explained the attack in two steps: first, the targets signed a partial contract, with a general authorization and several blank fields. With that signature in hand, the attackers added their own information to the contract, which transferred ownership of the NFTs without payment.
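A wallet-side check for the pattern described above (a general authorization signed with blank fields), shown here as an added example that is not OpenSea or Wyvern code. The request shape and field names are hypothetical and do not reproduce the Wyvern order schema; the sample requests are constructed.

```javascript
// Added example. Field names are hypothetical, not the Wyvern order schema.
const ZERO_ADDRESS = "0x" + "0".repeat(40);

// A value is blank if someone else could supply it after the signature is given.
function isBlank(value) {
  return value === undefined || value === null || value === "" ||
         value === "0x" || value === ZERO_ADDRESS;
}

// Fields the signer must fix before a signature is safe to hand over.
const REQUIRED = ["maker", "taker", "target", "calldata"];

function reviewSigningRequest(req) {
  const findings = [];
  for (const field of REQUIRED) {
    if (isBlank(req[field])) findings.push(`blank field: ${field}`);
  }
  // Assets leaving the wallet for nothing is the outcome the article reports.
  const price = isBlank(req.price) ? 0n : BigInt(req.price);
  if (Array.isArray(req.assets) && req.assets.length > 0 && price === 0n) {
    findings.push("transfers assets for zero payment");
  }
  // An authorization with no expiry stays usable indefinitely.
  if (isBlank(req.expiry) || Number(req.expiry) === 0) findings.push("no expiry");
  // Strict policy: any finding blocks the signature.
  return { verdict: findings.length === 0 ? "ok" : "reject", findings };
}

// Constructed sample: a "general authorization" with blank fields.
const blankAuthorization = {
  maker: "0x" + "a1".repeat(20), taker: ZERO_ADDRESS, target: "",
  calldata: "0x", assets: ["token #1"], price: "0", expiry: 0,
};

// Constructed sample: every field fixed by the signer, price in wei.
const completeListing = {
  maker: "0x" + "a1".repeat(20), taker: "0x" + "b2".repeat(20),
  target: "0x" + "c3".repeat(20), calldata: "0xabcdef",
  assets: ["token #1"], price: "1000000000000000000", expiry: 1700000000,
};

console.log(reviewSigningRequest(blankAuthorization));
console.log(reviewSigningRequest(completeListing));
```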

A user who goes by neso said he had verified each transaction. “They all have valid signatures from people who lost NFTs, so anyone claiming to have not been a victim of phishing but missing NFTs is sadly wrong,” he tweeted.

According to White’s blog, some of the stolen NFTs were returned to their original owners. “A victim inexplicably received 50 ETH ($130,000) from the attacker, as well as the return of some stolen NFTs. The attacker later transferred 1,115 ETH obtained from the attack to a cryptocurrency tumbler, worth around $2.9 million.”


Just before the attack took place, OpenSea was in the process of updating its contract system, but it denies that the attack originated with the new contracts. On Twitter, the company’s CEO, Devin Finzer, argued that the attacks had not originated on the company’s website, its listing systems or any of its emails. The fast pace, with hundreds of transactions in a matter of hours, suggests a common vector, although many details remain unclear and unconnected. “We’ll keep you updated as we learn more about the exact nature of the phishing attack,” Finzer said on Twitter. “If you have specific information that might be helpful, please DM @opensea_support.”

With information from The Verge and Web3 Is Going Just Great
