This weekend, cybercriminals stole several hundred NFTs from OpenSea users.
This weekend, a phishing attack undermined the OpenSea platform, causing a huge wave of panic among users. In total, more than 254 NFTs were stolen, including several Bored Ape Yacht Club and Decentraland tokens.
The attack specifically targeted 32 users of the crypto exchange platform; it reportedly took place between 5 p.m. and 8 p.m. (Eastern Time) and is said to have netted the hackers $1.7 million.
A flaw exploited
To carry out their operation, the hackers relied on a flexibility of the Wyvern protocol, the open-source standard underlying most NFT contracts, including those concluded on OpenSea.
For more technical context, this thread (https://t.co/oHGgA3wLHP) is consistent with our current internal understanding.
— Devin Finzer (dfinzer.eth) (@dfinzer) February 20, 2022
According to Devin Finzer, the platform's CEO and founder, the attack reportedly took place in two phases. In the first, the targets signed a partial contract, the bulk of whose content was left empty. Once the signature was obtained, the criminals completed the contract in their favor, validating the idea of a transaction without any transfer of funds: a kind of digital blank check, which then gave the cybercriminals plenty of time to collect the tokens held by their victims.
The problem is that, legally, the transactions recorded by this phishing operation are completely valid. The victims' digital signatures are authentic, and it is therefore very hard to imagine them winning their case.
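As an added illustration of the "blank check" problem described above (this is example code written for this article, not code from OpenSea or the Wyvern project), the following check is what a wallet or marketplace front end could run over a Wyvern-style order before asking a user to sign it. The field names (side, basePrice, target, calldata, replacementPattern, expirationTime) and the replacementPattern semantics are assumptions based on the public Wyvern order schema, and both sample orders are constructed.

```javascript
// Added example: pre-signature sanity check for a Wyvern-style order.
// Not code from the article, OpenSea or Wyvern; field names are assumed.
const ZERO_ADDRESS = "0x0000000000000000000000000000000000000000";

// Decode a 0x-prefixed hex string into an array of byte values ("0x" -> []).
function hexToBytes(hex) {
  const clean = (hex || "").replace(/^0x/, "");
  const out = [];
  for (let i = 0; i < clean.length; i += 2) out.push(parseInt(clean.slice(i, i + 2), 16));
  return out;
}

// Returns the reasons an order looks like a "blank check"; [] means every
// essential field is filled in and the order can be shown to the user as-is.
function auditWyvernOrder(order) {
  const findings = [];
  if (order.side === 1 && BigInt(order.basePrice ?? 0) === 0n) {
    findings.push("sell order with basePrice 0: the asset would be given away");
  }
  if (!order.target || order.target.toLowerCase() === ZERO_ADDRESS) {
    findings.push("target is the zero address: the contract to call is unspecified");
  }
  if (hexToBytes(order.calldata).length === 0) {
    findings.push("calldata is empty: what the order does is left to be filled in later");
  }
  // Assumed Wyvern semantics: a 0xff byte in replacementPattern lets the
  // counterparty overwrite that byte of calldata. The first four bytes select
  // the function, so marking them replaceable hands over control of the call.
  const mask = hexToBytes(order.replacementPattern);
  if (mask.slice(0, 4).some((b) => b === 0xff)) {
    findings.push("replacementPattern covers the function selector: the call itself can be swapped");
  }
  if (!order.expirationTime || Number(order.expirationTime) === 0) {
    findings.push("expirationTime 0: the signature never expires");
  }
  return findings;
}

// Constructed sample: a mostly empty sell order of the kind a victim might be asked to sign.
const BLANK_ORDER = { side: 1, basePrice: "0", target: ZERO_ADDRESS, calldata: "0x",
  replacementPattern: "0x", expirationTime: 0 };
// Constructed sample: a fully specified listing (1 ETH, transferFrom selector, fixed expiry).
const COMPLETE_ORDER = { side: 1, basePrice: "1000000000000000000",
  target: "0x1111111111111111111111111111111111111111",
  calldata: "0x23b872dd" + "00".repeat(96), replacementPattern: "0x" + "00".repeat(100),
  expirationTime: 1647993600 };
```

A wallet that refuses to present an order with a non-empty findings list, or at least displays the findings next to the signing prompt, removes the "sign now, fill in later" window the attack depended on.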
For its part, OpenSea was in the process of updating its contract system when the attack took place. The platform denied that the flaw stemmed from the new contracts, but promised to keep its users informed of the exact nature of the attack. In the meantime, an internal investigation has been opened, and victims can contact the platform's support directly on Twitter, via the account @opensea_support.