OpenSea confirms hackers made $1.7 million on NFTs stolen in a phishing attack at the weekend
- OpenSea has confirmed an estimated $1.7 million worth of NFTs were stolen in a hack on Saturday.
- The phishing attack exploited the smart-contract code used in NFTs, the platform believes.
Leading NFT marketplace OpenSea has confirmed an estimated $1.7 million worth of tokens were stolen in a hack at the weekend.
In the attack, which took place between 5 p.m. and 8 p.m. ET on Saturday, the thieves tricked OpenSea users into signing incomplete smart-contract orders that allowed the trades. The attackers then completed the contract process themselves to transfer the NFTs, or non-fungible tokens, to their own address.
The hackers likely used "phishing" — in which an official communication is faked to look like the real thing — to fool NFT owners into signing, OpenSea believes.
"As far as we can tell, this is a phishing attack. We don't believe it's connected to the OpenSea website. It appears 32 users thus far have signed a malicious payload from an attacker, and some of their NFTs were stolen," OpenSea CEO Devin Finzer said in a series of tweets.
In later tweets, Finzer dispelled suggestions that the NFT haul was worth as much as $200 million, and clarified that the number of victims had been narrowed down to 17 individuals.
"The attacker has $1.7 million of ETH in his wallet from selling some of the stolen NFTs," he said.
The crypto loss is small compared with recent high-profile hacks, such as the $322 million Wormhole bridge attack on Solana, which also used a flaw in smart contracts. But it is a sign that such crime is becoming more common, as suggested by a recent Chainalysis report that found criminals nabbed crypto worth $14 billion in 2021, a rise of 80%.
Persistent security issues could become a barrier to mainstream adoption of crypto, given a burden is being passed on to the user, some analysts have warned.
The risk of smart contract-based attacks in decentralized finance, especially on developing networks like Solana, is quite high, according to Hart Lambur, cofounder of the UMA protocol.
"Smart contract bugs are unfortunately a common risk in DeFi," Lambur told Insider recently.
The OpenSea hack exploited the Wyvern Protocol, which underpins most NFT smart contract processes. As the protocol is open source, the code is standard and publicly available.
There are three ways to authorize an order, according to an explainer on the Wyvern Protocol website.
"Orders must always be authorized by the maker address, who owns the proxy contract which will perform the call. Authorization can be done in three ways: by signed message, by pre-approval, and by match-time approval."
The OpenSea victims signed a partial contract for the NFT trade, giving the attacker a general authorization but leaving it largely blank — something like signing a blank check. That let the hackers transfer ownership of the NFTs without making any payment.
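As an added illustration, not taken from the article or from the Wyvern project, the check below shows what a wallet-side review of a Wyvern-style sell order could flag before the maker signs it. The `Order` fields are an assumed, simplified subset of the real order structure, and the sample orders and timestamps are constructed.

```python
from dataclasses import dataclass
from typing import List

# In Wyvern-style orders a zero taker address means "any address may fill this order".
ZERO_ADDR = "0x" + "00" * 20


@dataclass
class Order:
    """Constructed, simplified model of a Wyvern-style order (assumed field subset)."""
    maker: str
    taker: str            # zero address = open to any counterparty
    side: int             # 0 = buy, 1 = sell (the maker gives the asset away)
    payment_token: str    # zero address = native ETH
    base_price: int       # price in wei
    listing_time: int     # unix seconds
    expiration_time: int  # 0 = the signed order never expires


def blank_check_findings(order: Order, now: int) -> List[str]:
    """Reasons a wallet should warn before the maker signs; empty means ordinary listing."""
    findings = []
    if order.side == 1 and order.base_price == 0:
        findings.append("sell order transfers the asset for zero payment")
        if order.taker == ZERO_ADDR:
            findings.append("and any address can fill it: this is a blank check")
    if order.expiration_time == 0:
        findings.append("no expiry: the signature stays valid indefinitely")
    elif order.expiration_time < now:
        findings.append("already expired: signing serves no legitimate purpose")
    return findings


def is_safe_to_sign(order: Order, now: int) -> bool:
    return not blank_check_findings(order, now)


# Constructed sample data: a timestamp from February 2022 and two orders.
NOW = 1645300000
NORMAL_LISTING = Order(maker="0xMAKER", taker=ZERO_ADDR, side=1, payment_token=ZERO_ADDR,
                       base_price=10**18, listing_time=NOW, expiration_time=NOW + 7 * 86400)
BLANK_CHECK = Order(maker="0xMAKER", taker=ZERO_ADDR, side=1, payment_token=ZERO_ADDR,
                    base_price=0, listing_time=NOW, expiration_time=0)

if __name__ == "__main__":
    for name, order in (("normal listing", NORMAL_LISTING), ("blank check", BLANK_CHECK)):
        print(name, blank_check_findings(order, NOW) or ["looks like an ordinary listing"])
```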
At least 254 NFTs were taken, according to crypto analysis company PeckShield, though OpenSea has not confirmed that tally.
After talking to those affected, OpenSea determined that the new Wyvern 2.3 contract was not used in the phishing attack, its CEO said.
Finzer said it had also ruled out phishing via clicking on the OpenSea site's banner; clicking on a faked OpenSea email; or using the platform's listing migration tool. Minting, buying, selling or listing NFTs was not at fault either, he said.
The NFT platform is investigating whether the victims had interacted with a list of common websites, he added. OpenSea did not respond to an Insider request for comment.