
OpenSea users lost $1.7 million to NFT theft

We all knew it was a matter of time before online thieves started to target NFTs, but it is still saddening that OpenSea users have suffered a theft of assets worth more than $1.7 million.

Over the weekend, attackers pilfered NFTs from OpenSea, the largest NFT marketplace. The heist affected hundreds of NFTs; an independent tally by blockchain security firm PeckShield puts the count at 254 tokens, among them NFTs from collections such as Decentraland and Bored Ape Yacht Club.

During the attack that lasted less than three hours, 32 users had their NFTs stolen.

While nothing has been confirmed yet, it appears the attackers took advantage of the flexibility of the Wyvern Protocol, the open-source exchange protocol on which OpenSea's marketplace contracts, and many other NFT marketplaces, are built.

OpenSea CEO Devin Finzer posted a thread on Twitter with the company's preliminary findings.

“As far as we can tell, this is a phishing attack. We don’t believe it’s connected to the OpenSea website. It appears 32 users thus far have signed a malicious payload from an attacker, and some of their NFTs were stolen.

“The attack doesn’t appear to be active at this point — we haven’t seen any malicious activity from the attacker’s account in 2 hours. Some of the NFTs have been returned.

“We are not aware of any recent phishing emails that have been sent to users, but at this time, we do not know which website was tricking users into maliciously signing messages.”

Finzer added advice on how users can protect themselves from being compromised. “Always double check that you are interacting with in your browser when you sign messages. If you are an affected user, please DM @opensea_support so that we can thoroughly investigate — we’d love your help.”

He also quashed the rumor that the theft was worth $200 million.

A more technical explanation describes the attack in two phases. In the first, the victim signed a partial order carrying a general authorization, with some fields left blank. In the second, the attacker completed that order, filling the blanks with a call to a contract they control, and submitted it with the victim's signature still attached, which transferred the NFTs to the attacker without paying anything.

The attack coincided with OpenSea's migration to a new contract system, but the company denies that it had anything to do with the upgrade. The relatively small number of victims supports that position: a severe flaw in the contracts themselves would be expected to affect far more users.

OpenSea has risen in prominence following the boom in NFT trading, and its latest funding round valued it at $13 billion. It is a popular destination for trading NFTs because of its easy-to-use interface for listing, searching for, and bidding on tokens. That popularity has also drawn attackers, who have previously tried to abuse old contracts and poisoned tokens on the platform.

Written by HackerVibes
