In a Twitter thread, OpenSea CEO Devin Finzer stated the platform is currently investigating the incident. At this time, Finzer believes the OpenSea website is secure and that the attack happened outside the platform. Most of the attacks took place between 5 PM and 8 PM ET on Saturday, Feb. 19. Furthermore, Finzer said the attack does not appear to be active at this time. However, there is very little information on the exact nature of the attack or the malicious actor behind it.
About OpenSea and NFT Contracts
OpenSea is one of the most popular marketplaces where users can buy and sell digital goods like art, music and collectibles. It provides a user-friendly interface for trading, so users do not have to interact with the blockchain directly. The platform has grown exponentially during the NFT boom and was recently valued at $13 billion. The growing spotlight has come with its share of troubles, as the platform has previously faced some high-profile security issues. OpenSea is in the middle of migrating to a new contract system, which has raised questions about a connection to the latest attack. However, OpenSea has denied these concerns, stating that the attacks did not originate from its website, listing systems, or company emails. That claim is plausible: a flaw in the platform itself would in all likelihood have affected far more users, whereas the current scale and the limited number of targets point towards a phishing campaign.
Hackers Tricked Users into Signing Half-filled Wyvern Orders
While there is still much to learn about the attack, it is worth pointing out what we currently know. Finzer said OpenSea internally believes the hacker exploited a flaw in the Wyvern Protocol, the underlying framework that governs the exchange of digital assets on OpenSea. The attackers appear to have sent targets half-filled but valid Wyvern orders to sign. Once a target has signed, the attacker controls the fields that were left open, including the calldata the order executes, and can complete the order on-chain so that it transfers the NFT to an address they control. Because the signature is genuine, the exchange contract accepts the trade; nothing on-chain checks that the order was assembled by OpenSea's front end rather than by the attacker.

One user with the Twitter handle Neso stated: "I checked every tx, they all have valid signatures from the people who lost NFTs so anyone claiming they didn't get phished but lost NFTs is sadly wrong." Describing Wyvern contracts, Neso added, "The wyvern contracts are extremely flexible, OpenSea validates orders on their frontend/api to ensure what you're signing will function as expected, but the same contracts can still be used by others with more complex orders like this that if you sign can take everything approved." If you found this story interesting and want to learn more about phishing, check out our detailed resource on phishing.
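The order-matching behaviour described above, as an added example that is not OpenSea's or Wyvern's code: a simplified Python model of how Wyvern-style orders let the counterparty fill in calldata bytes that the maker's replacement pattern leaves open, plus a pre-signing check that flags a half-filled order before a wallet signs it. Field names follow Wyvern's Order struct (target, howToCall, calldata, replacementPattern); the addresses and token ids are constructed, and sha256 stands in for keccak256 in the selector and order hash so the block runs with the standard library only.

```python
import hashlib
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1  # Wyvern's HowToCall enum values


def selector(signature: str) -> bytes:
    # Real EVM selectors use keccak256; sha256 stands in here (example assumption).
    return hashlib.sha256(signature.encode()).digest()[:4]


TRANSFER_FROM = selector("transferFrom(address,address,uint256)")
CALLDATA_LEN = 4 + 3 * 32                 # selector + from + to + tokenId
FROM_SLOT = range(4, 36)                  # bytes holding the `from` argument
TO_SLOT = range(36, 68)                   # bytes holding the `to` argument


def word(value: int) -> bytes:
    return value.to_bytes(32, "big")


def transfer_from_calldata(frm: int, to: int, token_id: int) -> bytes:
    return TRANSFER_FROM + word(frm) + word(to) + word(token_id)


def mask(open_bytes) -> bytes:
    """Replacement pattern: 0xff where the counterparty may rewrite a byte,
    0x00 where the maker's signed byte must be kept."""
    return bytes(0xFF if i in open_bytes else 0x00 for i in range(CALLDATA_LEN))


@dataclass(frozen=True)
class Order:
    maker: int
    target: int                 # contract the maker's proxy will call
    how_to_call: int            # CALL or DELEGATECALL
    calldata: bytes
    replacement_pattern: bytes  # empty means no byte may be rewritten


def order_hash(o: Order) -> bytes:
    # The maker signs this hash: it commits to the zeroed bytes and to the
    # mask, so one signature covers every completion the mask permits.
    h = hashlib.sha256()
    for part in (word(o.maker), word(o.target), word(o.how_to_call),
                 o.calldata, o.replacement_pattern):
        h.update(part)
    return h.digest()


def guarded_array_replace(array: bytes, desired: bytes, pattern: bytes) -> bytes:
    # Bitwise, like Wyvern's ArrayUtils.guardedArrayReplace: masked bits come
    # from `desired` (the other side's calldata), the rest stay as signed.
    assert len(array) == len(desired) == len(pattern)
    return bytes((a & (0xFF ^ m)) | (d & m) for a, d, m in zip(array, desired, pattern))


def matched_calldata(buy: Order, sell: Order) -> bytes:
    # Same sequence as atomicMatch_: buy is completed from sell, then sell from
    # the completed buy, and the two must agree before the call is executed.
    buy_cd = buy.calldata
    if buy.replacement_pattern:
        buy_cd = guarded_array_replace(buy_cd, sell.calldata, buy.replacement_pattern)
    sell_cd = sell.calldata
    if sell.replacement_pattern:
        sell_cd = guarded_array_replace(sell_cd, buy_cd, sell.replacement_pattern)
    if buy_cd != sell_cd:
        raise ValueError("orders do not match")
    return sell_cd


def risky_fields(o: Order, nft_contract: int) -> list:
    """What a wallet should show before signing a listing for `nft_contract`.
    A normal fixed-price sale leaves only the `to` slot open."""
    findings = []
    if o.target != nft_contract:
        findings.append("target is not the NFT contract being listed")
    if o.how_to_call != CALL:
        findings.append("DelegateCall: target code runs with your proxy's authority")
    if o.calldata[:4] != TRANSFER_FROM:
        findings.append("calldata is not ERC-721 transferFrom")
    open_outside_to = [i for i, m in enumerate(o.replacement_pattern) if m and i not in TO_SLOT]
    if open_outside_to:
        findings.append(f"counterparty may rewrite {len(open_outside_to)} bytes outside the `to` slot")
    return findings


# Constructed sample addresses and token ids (not real on-chain values).
NFT, SELLER, BUYER, VICTIM, ATTACKER = 0x1111, 0xAAAA, 0xBBBB, 0xCCCC, 0xDDDD

# A normal listing: token 42, seller fixed, only the recipient left open.
LEGIT_SELL = Order(SELLER, NFT, CALL, transfer_from_calldata(SELLER, 0, 42), mask(TO_SLOT))
# A half-filled order: selector only, every argument left for the counterparty.
HALF_FILLED_SELL = Order(VICTIM, NFT, CALL, TRANSFER_FROM + bytes(96), mask(range(4, CALLDATA_LEN)))


def legitimate_match() -> bytes:
    buy = Order(BUYER, NFT, CALL, transfer_from_calldata(0, BUYER, 42), mask(FROM_SLOT))
    return matched_calldata(buy, LEGIT_SELL)


def half_filled_match(chosen_token_id: int):
    # The attacker's side names the victim, their own address and any token id.
    buy = Order(ATTACKER, NFT, CALL, transfer_from_calldata(VICTIM, ATTACKER, chosen_token_id), b"")
    return order_hash(HALF_FILLED_SELL), matched_calldata(buy, HALF_FILLED_SELL)


if __name__ == "__main__":
    print("legit ->", legitimate_match().hex())
    print("half-filled findings:", risky_fields(HALF_FILLED_SELL, NFT))
    for tid in (7, 8):
        digest, cd = half_filled_match(tid)
        print("signed hash", digest.hex()[:16], "executes", cd.hex()[-8:])
```

The point the block makes is the one Neso describes: the same signed hash is valid for every completion the mask allows, so a single signature on the half-filled order authorises a transfer of whichever approved token the counterparty names. The `risky_fields` check is the kind of inspection a wallet or user-side tool can run on the order fields before signing; it is illustrative and not a substitute for reviewing what the signing prompt actually shows.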