OpenSea Investigates Exploit: Phishing or Smart Contract Attack
A hacker managed to exploit OpenSea and gain access to wallets holding valuable NFTs, re-selling some of the items on the same market.
Late on Sunday, a hacker diverted 23 NFT collectibles in what looked like a mix of phishing and, potentially, a smart contract exploit. The attacker's address held items from Bored Ape Yacht Club, Azuki and Doodles, plus smaller hauls from Cool Cats, CloneX and Coolman.
The attack was relatively small in value and scope and stopped after the initial haul.
For a grand total of $750 in gas, the attacker paid no ETH to purchase, and scooped 4 Azukis, 2 Coolmans, 2 Doodles, 2 KaijuKings, 1 MAYC, 1 Cool Cat, 1 BAYC… for $750.
Seeing nothing about x2y2. Looks like a straight interaction with OS' new contract https://t.co/7eu9p0rpZK pic.twitter.com/D4u0MV6CB1
— Jon_HQ (@Jon_HQ) February 20, 2022
Phishing or Smart Contract Exploit
OpenSea suspects a phishing attack in which a malicious contract was substituted for the real one, allowing the attacker to pull NFTs out of user wallets while paying nothing but the gas fees.
https://twitter.com/opensea/status/1495625768713469954
The impact of the exploit is still being investigated, but it appears the hacker was able to list and sell some of the NFTs for Ethereum (ETH). According to users, some of the NFTs stolen from wallets were sold at floor prices simply to cash out fast. The lower estimate of the sales proceeds is the equivalent of $1.7M in ETH. Users also report that some of the NFTs were returned.
The attacker is then selling the stolen NFTs to others to pull ETH out – Currently their wallet is sitting at 262ETH… and growing. pic.twitter.com/neZGSdtpQR
— Jon_HQ (@Jon_HQ) February 20, 2022
OpenSea Deletes Hacker Account
The exact pathway by which the NFTs were stolen remains under investigation. The exploit undermines the safety reputation of OpenSea and, potentially, of other marketplaces built on smart contracts. Some of the affected users claimed they did not click on any links or solicitations to sell their NFTs; instead, they had connected their wallets to a new OpenSea smart contract.
The best approach to safeguarding an NFT collection is to keep it in a wallet that is never connected to marketplaces or games, and to use a separate wallet only for trading on OpenSea, interacting with game marketplaces, or moving a particular NFT that is meant to be sold. This limits what any contract interaction or signature can reach: whatever a wallet has approved or signed can only affect the assets that wallet holds.
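The article does not say which mechanism let the contract move tokens, so the following is a general-purpose check rather than a reconstruction of this incident. It is an example added here, not code from OpenSea or the article's author. Under the ERC-721 standard, a marketplace contract can only transfer a collection's tokens on an owner's behalf if the owner has granted it a blanket approval via setApprovalForAll; that approval persists until revoked. The block builds, offline, the JSON-RPC eth_call payload that asks a collection whether a given operator is still approved for a given owner, decodes the answer, and builds the calldata that revokes the approval. The function selectors are hardcoded (hashlib offers no keccak-256); the collection, owner and operator addresses used in the usage section are constructed placeholders.

```python
# Added example (not from the article): check and revoke a blanket ERC-721
# operator approval without any web3 dependency. Payloads are built offline
# and would be sent to an Ethereum JSON-RPC endpoint by the caller.
import json

# First 4 bytes of keccak256(function signature); hardcoded because the
# standard library has no keccak-256.
SEL_IS_APPROVED_FOR_ALL = "e985e9c5"   # isApprovedForAll(address,address)
SEL_SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool)


def _addr_word(addr: str) -> str:
    """ABI-encode a 20-byte hex address as a left-padded 32-byte word."""
    h = addr.lower().removeprefix("0x")
    if len(h) != 40 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError(f"bad address: {addr}")
    return h.rjust(64, "0")


def is_approved_for_all_call(collection: str, owner: str, operator: str,
                             rpc_id: int = 1) -> dict:
    """JSON-RPC eth_call that asks `collection` whether `operator` may move
    every token `owner` holds in it."""
    data = "0x" + SEL_IS_APPROVED_FOR_ALL + _addr_word(owner) + _addr_word(operator)
    return {
        "jsonrpc": "2.0",
        "id": rpc_id,
        "method": "eth_call",
        "params": [{"to": collection, "data": data}, "latest"],
    }


def decode_bool(result_hex: str) -> bool:
    """Decode the single ABI bool word returned by isApprovedForAll."""
    word = result_hex.removeprefix("0x")
    if len(word) != 64:
        raise ValueError("expected exactly one 32-byte return word")
    return int(word, 16) != 0


def revoke_calldata(operator: str) -> str:
    """Calldata for setApprovalForAll(operator, false); the owner signs and
    sends this as a transaction to the collection contract to revoke."""
    false_word = "0" * 64
    return "0x" + SEL_SET_APPROVAL_FOR_ALL + _addr_word(operator) + false_word


if __name__ == "__main__":
    # Constructed placeholder addresses; not real contracts or wallets.
    collection = "0x" + "33" * 20
    owner = "0x" + "11" * 20
    marketplace = "0x" + "22" * 20

    print(json.dumps(is_approved_for_all_call(collection, owner, marketplace)))
    # Constructed response as a node would return it when the approval stands:
    still_approved = decode_bool("0x" + "0" * 63 + "1")
    if still_approved:
        print("revoke with tx data:", revoke_calldata(marketplace))
```

Run the eth_call for every collection the wallet holds against every marketplace contract it has ever interacted with; any true result is a standing grant that a compromised or malicious contract at that address could use, and the revoke transaction closes it.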
For now, the stolen NFTs have not been delisted, and users must rely on warnings attached to the affected collections. Stolen BAYC tokens, especially the valuable ones, have received user-generated warnings. In the meantime, OpenSea has disabled the hacker's account to prevent further resales.
One remedy that has been proposed for stolen NFTs is to blacklist the previous contract and re-mint the items to the last owner before the hack. This depends on the collection's issuer cooperating, and it effectively overrides the on-chain ownership record rather than reversing the transfers.