Late on Sunday, a hacker managed to divert 23 NFT collectibles in what looked like a mix of phishing attacks and potentially a smart contract exploit. The address held items from Bored Apes Yacht Club, Azuki, Doodles, and a few smaller hauls from CoolCats, CloneX, and Coolman.
The attack was relatively small in terms of value and size and stopped after the initial haul.
Phishing or Smart Contract Exploit
OpenSea suspects a form of phishing attack in which a substitute for the real smart contract was used to take NFTs out of user wallets, with the attacker paying only the gas fees.
The impact of the exploit is still being investigated, but it appears the hacker was able to list and sell some of the NFTs for Ethereum (ETH). According to users, some of the NFTs stolen from wallets were sold at floor prices just to cash out fast. The lower estimate of the sales proceeds is the equivalent of $1.7M in ETH. Users also report that some of the NFTs were returned.
OpenSea Deletes Hacker Account
The exact pathway used to steal the NFTs remains under investigation. The exploit undermines the safety reputation of OpenSea and potentially of other marketplaces that use smart contracts. Some of the affected users claimed they did not click on any links or solicitations to sell their NFTs; instead, they had connected their wallets to a new OpenSea smart contract.
The best approach to safeguarding an NFT collection is to use a separate wallet solely for trading and for interacting with OpenSea or game marketplaces, or to connect a wallet only when there is an intention to move or sell a particular NFT. This limits what a smart contract can do once the wallet has signed it, since a single signature can authorize a series of actions.
For now, the stolen NFTs have not been delisted and users must rely on warnings for the affected collections. Stolen BAYC images, especially the valuable ones, have received user-generated warnings. In the meantime, OpenSea has disabled the hacker’s account to avoid further resales.
One proposed remedy for stolen NFTs is to blacklist the previous contract and re-mint the items, sending them back to the last owner before the hack.