OpenSea Investigates Exploit: Phishing, Smart Contract Attack
A hacker managed to exploit OpenSea and gain access to wallets holding valuable NFTs, re-selling some of the items on the same market.
Late on Sunday, a hacker managed to divert 23 NFT collectibles in what looked like a mix of phishing attacks and potentially a smart contract exploit. The address held items from Bored Apes Yacht Club, Azuki, Doodles, and a few smaller hauls from CoolCats, CloneX, and Coolman.
The attack was relatively small in terms of value and size and stopped after the initial haul.
For a grand total of $750 in gas, the attacker paid no ETH to purchase, and scooped 4 Azukis, 2 Coolmans, 2 Doodles, 2 KaijuKings, 1 MAYC, 1 Cool Cat, 1 BAYC… for $750.
Seeing nothing about x2y2. Looks like a straight interaction with OS' new contract https://t.co/7eu9p0rpZK pic.twitter.com/D4u0MV6CB1
— Jon_HQ (@Jon_HQ) February 20, 2022
Phishing or Smart Contract Exploit
OpenSea suspects a form of phishing attack in which a fake smart contract was substituted for the real one, allowing NFTs to be taken out of user wallets with the attacker paying only the gas fees.
https://twitter.com/opensea/status/1495625768713469954
The impact of the exploit is still under investigation, but it appears the hacker was able to list and sell some of the NFTs for Ethereum (ETH). According to users, some of the NFTs stolen from wallets were sold at floor prices to cash out quickly. The lower estimate of the ETH proceeds from the sales is the equivalent of $1.7M. Users also report that some of the NFTs were returned.
The attacker is then selling the stolen NFTs to others to pull ETH out – Currently their wallet is sitting at 262ETH… and growing. pic.twitter.com/neZGSdtpQR
— Jon_HQ (@Jon_HQ) February 20, 2022
OpenSea Deletes Hacker Account
The exact pathway by which the NFTs were stolen remains under investigation. The exploit undermines the safety reputation of OpenSea and potentially of other marketplaces that rely on smart contracts. Some of the affected users claimed they did not click on any links or solicitations to sell their NFTs. Instead, they had connected their wallets to a new OpenSea smart contract.
The best approach to safeguarding an NFT collection is to use a separate wallet solely for trading and interacting with OpenSea or game marketplaces, and to connect the main wallet only when there is an intention to move or sell a particular NFT. This limits the potential for a smart contract to trigger a series of actions once the wallet has signed it.
For now, the stolen NFTs have not been delisted and users must rely on warnings for the affected collections. Stolen BAYC images, especially the valuable ones, have received user-generated warnings. In the meantime, OpenSea has disabled the hacker’s account to avoid further resales.
One of the solutions for stolen NFTs is to blacklist the previous contract and re-mint the items, sending them back to the last owner before the hack.