OpenSea Exploit Investigated: Phishing or Smart Contract Attack
A hacker managed to exploit OpenSea and gain access to wallets holding valuable NFTs, re-selling some of the items on the same market.
Late on Sunday, a hacker managed to divert 23 NFT collectibles in what looked like a mix of phishing attacks and potentially a smart contract exploit. The address held items from Bored Apes Yacht Club, Azuki, Doodles, and a few smaller hauls from CoolCats, CloneX, and Coolman.
The attack was relatively small in terms of value and size and stopped after the initial haul.
For a grand total of $750 in gas, the attacker paid no ETH to purchase, and scooped 4 Azukis, 2 Coolmans, 2 Doodles, 2 KaijuKings, 1 MAYC, 1 Cool Cat, 1 BAYC… for $750.
Seeing nothing about x2y2. Looks like a straight interaction with OS' new contract https://t.co/7eu9p0rpZK
— Jon_HQ (@Jon_HQ) February 20, 2022
Phishing or Smart Contract Exploit
OpenSea suspects a form of phishing attack in which a malicious contract was substituted for the real one, allowing the attacker to take NFTs out of user wallets while paying only the gas fees.
https://twitter.com/opensea/status/1495625768713469954
The impact of the exploit is still being investigated, but it appears the hacker was able to list and sell some of the NFTs for Ethereum (ETH). According to users, some of the NFTs stolen from wallets were sold at floor prices just to cash out fast. The lower estimate of the ETH sales proceeds is the equivalent of $1.7M. Users also report that some of the NFTs were returned.
The attacker is then selling the stolen NFTs to others to pull ETH out – Currently their wallet is sitting at 262ETH… and growing.
— Jon_HQ (@Jon_HQ) February 20, 2022
OpenSea Deletes Hacker Account
The exact pathway by which the NFTs were stolen remains under investigation. The exploit undermines the safety reputation of OpenSea and potentially of other marketplaces that use smart contracts. Some of the affected users claimed they did not click on any links or solicitations to sell their NFTs. Instead, they had connected their wallets to a new OpenSea smart contract.
The best approach to safeguarding an NFT collection is to use a separate wallet dedicated to trading and interacting with OpenSea and game marketplaces, moving a particular NFT into it only when there is an intention to sell or transfer it. This limits what a smart contract can do with the rest of the collection once the wallet has signed the contract, since a single signature can authorise a series of actions.
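The article does not name the mechanism by which a connected wallet gives a contract control over its NFTs, so the following added example (not code from the article or from OpenSea) assumes the standard ERC-721 setApprovalForAll grant, which is what a marketplace contract typically receives when a wallet approves it. It replays constructed ApprovalForAll event logs to list which operator contracts can still move a wallet's NFTs and flags any that are not on an allow-list, the kind of check a holder would run on a trading wallet after an incident like this one.

```python
# Added example (not the article's or OpenSea's code): replay ERC-721 ApprovalForAll logs
# to see which operator contracts may still move a wallet's NFTs. Assumes the standard
# ERC-721 event layout; every address and log record below is constructed.
from dataclasses import dataclass
# keccak256("ApprovalForAll(address,address,bool)"), the standard ERC-721 event topic
APPROVAL_FOR_ALL_TOPIC = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"
@dataclass(frozen=True)
class Log:
    block: int
    log_index: int
    collection: str   # address of the emitting NFT contract
    topics: tuple     # (event topic, owner, operator), each a 32-byte hex word
    data: str         # ABI-encoded bool as a 32-byte word: 1 = approved, 0 = revoked
def topic_to_address(topic: str) -> str:
    # indexed addresses are left-padded to 32 bytes; the address is the last 20 bytes
    return "0x" + topic[-40:].lower()
def pad_address(addr: str) -> str:
    return "0x" + addr[2:].lower().rjust(64, "0")
def current_operators(logs, wallet, known_operators):
    """Return {collection: set(operators)} still approved for `wallet` after replaying
    the logs in chain order, and the subset of those not on the caller's allow-list."""
    wallet, known = wallet.lower(), {k.lower() for k in known_operators}
    approved = {}
    for log in sorted(logs, key=lambda l: (l.block, l.log_index)):
        if len(log.topics) != 3 or log.topics[0].lower() != APPROVAL_FOR_ALL_TOPIC:
            continue  # some other event
        if topic_to_address(log.topics[1]) != wallet:
            continue  # approval granted by a different owner
        operator = topic_to_address(log.topics[2])
        ops = approved.setdefault(log.collection.lower(), set())
        if int(log.data, 16) == 1:
            ops.add(operator)
        else:
            ops.discard(operator)  # a later revoke wins over an earlier approval
    unknown = {c: ops - known for c, ops in approved.items() if ops - known}
    return approved, unknown

# Constructed sample: placeholder addresses, not real contracts
WALLET, COLLECTION = "0x" + "ab" * 20, "0x" + "c0" * 20
KNOWN_OP, UNKNOWN_OP = "0x" + "11" * 20, "0x" + "ee" * 20
TRUE, FALSE = "0x" + "0" * 63 + "1", "0x" + "0" * 64
def approval_log(block, idx, owner, operator, value):
    return Log(block, idx, COLLECTION, (APPROVAL_FOR_ALL_TOPIC, pad_address(owner), pad_address(operator)), value)
SAMPLE_LOGS = [                       # deliberately out of chain order
    approval_log(300, 2, WALLET, UNKNOWN_OP, TRUE),
    approval_log(100, 0, WALLET, KNOWN_OP, TRUE),
    approval_log(200, 5, WALLET, UNKNOWN_OP, FALSE),   # earlier revoke, must not win
    approval_log(250, 1, "0x" + "99" * 20, UNKNOWN_OP, TRUE),  # another owner, ignored
]
```

Running `current_operators(SAMPLE_LOGS, WALLET, [KNOWN_OP])` reports the unknown operator as still approved because its block-300 approval postdates the block-200 revoke; the same function over real logs fetched from a node would show which contracts to revoke.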
For now, the stolen NFTs have not been delisted and users must rely on warnings for the affected collections. Stolen BAYC images, especially the valuable ones, have received user-generated warnings. In the meantime, OpenSea has disabled the hacker’s account to avoid further resales.
One proposed remedy for stolen NFTs is to blacklist the previous contract and re-mint the items, returning them to the last owner before the hack.