OpenSea Exploit Investigates Phishing, Smart Contract Attack
A hacker managed to exploit OpenSea and gain access to wallets holding valuable NFTs, re-selling some of the items on the same market.
Late on Sunday, a hacker managed to divert 23 NFT collectibles in what looked like a mix of phishing attacks and potentially a smart contract exploit. The address held items from Bored Apes Yacht Club, Azuki, Doodles, and a few smaller hauls from CoolCats, CloneX, and Coolman.
The attack was relatively small in terms of value and size and stopped after the initial haul.
For a grand total of $750 in gas, the attacker paid no ETH to purchase, and scooped 4 Azukis, 2 Coolmans, 2 Doodles, 2 KaijuKings, 1 MAYC, 1 Cool Cat, 1 BAYC… for $750.
Seeing nothing about x2y2. Looks like a straight interaction with OS' new contract https://t.co/7eu9p0rpZK pic.twitter.com/D4u0MV6CB1
— Jon_HQ (@Jon_HQ) February 20, 2022
Phishing or Smart Contract Exploit
OpenSea suspects a form of phishing attack that has substituted the real smart contract and has managed to take out NFTs from user wallets, only providing the gas fees.
https://twitter.com/opensea/status/1495625768713469954
The impact of the exploit is still investigated, but it seems the hacker was able to list and sell some of the NFT for Ethereum (ETH). According to users, some of the NFT stolen from wallets were sold at floor prices just to cash out fast. The lower estimate of ETH from the sales proceeds is $1.7M equivalent. Users also report some of the NFTs were returned.
The attacker is then selling the stolen NFTs to others to pull ETH out – Currently their wallet is sitting at 262ETH… and growing. pic.twitter.com/neZGSdtpQR
— Jon_HQ (@Jon_HQ) February 20, 2022
OpenSea Deletes Hacker Account
The exact pathway of stealing NFTs remains under investigation. The exploit undermines the safety reputation of OpenSea and potentially other marketplaces that use smart contracts. Some of the affected users claimed they did not click on any links or solicitations to sell their NFT. Instead, they had connected their wallets to a new OpenSea smart contract.
The best approach to safeguarding NFT collections is to use a separate wallet just for trading and interacting with OpenSea, game marketplaces or only when there is the intention to move or sell a particular NFT. This avoids the potential for smart contracts to cause a series of actions, once the wallet has signed the contract.
For now, the stolen NFTs have not been delisted and users must rely on warnings for the affected collections. Stolen BAYC images, especially the valuable ones, have received user-generated warnings. In the meantime, OpenSea has disabled the hacker’s account to avoid further resales.
One of the solutions for stolen NFT is to blacklist the previous contract and re-mint the items to send back to the last owner before the hack.
Related Articles
Nine Chronicles v200450 Pushes Progression Past Stage 500 With 30 New Levels
Nine Chronicles broke through its longest-standing progression ceiling on June 25, with update v200450 adding 30 new stages, Grade 8 Transcendence equipment, and new crafting materials that unlock meaningful stat growth.
Immutable Lays Off 29 Developers and Puts Guild of Guardians in Maintenance Mode as It Bets on AI Marketing
Immutable cut 29 roles from its game development teams this week, placed Guild of Guardians in maintenance mode, and announced a major pivot away from making games toward selling AI-powered marketing tools to publishers.
Decentraland Game Expo Opens Today With 26 Web3 Games, Free Wearables and $17,000 in Prizes
The Decentraland Game Expo opened June 26 and runs through June 29, showcasing 26 web3 games across a virtual fairground with 15 free collectible wearables, a $17,000 Game Jam prize pool, and daily expert talks streamed live.