A hacker stole millions of dollars worth of NFTs from OpenSea users over the weekend.
It’s thought that the hacker tricked users into approving transactions that allowed their wallets to be drained through an elaborate phishing attack.
There are several steps to follow to mitigate the chance of falling victim to such incidents in Web3.
Share this article
A hacker stole millions of dollars worth of NFTs from OpenSea users over the weekend. The incident has highlighted the importance of operational security in Web3.
OpenSea Hack Highlights Security Risks
On Feb. 19, multiple OpenSea users reported that their wallets had been drained of valuable NFTs from collections like Bored Ape Yacht Club and Azuki. The total value of the haul was estimated at around $3 million. The next day, OpenSea said that it believed the root cause was a phishing attack that originated “outside of OpenSea.”
The attack targeted 32 users. It’s believed that they were lured into clicking malicious links to sign a rogue smart contract that gave permission for their NFTs to be transferred to another wallet. As a result, the hacker was able to drain over 250 NFTs in a matter of hours.
OpenSea makes use of off-chain signatures to execute gasless trades on behalf of its users. They can be executed automatically, which means users do not need to be online for an NFT order to be filled. It’s thought that the hacker tricked the victims into signing transactions with Wyvern, an NFT exchange protocol used by OpenSea.
A pseudonymous Solidity developer known as foobar posted a tweet storm following the incident in which they said that the victims signed malicious code that allowed the hacker to drain the NFTs to a “target address” they controlled. To convince the victims to sign the code, it’s believed that they posed as OpenSea through an email or other communication format.
The incident highlights the need for exercising caution when signing smart contract transactions. It also serves as a reminder of the risks found in every corner of Web3 and the importance for users to educate themselves about the threats within the evolving landscape. To mitigate the risks of falling victim to such attacks, there are several steps active Web3 users can take to protect themselves.
As a first step toward securing NFTs or other crypto assets, it’s important to know how to revoke permissions associated with a crypto wallet. Phishing attacks like the OpenSea hack are a major concern because signing only one malicious signature may result in the loss of every NFT stored in a wallet. If you trade on OpenSea and permitted the off-chain signature with Wyvern Exchange V1 contract, revoking permission to spend the funds is one way to reduce the risk of a hacker draining funds on the contract.
Users can revoke wallet permissions by going to the Token Approval page on Etherscan, connecting their wallet, and finding the token approvals for each application the wallet has interacted with.
Avoid Blind Signatures
Following the OpenSea hack, the company’s Chief Technology Officer Nadav Hollander said in a tweet storm that valid signatures from the victims were exploited on the Wyvern V1 contract (before the OpenSea migrated to Wyvern V2.3). Users “did sign an order somewhere, at some point in time, at some point in time,” he said. This suggests that the victims may have inadvertently signed malicious contracts.
In the past, crypto phishing attacks have tricked users into entering their wallet’s seed phrase, allowing for the hacker to access their wallet and steal the funds. In some instances, hackers have acquired permission to spend funds by luring users in with fake airdrops. The latest OpenSea incident was different as the hacker attempted multiple collectors at once. It shows that in addition to being cautious with seed phrases, users need to be careful with signing off-chain messages and interacting with suspicious contracts.
Once a signature is signed, a third party can spend funds on behalf of users even if the funds are held in a hardware wallet. Hence, it is crucial for users to take care when executing gasless signatures on OpenSea or other applications. Some blockchain experts recommend against approving all blind signatures.
Such signatures contain only a hex code that shows up only as an Ethereum address; they do not provide additional details about the transaction. EIP-712 signatures, however, give more clarity becasue they show complete transactional data related to the time of a signature request. Per Hollander, the EIP-712 format that comes with the recently migrated OpenSea contracts makes it “much more difficult for bad actors to trick someone into signing an order without realizing it.”
Be Wary of Mixing Web3 and Emails
In connection with the OpenSea incident, multiple reports of phishing email campaigns have surfaced. It’s thought that the hacker sent out an email posing as OpenSea urging them to authorize a migration of their NFT listings to the new Wyvern contract. After clicking through, it appears the users signed transactions that gave the hacker permission to drain their wallets.
Thanks to the rise of deep fake emails, hackers have found ways to send emails that appear to resemble any email domain they like. Users should be wary of all emails that demand a transaction from MetaMask or any other Web3 wallet, even if it appears to be from an official source. One of the best tips in operational security is to avoid interacting with Web3 applications using links posted via email or social media. In fact, it’s best to avoid clicking on any crypto-related links unless they are from an official source.
Besides taking caution when signing transactions and avoiding phishing attacks, there are other steps crypto users can take to stay protected. It’s a good idea, for example, to move high-value assets like NFTs to cold storage devices that do not interact with any applications. To learn more about safeguarding NFTs from hackers, check out beginner’s guide feature.
Disclosure: At the time of writing this feature, the author owned ETH and other cryptocurrencies.
Share this article
The information on or accessed through this website is obtained from independent sources we believe to be accurate and reliable, but Decentral Media, Inc. makes no representation or warranty as to the timeliness, completeness, or accuracy of any information on or accessed through this website. Decentral Media, Inc. is not an investment advisor. We do not give personalized investment advice or other financial advice. The information on this website is subject to change without notice. Some or all of the information on this website may become outdated, or it may be or become incomplete or inaccurate. We may, but are not obligated to, update any outdated, incomplete, or inaccurate information.
You should never make an investment decision on an ICO, IEO, or other investment based on the information on this website, and you should never interpret or otherwise rely on any of the information on this website as investment advice. We strongly recommend that you consult a licensed investment advisor or other qualified financial professional if you are seeking investment advice on an ICO, IEO, or other investment. We do not accept compensation in any form for analyzing or reporting on any ICO, IEO, cryptocurrency, currency, tokenized sales, securities, or commodities.
See full terms and conditions.
NFT Express: Your on-ramp to the world of NFTs
At Tatum, we’ve already made it super easy to create your own NFTs on multiple blockchains without having to learn Solidity or create your own smart contracts. Anyone can deploy…
Beginner’s Guide: How to Safeguard Your NFT Collection Against H…
Crypto Briefing shares a list of operational security best practices for safeguarding your NFTs. Security Tips For NFT Collectors In 2021, NFTs exploded into the mainstream. The market for non-fungible…
OpenSea NFT Hack Exposes Web3 Self-Custody Risks
The hacker stole hundreds of high-value NFTs from sought-after collections like Bored Ape Yacht Club, Azuki, and NFT Worlds. OpenSea Users Targeted in NFT Hack A hacker stole millions of…
Beginner’s Guide: How to Hedge Your Crypto Portfolio
Crypto investors can employ a number of strategies to minimize the risks associated with participating in the space. A Guide to Hedging in Crypto Many cryptocurrencies have hit new all-time…