The world’s largest NFT marketplace, OpenSea, suffered an exploit that left dozens of NFTs missing.
The news came in after a series of tweets by some of the affected users claiming that some of their NFTs were allegedly missing after clicking on a smart contract migration link.
“We are actively investigating rumours of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea’s website. Do not click links outside of http://opensea.io,” OpenSea tweeted shortly after the reports.
OpenSea’s CEO Devin Finzer confirmed the complaints, stating that 32 users had thus far signed a malicious payload from an attacker, exposing their accounts to the exploit. Finzer, who stated that the exploit was a phishing attack in no way connected to the OpenSea website, also dispelled reports that the stolen NFTs were valued at $200M.
“The attacker has $1.7 million of ETH in his wallet from selling some of the stolen NFTs,” he wrote.
On Saturday, OpenSea had called on users to start migrating their listings as part of a planned upgrade of its existing smart contract to a new smart contract. Listings falling outside the deadline would expire, requiring users to list their NFTs afresh.
Experts believe the attacker planned to take advantage of this window to carry out the exploit, since users pay little attention to security when trying to beat a deadline.
Developers at Isotile, citing Etherscan data, say the attacker appears to have prepared the exploit 28 days earlier, in anticipation of collecting as many signatures as possible.
“He starts sending emails with phishing websites,” Isotile tweeted. “They tell you to sign a message to login/migrate to the new Opensea smart contract. Instead you are signing a private sale (0 eth) of your NFTs to the hacker.”
After gathering enough signatures just in time for the migration, the attacker “executes the smart contract function to steal the NFTs before their listings expire.” He was able to do this because the victims’ signatures were stored on his server and remained valid until the orders they authorised expired.
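The pattern Isotile describes, a “login” or “migrate” prompt that is really a zero-price private sale order, is something a wallet or browser extension can flag before the user signs. The following is an added example, not code from the article or from OpenSea: a pre-signature check over an EIP-712 style typed-data request. The order field names (`maker`, `taker`, `side`, `basePrice`, `expirationTime`) and the `side` encoding are an assumed, simplified shape of an exchange sale order, not any real contract’s ABI, and the addresses and timestamp are constructed placeholders.

```javascript
// Added example (not from the article or OpenSea): inspect a signing request
// before the "sign message" prompt and flag the zero-price private-sale pattern.
// Field names below are an assumed simplification of an exchange order struct.

const SIDE_SELL = 1; // assumed convention: 0 = buy, 1 = sell
const ZERO_ADDRESS = "0x0000000000000000000000000000000000000000";

// claimedPurpose is what the page told the user the signature is for
// ("login", "migrate", "trade"). nowSeconds is passed in so the check is
// deterministic. Returns { risk: "low" | "high", reasons: string[] }.
function assessSignRequest(typedData, claimedPurpose, nowSeconds) {
  const reasons = [];

  // Plain text messages (personal_sign style) carry no order at all.
  if (typeof typedData === "string") {
    return { risk: "low", reasons };
  }

  const msg = typedData.message || {};
  const isOrder =
    typedData.primaryType === "Order" && "basePrice" in msg && "side" in msg;

  if (!isOrder) {
    return { risk: "low", reasons };
  }

  // A login or migration prompt should never ask for a sale order.
  if (claimedPurpose !== "trade") {
    reasons.push(`prompt says "${claimedPurpose}" but payload is a sale order`);
  }

  // Selling for 0 ETH is the giveaway the article describes.
  if (Number(msg.side) === SIDE_SELL && BigInt(msg.basePrice) === 0n) {
    reasons.push("sell order with basePrice 0");
  }

  // A fixed taker turns the listing into a private sale to one counterparty.
  if (msg.taker && msg.taker.toLowerCase() !== ZERO_ADDRESS) {
    reasons.push(`private sale: taker fixed to ${msg.taker}`);
  }

  // No expiry (0) or a long-lived order can be executed weeks after signing.
  const exp = Number(msg.expirationTime || 0);
  const THIRTY_DAYS = 30 * 24 * 60 * 60;
  if (exp === 0 || exp - nowSeconds > THIRTY_DAYS) {
    reasons.push("order never expires or lives longer than 30 days");
  }

  return { risk: reasons.length > 0 ? "high" : "low", reasons };
}

// Constructed sample inputs with placeholder addresses (not real ones).
const NOW = 1645000000; // constructed timestamp, seconds

const PHISHING_PAYLOAD = {
  primaryType: "Order",
  domain: { name: "Exchange", version: "1", chainId: 1 },
  message: {
    maker: "0x1111111111111111111111111111111111111111", // victim (placeholder)
    taker: "0x2222222222222222222222222222222222222222", // counterparty (placeholder)
    side: 1,
    basePrice: "0",
    expirationTime: 0,
  },
};

const LEGIT_LISTING = {
  primaryType: "Order",
  domain: { name: "Exchange", version: "1", chainId: 1 },
  message: {
    maker: "0x1111111111111111111111111111111111111111",
    taker: ZERO_ADDRESS, // open to any buyer
    side: 1,
    basePrice: "1000000000000000000", // 1 ETH in wei
    expirationTime: NOW + 7 * 24 * 60 * 60,
  },
};

const LOGIN_MESSAGE = "Sign in to example.invalid (constructed text)";

// Usage when run directly:
console.log(assessSignRequest(PHISHING_PAYLOAD, "migrate", NOW));
console.log(assessSignRequest(LEGIT_LISTING, "trade", NOW));
console.log(assessSignRequest(LOGIN_MESSAGE, "login", NOW));
```

The check keys on the mismatch between what the page claims the signature is for and what the payload actually authorises, which is the core of this attack: the user believes they are logging in or migrating, while the structured data is a sell order at zero price to a fixed taker with no expiry.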
OpenSea user activity is largely unmoderated, which makes it harder for the firm to control what happens on the platform. As of writing, the only measure to avert further losses has been for users to stay vigilant and abstain from signing or clicking any links outside those OpenSea itself provides, under its reminder that “one click makes a difference”.