A $1.7 million hack involves OpenSea users

by Thomas

On Saturday 19 February, a hack claimed several victims among OpenSea users. The thief was able to steal non-fungible tokens (NFTs) for free through a phishing operation. Let’s take a look at what happened.

A new hack for OpenSea

Barely a month after its last hack, the non-fungible token (NFT) platform OpenSea is back in the news. Although this time the platform itself had nothing to do with it, several of its users got an unpleasant surprise on Saturday night: their NFTs had been given away for free.

According to Devin Finzer, OpenSea’s CEO, 32 users of the marketplace were defrauded after allowing a smart contract to transfer their precious collections. The phishing method used is still unknown, but the flaw here is human and not the responsibility of the platform.

To carry out his operation, the hacker deployed his smart contract about a month ago. This gave future victims time to unknowingly sign a “half-transaction” that would allow the thief to receive his loot for free. All the thief then had to do was validate the “sales” at the time of his choice, allowing him to recover several NFTs in a single transaction.

For the more technical amongst you, the process is explained in more detail in this thread:

Once the operation had succeeded, the hacker only had to sell his catches and launder everything through the Tornado Cash mixer. The losses would thus amount to 1.7 million dollars.

On OpenSea, if we take one of the NFTs linked to this hack at random, we can indeed see in its history that a first transfer is made to the culprit's address without compensation, and that he resells it one hour later for 13.5 ETH.

Humans are still the number one vulnerability

The irony is that this comes 24 hours before the migration of the platform’s NFTs to a new smart contract. The new contract is a fix for the latest OpenSea hack that allowed sales to be made well below market prices.

There is some speculation as to the identity of the culprit, but at the time of writing nothing can be said for sure.

In any case, this hack reminds us how necessary it is to be vigilant about the transactions we sign and the authorisations we give. Fake project accounts are numerous on social networks, as are phishing emails and private messages. Very often, the first flaw is the human being. No one is safe from a mistake, and that is why we should never make transactions “in a hurry” or handle our assets when our physical and emotional state is not at 100%.
