OpenSea, the biggest NFT platform in the crypto industry by number of users and volumes, suffered from a hack. OpenSea has had a total volume of $21.8 billion since the inception of the company. The second-largest platform — Looksrare — has about $5 billion less than that.
Among the NFTs stolen are some of the most well-known, including ones of the Bored Ape Yacht Club and the Mutant Ape Yacht Club. About $1.7 million worth of NFTs have been stolen so far from 32 different wallets.
How did the hack happen?
The hack seems to not be a hack. The wallets that were compromised all had one common denominator. They engaged with phishing emails that were promoting a discount on the transfer of NFTs. Once the user clicked the link they were taken to the Opensea platform and could interact as normal with OpenSea.
In the background, by clicking the link, the NFT owner actually activated an order for the transfer of an NFT, however that command was not executed at that time. The hacker collected all those signatures and at some point activated them and transferred the NFTs to their wallet. We know this for sure, as all NFT transactions were signed by the original owners.
So how could the attacker transfer the NFTs to their own wallet after the original NFT owner had signed the order?
OpenSea uses ‘Wyvern’ contracts to execute NFT orders. Those smart contracts collect all the data they need to execute the transaction, such as the command to transfer, receiving wallet address, and the signature to execute the order.
The attacker built a script that automatically filled in part of this Wyvern contract when the NFT owner clicked the link. Part of the contract was completed, including the signature the contract needs to execute. The contract was a private sale from the NFT owner to the attacker of the NFT for the price of 0 ETH.
After collecting several of those half worked out Wyvern contracts, the attacker added the missing part themselves, which executed the contracts. The most important detail added by the attacker was of course their wallet address.
The NFT owner had no clue they actually contributed to these Wyvern contracts by clicking that link. It all happened in the background. The attacker had the patience to wait for a while until they collected enough contracts to execute.
How could this have been prevented?
With current state-of-the-art smart contracts, this is much more difficult. OpenSea already issued new Wyvern contracts prior to the attack. This also indicates the Wyvern contracts that were used for the attack were already signed prior to this migration.
All new orders on OpenSea use the new EIP-712 format. This makes signing much safer. Instead of showing a random collection of characters, it shows a structured and human-readable format, making it clear what you are signing.
Another key thing for OpenSea to implement will be further anti-phishing measures so that this would not happen in the future. Most crypto exchanges already have these measures implemented. Most of the industry has caught up to the problem to prevent such things in the future.
The future of OpenSea
It is clear to most of the community that OpenSea is not the one to blame here. The NFT owners fell victim to those phishing emails which makes us remind again to always double-check whatever information you receive. This hack is not expected to have a material impact on the platform.
The average volumes have gone down about 30% over the past week, however that comes with an overall drop in the crypto markets due to macroeconomic events.
Lossless is the world’s first DeFi hack mitigation tool for token creators. Apart from our known cyber security solutions and renowned professionals, the community also plays a role. With a tangible reward system, community members are also encouraged to explore new ways to detect hacks and fraudulent transactions.
Our protocol halts counterfeit transactions through various methods of fraud identification and automatically reverses any stolen tokens back to the original owner. Our solutions to the impending problems of cyber theft within the blockchain space are thorough and applicable within many protocols.