Wow! NFTs Worth USD 1.7 Million Stolen from OpenSea Users

 


Last Saturday (19/2), hundreds of NFTs were stolen from OpenSea users, causing mass panic among the site's users.

According to PeckShield, a blockchain security service provider, 254 tokens were stolen in the attack, including tokens from Decentraland and the Bored Ape Yacht Club.


The attack took place between 5 p.m. and 8 a.m. Eastern Time, targeting 32 users. Molly White, owner of the blog Web3 is Going Great, estimated the total value of the stolen tokens at more than USD 1.7 million.




The attack is thought to have exploited flexibility in the Wyvern Protocol, the open-source standard used in almost all NFT smart contracts, including OpenSea's.



The process is more or less like this: first, the victim signs a partial contract, with a general authorization and the remainder left blank. With that signature in hand, the perpetrator can complete the contract with a call to his own contract, which transfers ownership of the NFT without any payment being made.



In effect, the victim of this attack signs a blank check, which the perpetrator then fills in to seize ownership of the token.
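A simplified model of the blank-check problem described above, added here as an illustration and not taken from OpenSea or the Wyvern Protocol. The field names, the key and the HMAC standing in for a wallet signature are constructed assumptions; the point is that a signature covering only part of an order stays valid after someone else fills in the rest, and that a pre-signing check can flag the open fields.

```python
import hashlib
import hmac
import json

# Constructed, hypothetical order fields; not the Wyvern order format.
ALL_FIELDS = ("maker", "token_id", "recipient", "price", "expiry")


def digest(order, fields):
    """Canonical hash over the named fields only."""
    covered = {f: order.get(f) for f in fields}
    return hashlib.sha256(json.dumps(covered, sort_keys=True).encode()).digest()


def sign(key, order, fields):
    """HMAC stands in for the wallet signature in this model."""
    return hmac.new(key, digest(order, fields), hashlib.sha256).hexdigest()


def verify(key, order, signature, fields):
    return hmac.compare_digest(sign(key, order, fields), signature)


def unbound_fields(order, signed_fields):
    """Pre-signing check: fields the signature would leave open or blank."""
    return sorted(f for f in ALL_FIELDS
                  if f not in signed_fields or order.get(f) in (None, "", 0))


def demo():
    key = b"constructed-demo-key"
    # The victim approves a general authorization; the rest is blank.
    partial = {"maker": "victim", "token_id": 1234}
    signed = ("maker", "token_id")
    sig = sign(key, partial, signed)

    # Someone else fills in the blanks after the fact.
    completed = dict(partial, recipient="other-party", price=0, expiry=None)
    weak = verify(key, completed, sig, signed)        # signature still valid
    strict = verify(key, completed, sig, ALL_FIELDS)  # full binding rejects it

    # What a wallet could have shown before signing.
    warnings = unbound_fields(partial, signed)
    return weak, strict, warnings


if __name__ == "__main__":
    print(demo())
```

A verifier that binds every field, or a wallet that refuses to sign while `unbound_fields` is non-empty, closes the gap in this model.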


"I checked all transactions. All had valid signatures of the people who lost the NFT, so all of them claimed that they weren't phished," explained a user named Neso, as quoted by The Verge.


OpenSea has become one of the most prominent companies as the popularity of NFTs has grown, with a valuation of up to USD 13 billion. OpenSea provides its users with a simple interface, where they can search and bid for specific tokens without needing to interact with the blockchain.


OpenSea is currently updating its contract system, but it has denied the allegation that the attack stems from the new contract. However, many details of the attack remain unclear, especially the method the perpetrator used to "force" the victims to sign the contract.


"We will continue to provide information once we understand the real cause of this phishing attack," OpenSea CEO Devin Finzer said on Twitter.
