OpenSea has suffered another security incident, this time an apparent phishing attack. The attack, in which NFTs from the Decentraland and Bored Ape Yacht Club collections were stolen, largely took place between 5PM and 8PM ET on Saturday 19 February 2022.
A spreadsheet compiled by blockchain security service PeckShield counted 254 tokens stolen from 32 users over the course of the attack, with the estimated value of the stolen goods amounting to around $1.7 million.
The attacks appear to have exploited a flexibility in the Wyvern Protocol, the open-source exchange protocol underlying OpenSea's marketplace smart contracts. OpenSea CEO Devin Finzer explained the attack in two parts. First, he said, targets had signed a partial contract (an order) that granted general authorisation but left large portions blank.
Second, with that signature in place, attackers could complete the order with a call to their own contract, which transferred ownership of the NFTs to them with no payment required. In effect, the targets had signed blank cheques, which the attackers then filled in before taking the holdings.
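To make the "blank cheque" concrete, here is an added illustration in Python. It is not OpenSea or Wyvern Protocol code and does not reproduce the real order ABI: it assumes a simplified order model, uses HMAC-SHA256 as a stand-in for the on-chain ECDSA signature, and models the fill-in step with a byte-mask replacement helper (`guarded_replace`) in the spirit of Wyvern-style exchanges, where a replacement pattern marks which calldata bytes the counterparty may supply. The addresses, the `transferFrom|...` encoding and the `blank_cheque_warnings` check are constructed for the example. The point it shows is the one in the text: the maker's signature covers the mask and the blank bytes, so it still verifies after the counterparty fills the blanks, while any change to a fixed field breaks it.

```python
# Added illustration (not OpenSea or Wyvern Protocol code) of a partially specified
# signed order that a counterparty can complete. Assumptions: simplified order model,
# HMAC-SHA256 standing in for ECDSA, toy calldata encoding, constructed addresses.
import hashlib
import hmac
from dataclasses import dataclass, replace

ZERO_ADDR = "0x" + "00" * 20          # wildcard taker / blank recipient (hypothetical encoding)
VICTIM = "0x" + "aa" * 20             # constructed sample addresses
ATTACKER = "0x" + "bb" * 20
NFT_CONTRACT = "0x" + "cc" * 20
VICTIM_KEY = b"victim-signing-key"    # stand-in for the maker's private key


@dataclass(frozen=True)
class Order:
    maker: str
    taker: str                  # ZERO_ADDR means anyone may fill the order
    target: str                 # contract the exchange will call on match
    calldata: bytes             # maker's proposed call
    replacement_pattern: bytes  # 0x00 = fixed byte, 0xff = counterparty may overwrite
    price_wei: int


def transfer_calldata(frm: str, to: str, token_id: int) -> bytes:
    """Toy fixed-width encoding of an NFT transfer call (not the real ABI)."""
    return b"transferFrom|" + frm.encode() + b"|" + to.encode() + b"|" + token_id.to_bytes(4, "big")


TO_OFFSET = len(b"transferFrom|") + 42 + 1   # byte offset of the recipient field (56)


def recipient_mask(calldata: bytes) -> bytes:
    """Mask that lets the counterparty fill in only the recipient field."""
    mask = bytearray(len(calldata))
    mask[TO_OFFSET:TO_OFFSET + 42] = b"\xff" * 42
    return bytes(mask)


def order_hash(o: Order) -> bytes:
    # Every field, including the mask, is covered by the signature; the bytes the
    # mask marks as replaceable are signed in their blank state.
    parts = [o.maker.encode(), o.taker.encode(), o.target.encode(),
             o.calldata, o.replacement_pattern, o.price_wei.to_bytes(32, "big")]
    return hashlib.sha256(b"\x1f".join(parts)).digest()


def sign(o: Order, key: bytes) -> bytes:
    return hmac.new(key, order_hash(o), hashlib.sha256).digest()


def verify(o: Order, sig: bytes, key: bytes) -> bool:
    return hmac.compare_digest(sign(o, key), sig)


def guarded_replace(base: bytes, desired: bytes, mask: bytes) -> bytes:
    """Copy bytes from `desired` into `base` wherever the mask byte is non-zero."""
    if not len(base) == len(desired) == len(mask):
        raise ValueError("length mismatch")
    return bytes(d if m else b for b, d, m in zip(base, desired, mask))


def match(order: Order, sig: bytes, maker_key: bytes, filler: str, filler_calldata: bytes) -> bytes:
    """Exchange-side match: check the maker signature, then build the call that will run."""
    if not verify(order, sig, maker_key):
        raise ValueError("bad maker signature")
    if order.taker not in (ZERO_ADDR, filler):
        raise ValueError("order not fillable by this taker")
    return guarded_replace(order.calldata, filler_calldata, order.replacement_pattern)


def blank_cheque_warnings(o: Order) -> list:
    """Pre-signature checks a wallet should surface; all three together is the blank-cheque shape."""
    warnings = []
    if o.taker == ZERO_ADDR:
        warnings.append("any address may fill this order")
    if o.price_wei == 0:
        warnings.append("order transfers for zero payment")
    fillable = sum(1 for m in o.replacement_pattern if m)
    if fillable:
        warnings.append("counterparty may rewrite %d calldata bytes" % fillable)
    return warnings


def run_demo() -> dict:
    blank = transfer_calldata(VICTIM, ZERO_ADDR, 1234)
    phish = Order(VICTIM, ZERO_ADDR, NFT_CONTRACT, blank, recipient_mask(blank), 0)
    sig = sign(phish, VICTIM_KEY)   # what the victim was tricked into signing
    # The attacker supplies its own recipient; its token id (9999) is outside the mask and ignored.
    executed = match(phish, sig, VICTIM_KEY, ATTACKER, transfer_calldata(VICTIM, ATTACKER, 9999))
    # Fixed fields cannot be changed after the fact: editing the order breaks the signature.
    tampered = replace(phish, price_wei=1)
    listing = replace(phish, price_wei=10 ** 18)   # a priced listing of the same shape
    return {
        "signature_valid": verify(phish, sig, VICTIM_KEY),
        "executed_calldata": executed,
        "recipient": executed[TO_OFFSET:TO_OFFSET + 42].decode(),
        "token_id": int.from_bytes(executed[-4:], "big"),
        "tampered_order_accepted": verify(tampered, sig, VICTIM_KEY),
        "phish_warnings": blank_cheque_warnings(phish),
        "listing_warnings": blank_cheque_warnings(listing),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The demo is why "valid signature" and "phished" are not contradictory: the executed call carries the attacker's address, yet the victim's signature over the order verifies, because the recipient bytes were signed blank and the mask that allows their replacement was signed too. Note also that a priced listing of the same shape trips two of the three warnings; only the combination of wildcard taker, zero price and fillable calldata is the blank-cheque pattern, which is the check a wallet should show before asking for a signature.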
A Twitter user who goes by the name Neso addressed the incident in a Twitter thread, writing: “I checked every transaction. They all have valid signatures from the people who lost NFTs so anyone claiming they didn’t get phished but lost NFTs is sadly wrong”.
This is not the first significant security issue OpenSea has faced on its way to becoming a $13 billion-valued platform; it has previously suffered attacks that leveraged old contracts and poisoned tokens.
Although OpenSea was in the process of migrating to a new contract system when the attacks took place, the platform has denied that the attacks originated from the new contracts, and the relatively small number of users successfully targeted is consistent with that. Finzer also wrote on Twitter that the attacks had not originated from OpenSea’s website, its listing systems, or any emails from the company.