OpenSea the NFT marketplace is investigating a “phishing attack” after two dozen users lost access to their tokens.

Over several hours that afternoon, the attacker targeted 32 accounts and obtained 254 tokens, according to a spreadsheet compiled by the blockchain security service PeckShield. Among the stolen NFTs were tokens from the Bored Ape Yacht Club and Azuki collections. An estimate by Molly White, the creator of the Web3 is Going Great blog, put the value of the stolen tokens at 641 Ethereum (about $1.7 million at the time of this article).

“We are convinced this was a phishing attack,” said Devin Finzer, co-founder and CEO of OpenSea, in a tweet early Sunday morning. “We don’t know where the phishing occurred, but we were able to rule out a number of things based on our conversations with the 32 affected users.”

According to Finzer, OpenSea determined that its website was not a vector for the attack, and that no one exploited a previously unknown vulnerability in the platform’s typing, buying, selling and NFT quoting features. “Interacting with an OpenSea email is not an attack vector,” Finzer said. “In fact, we don’t know if affected users received or clicked on links in suspicious emails.”

As The Verge noted, the attack likely took advantage of an aspect of the Wyvern protocol, the open source standard that many Web3 platforms, including OpenSea, use to back their contracts. A Twitter thread suggests that those targeted in the phishing campaign may have signed a partial agreement allowing the attacker to transfer NFTs without any Ethereum changing hands. Linking to the thread, Finzer said it presented a scenario “consistent with our current internal understanding” of the situation.

While there is still much about the attack that we don’t know, what is clear is that it could not have come at a worse time for OpenSea. On Friday, the company introduced a new smart contract and asked people to migrate their assets. It has also been the subject of recent controversy, first with an employee resigning for using inside information to profit from NFT drops, and then more recently over the prevalence of fake, plagiarised or spammed tokens on its platform.
