OpenSea the NFT marketplace is investigating a “phishing attack” after two dozen users lost access to their tokens.
Over several hours that afternoon, the attacker targeted 32 accounts and obtained 254 tokens, according to a spreadsheet compiled by Blockchain security service PeckShield. Among the stolen NFTs were tokens from the Bored Ape Yacht Club and Azuki collections. An estimate by Molly White, the creator of the Web3 is Going Great blog, put the price at 641 Ethereum (about $1.7 million at the time of this article).
“We are convinced this was a phishing attack,” said Devin Finzer, co-founder and CEO of OpenSea, in a tweet early Sunday morning. “We don’t know where the phishing occurred, but we were able to rule out a number of things based on our conversations with the 32 affected users.”
According to Finzer, OpenSea determined that its website was not a vector for the attack, and that no one exploited a previously unknown vulnerability in the platform’s typing, buying, selling and NFT quoting features. “Interacting with an OpenSea email is not an attack vector,” Finzer said. “In fact, we don’t know if affected users receive or click on links in suspicious emails.”
As The Verge noted, the attack likely took advantage of an aspect of the Wyvern protocol. Many Web3 platforms, including OpenSea, use the open source standard to back up their contracts. A Twitter feed suggests that those targeted in the phishing campaign may have signed a partial agreement allowing the attacker to transfer NFTs without any Ethereum changing hands. Linking to the thread, Finzer said it presented a scenario “consistent with our current internal understanding” of the situation.
While there is still much about the attack that we don’t know, what is clear is that it could not have come at a worse time for OpenSea. On Friday, the company introduced a new smart contract and asked people to migrate their assets. It has also been the subject of recent controversy, first with an employee resigning for using inside information to profit from NFT drops, and then more recently over the prevalence of fake, plagiarised or spammed tokens on its platform.