Hackers Steal Hundreds of NFTs from Digital Marketplace OpenSea


Hackers reportedly stole hundreds of non-fungible tokens (NFTs) from users of NFT marketplace OpenSea over the weekend, including NFTs from popular collections like Decentraland and Bored Ape Yacht Club.

The Verge reports that over the weekend, hackers stole hundreds of NFTs from the popular OpenSea marketplace. According to a spreadsheet compiled by the blockchain security service PeckShield, 254 tokens were stolen in the attack, including some from popular collections like Decentraland and the Bored Ape Yacht Club.


The attacks took place between 5:00 p.m. and 8:00 p.m. ET on Saturday and appeared to target 32 users. It has been estimated that the total value of the tokens is around $1.7 million. The attack seems to have exploited a bug in the Wyvern Protocol, which is the open-source standard used by most NFT smart contracts.

How the attack happened is still not fully understood, but experts are speculating on how the crooks got their hands on the digital goods. According to one popular theory, targeted users signed a partially complete contract with a general authorization and multiple sections left blank. Once the signature was in place, attackers completed the contract with a call to their own contract, transferring ownership of the NFTs without payment. In real-world terms, the partial contract is the equivalent of handing a stranger a check that has been signed and dated with all other fields left blank. Much as a crook may finish the check and cash it, the hackers completed the contract information to transfer ownership of NFTs at no cost.
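The blank-check shape described above can be checked for before a signature is given. The sketch below is an added example, not code from OpenSea, the Wyvern Protocol or the original article; the order fields are a simplified, hypothetical model, and the addresses, allow-list and 50% threshold are constructed for illustration.

```python
# Simplified, hypothetical order model (not the real Wyvern struct).
# replacement_pattern: a non-zero byte marks a calldata byte that the
# counterparty may overwrite after the order has been signed.
SELECTOR_TRANSFER_FROM = bytes.fromhex("23b872dd")  # transferFrom(address,address,uint256)
TRUSTED_TARGETS = {"0x" + "aa" * 20}                # constructed allow-list

def open_byte_ratio(calldata: bytes, mask: bytes) -> float:
    """Share of calldata bytes left open for the counterparty to fill in."""
    if not calldata:
        return 1.0
    return sum(1 for b in mask[:len(calldata)] if b) / len(calldata)

def audit_order(order: dict, trusted_targets: set) -> list:
    """Return the reasons an order should not be signed as presented."""
    findings = []
    calldata, mask = order["calldata"], order["replacement_pattern"]
    if len(mask) != len(calldata):
        findings.append("mask-length-mismatch")
    if len(calldata) < 4 or any(mask[:4]):
        findings.append("function-selector-open")   # the call itself is blank
    if open_byte_ratio(calldata, mask) > 0.5:
        findings.append("mostly-blank-calldata")
    if order["target"].lower() not in trusted_targets:
        findings.append("untrusted-target")
    if order["base_price"] == 0:
        findings.append("zero-price")                # transfer without payment
    if order["expiration_time"] == 0:
        findings.append("no-expiry")
    return findings

# Constructed sample 1: ordinary listing, only the recipient word is open.
LISTING = {
    "target": "0x" + "aa" * 20,
    "calldata": SELECTOR_TRANSFER_FROM + bytes(12) + b"\x11" * 20 + bytes(32) + (7).to_bytes(32, "big"),
    "replacement_pattern": bytes(4) + bytes(32) + b"\xff" * 32 + bytes(32),
    "base_price": 10**18,
    "expiration_time": 1_700_000_000,
}
# Constructed sample 2: the "signed blank check" shape from the article.
BLANK_CHECK = {
    "target": "0x" + "bb" * 20,
    "calldata": bytes(100),
    "replacement_pattern": b"\xff" * 100,
    "base_price": 0,
    "expiration_time": 0,
}

if __name__ == "__main__":
    for name, order in (("listing", LISTING), ("blank check", BLANK_CHECK)):
        print(name, "->", audit_order(order, TRUSTED_TARGETS) or "no findings")
```

The ordinary listing passes with no findings, while the blank-check order is flagged on every count a signer would care about: an open function selector, mostly blank calldata, an unknown target, a zero price and no expiry.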

OpenSea CEO Devin Finzer shared a post explaining the possible exploit used:

The Twitter user Neso commented: “I checked every transaction. They all have valid signatures from the people who lost NFTs so anyone claiming they didn’t get phished but lost NFTs is sadly wrong.”

Finzer commented that OpenSea would be updating users with more information when possible. “We’ll keep you updated as we learn more about the exact nature of the phishing attack,” said Finzer. “If you have specific information that could be useful, please DM @opensea_support.”

Read more at The Verge.

Lucas Nolan is a reporter for Breitbart News covering issues of free speech and online censorship. Follow him on Twitter @LucasNolan or contact via secure email at the address lucasnolan@protonmail.com
