Another attack on users of the NFT marketplace OpenSea emerged yesterday, February 20th. As reported by CryptoSlate, the CEO of the NFT marketplace, Devin Finzer, tweeted that it’s likely a phishing attack and not connected to the platform directly. However, he pointed out that investigations were still ongoing.
Blockchain records show that hackers were able to get access to users’ wallets and steal several NFTs. So far, the stolen NFTs include Bored Apes, Mutant Apes, and several other popular collections. The attacker stole close to $2 million worth of NFTs.
The gist of the attacker’s modus operandi is this: the attacker deployed a smart contract on the Ethereum blockchain more than a month before the actual thefts, which shows the operation was planned well in advance. The attacker then emailed several users urging them to move their NFTs from an old OpenSea smart contract to a new one; the new contract had been developed to address bugs discovered after an earlier attack.
Attacker mimicked a genuine OpenSea email
OpenSea did send a genuine email to users asking them to transition their NFTs to the new contract. The attacker imitated the OpenSea email, but with links pointing to the attacker’s smart contract.
The fake contract, in turn, prompted users to sign open sell orders for their NFTs, and the attacker collected these signatures without making any rushed attempt to take the NFTs. The NFTs were in effect put up for sale, and the attacker used a very obscure signing message that was difficult for users to interpret correctly. The signature effectively sold the NFTs to the attacker for zero ether (ETH).
In a follow-up tweet, OpenSea CTO Nadav Hollander shared a technical run-down of the phishing attacks targeting OpenSea users.
“All of the malicious orders contain valid signatures from the affected users, indicating that they did sign an order somewhere, at some point in time. However, none of these orders were broadcasted to OpenSea at the time of signing,” Hollander tweets.
According to Hollander, none of the malicious orders were executed against the new Wyvern 2.3 contract, indicating that they were signed before the migration and are unlikely to be related to OpenSea’s migration flow. A Wyvern contract implements a decentralized digital asset exchange protocol running on Ethereum, which OpenSea uses to facilitate NFT trading on its platform.
“32 users had NFTs stolen over a relatively short time period. This is extremely unfortunate, but suggests a targeted attack as opposed to a systemic issue. This information, coupled with our discussions with impacted users and investigation by security experts, suggests a phishing operation that was executed ahead of the deprecation of the [older and buggy] 2.2 contract given the impending invalidation of these collected malicious orders,” Hollander tweets.
New contract supports EIP-712 typed data payloads
The new 2.3 version of the Wyvern contracts implements Ethereum Improvement Proposal (EIP) 712, which among other things supports so-called typed data payloads. These make it much more difficult for bad actors to trick someone into signing an order without realizing it.
The phishing email sent by the attacker told users to sign a message to log in to OpenSea and migrate their sell orders to the new OpenSea Wyvern 2.3 contract. Instead, users signed a private sale of their NFTs to the attacker for zero ETH. The attacker then executed the smart contract function to take the NFTs before the listings expired, which was possible because the attacker had saved each user’s signature.
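To make the contrast concrete, here is an added Python sketch (not code from the article, OpenSea or the Wyvern protocol) that puts an opaque eth_sign request next to an EIP-712 typed-data request and runs a hypothetical wallet-side review over the order fields before anything is signed. The Order struct is a simplified, hypothetical subset of a Wyvern-style order, the review rules are my own, and every address is a labelled placeholder.

```python
# Added example (not code from the article, OpenSea or Wyvern): an opaque eth_sign request
# next to an EIP-712 typed-data request, plus a pre-signature review that surfaces the
# "zero ETH private sale" pattern. Order is a simplified, hypothetical Wyvern-style struct.
EXPECTED_EXCHANGE = "0xEXCHANGE_PLACEHOLDER"  # placeholder for the genuine exchange address
ZERO_ADDRESS = "0x0000000000000000000000000000000000000000"
SELL = 1  # Wyvern SaleKindInterface.Side: Buy = 0, Sell = 1
TYPES = {"EIP712Domain": [("name", "string"), ("version", "string"), ("chainId", "uint256"),
                          ("verifyingContract", "address")],
         "Order": [("exchange", "address"), ("maker", "address"), ("taker", "address"),
                   ("side", "uint8"), ("paymentToken", "address"), ("basePrice", "uint256"),
                   ("listingTime", "uint256"), ("expirationTime", "uint256")]}

def encode_type(primary: str, types: dict) -> str:
    """EIP-712 encodeType: primary struct, then referenced structs sorted by name. Hashed
    into typeHash, it binds the signature to named fields a wallet can display."""
    def collect(name, seen):
        for _, t in types[name]:
            base = t.rstrip("[]")  # array suffix stripped to find the element struct
            if base in types and base not in seen:
                seen.add(base)
                collect(base, seen)
        return seen
    deps = sorted(collect(primary, set()) - {primary})
    return "".join(f"{n}({','.join(f'{t} {f}' for f, t in types[n])})" for n in [primary] + deps)

def review_signing_request(request: dict, now: int) -> list:
    """Hypothetical wallet-side review; returns findings, empty means nothing flagged."""
    if request["method"] == "eth_sign":  # legacy: a bare 32-byte hash, nothing to inspect
        return ["opaque hash: cannot tell what is being authorised, refuse to sign"]
    data = request["params"]
    if data["primaryType"] != "Order":
        return [f"unexpected primary type {data['primaryType']}"]
    dom, msg, findings = data["domain"], data["message"], []
    if dom["verifyingContract"].lower() != EXPECTED_EXCHANGE.lower():
        findings.append("verifyingContract is not the expected exchange contract")
    if msg["side"] == SELL and int(msg["basePrice"]) == 0:
        findings.append("sell order priced at zero ETH")
    if msg["taker"] != ZERO_ADDRESS:  # fixed taker: private sale to one address
        findings.append(f"private sale: only {msg['taker']} can fill this order")
    if int(msg["expirationTime"]) - now > 30 * 24 * 3600:
        findings.append("order remains fillable for more than 30 days")
    return findings

# Constructed samples (placeholder addresses): the lure from the article expressed as typed data.
OPAQUE_REQUEST = {"method": "eth_sign", "params": ["0x" + "ab" * 32]}
TYPED_REQUEST = {"method": "eth_signTypedData_v4", "params": {"types": TYPES, "primaryType": "Order",
    "domain": {"name": "Wyvern Exchange Contract", "version": "2.3", "chainId": 1,
               "verifyingContract": "0xATTACKER_CONTRACT_PLACEHOLDER"},
    "message": {"exchange": "0xATTACKER_CONTRACT_PLACEHOLDER", "maker": "0xVICTIM_PLACEHOLDER",
                "taker": "0xATTACKER_WALLET_PLACEHOLDER", "side": SELL, "paymentToken": ZERO_ADDRESS,
                "basePrice": "0", "listingTime": "1640000000", "expirationTime": "1650000000"}}}
```

Run `review_signing_request(TYPED_REQUEST, 1645000000)` to see the four findings a reviewable payload exposes; the same request as a bare eth_sign hash yields only the refusal, which is the point of the EIP-712 migration.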
Additionally, as smart contract developer “foobar” explained in a tweet, the attacker was able to steal the NFTs in batches rather than making the sales one by one.
“A single malicious signature can rug all [foobar’s emphasis] of your approved OpenSea NFTs. No need to sign an individual sell order for each one, as originally assumed,” foobar tweets. Normally, the atomicMatch_() function in the smart contract is invoked ...