Crypto enthusiasts awoke Sunday morning to find several valuable non-fungible tokens missing from their digital wallets. A scammer on the NFT marketplace OpenSea managed to bypass the site’s security and pilfer unique tokens from hundreds of users. According to the victims, the scammer stole millions of dollars worth of NFTs.
OpenSea’s co-founder and CEO, Devin Finzer, denies that the attack was a hack. He instead insists that it was a phishing scam. Some enthusiasts online think that Finzer is characterizing the attack as a phishing endeavor to shift blame away from OpenSea’s digital security and blame users for being careless with their login credentials.
“As far as we can tell, this is a phishing attack,” Finzer wrote on Twitter on Saturday. “We don’t believe it’s connected to the OpenSea website. It appears 32 users thus far have signed a malicious payload from an attacker, and some of their NFTs were stolen.”
What is OpenSea?
OpenSea is a popular NFT exchange platform that has become one of the most valuable companies in the recent crypto boom. It draws in new users by allowing them to browse and purchase NFTs without requiring knowledge of the blockchain or other Web 3.0 technologies. Investors reportedly value OpenSea at $13 billion, underscoring NFTs’ sudden popularity.
OpenSea CEO Devin Finzer tweeted on Saturday that the attack only lasted for a few hours and targeted a small selection of users on the exchange. “The attack doesn’t appear to be active at this point — we haven’t seen any malicious activity from the attacker’s account in 2 hours. Some of the NFTs have been returned,” Finzer continued, highlighting the scammer’s unusual theft pattern.
“We’re actively working with users whose items were stolen to narrow down a set of common websites that they interacted with that might have been responsible for the malicious signatures,” he went on. “Huge thanks to the users that hopped on the phone with us directly.”
Some OpenSea users dispute Finzer’s account, however, and argue that they didn’t fall for any phishing attempts. They say that they never opened any emails nor handed their login information to any unusual websites. The defrauded users do share one trait: they all recently migrated their NFT collections to OpenSea’s new smart contract. Ironically, OpenSea implemented this smart contract to prevent hackers from accessing users’ valuable NFTs.
The hacker confused victims and commentators alike by returning some of the stolen tokens to their original owners. Web3 is Going Great reports the hacker even gave one victim 50 Ether, which is worth roughly $130,000, in addition to returning their stolen NFTs.
Signing a Blank Check
The Verge writes that the hacker employed a partial contract strategy, tricking victims into applying their digital signature to an incomplete contract. Once the thief had the victims’ signatures, they completed the contract and added stipulations that would transfer NFTs from the signatories’ accounts into their own. In essence, the victims signed blank checks and then handed them to a stranger.
A user named Neso on Twitter explained how the vulnerability in the site’s new Wyvern Protocol allowed the attacker to access the tokens. They also concluded that the OpenSea users fell victim to the attack by carelessly signing a contract. “I checked every transaction. They all have valid signatures from the people who lost NFTs so anyone claiming they didn’t get phished but lost NFTs is sadly wrong.”
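The “blank check” mechanism described above comes down to one property of a signature: it only protects the fields that were hashed into the digest the user signed. The following is an added illustrative example, not code from OpenSea, the Wyvern protocol or the article. It models an order as a small dictionary with assumed field names (maker, nonce, taker, asset, price, expiry), uses HMAC-SHA256 as a stand-in for a wallet’s ECDSA signature, and contrasts a weak digest that leaves the recipient and asset open with a hardened digest that binds every field. It also includes the wallet-side check a defender would want: refuse to sign an order while any field that decides who gets what is still empty.

```python
"""Why a signature over an incomplete order is a blank check.

Added illustrative example, not code from OpenSea, Wyvern or the article.
HMAC-SHA256 stands in for the wallet's ECDSA signature and the order
layout is a simplification with assumed field names, not the real
Wyvern order structure.  What it shows: if the digest a user signs does
not cover every field that decides where assets go, whoever holds the
signature can fill in the rest later and the signature still verifies.
"""
import hashlib
import hmac
import json

# Constructed sample key standing in for a victim's wallet private key.
VICTIM_KEY = b"constructed-victim-signing-key"

# Fields that decide who receives what; an order is unsafe to sign while
# any of these is still open.
DECISIVE_FIELDS = ("taker", "asset", "price", "expiry")


def sign(key: bytes, digest: bytes) -> bytes:
    """Stand-in for an ECDSA signature over a 32-byte digest."""
    return hmac.new(key, digest, hashlib.sha256).digest()


def verify(key: bytes, digest: bytes, signature: bytes) -> bool:
    """Stand-in for recovering the signer and comparing to the maker."""
    return hmac.compare_digest(sign(key, digest), signature)


def partial_digest(order: dict) -> bytes:
    """Weak scheme: only maker and nonce are bound by the signature.
    Recipient, asset and price are left to be filled in later."""
    bound = {k: order[k] for k in ("maker", "nonce")}
    return hashlib.sha256(json.dumps(bound, sort_keys=True).encode()).digest()


def full_digest(order: dict) -> bytes:
    """Hardened scheme: every decisive field is part of what is signed."""
    bound = {k: order[k] for k in ("maker", "nonce") + DECISIVE_FIELDS}
    return hashlib.sha256(json.dumps(bound, sort_keys=True).encode()).digest()


def complete_order(template: dict, **fields) -> dict:
    """Fill the open fields of a signed template, which is exactly what the
    holder of a blank-check signature is able to do."""
    completed = dict(template)
    completed.update(fields)
    return completed


# Constructed template a victim is asked to sign: recipient and asset open.
TEMPLATE = {
    "maker": "0xVICTIM",  # placeholder address, not a real account
    "nonce": 7,
    "taker": None,
    "asset": None,
    "price": None,
    "expiry": None,
}


def blank_check_accepted() -> bool:
    """A signature over the partial digest still verifies after someone
    else fills in taker, asset and price."""
    sig = sign(VICTIM_KEY, partial_digest(TEMPLATE))
    filled = complete_order(TEMPLATE, taker="0xOTHER", asset="NFT#1",
                            price=0, expiry=0)
    return verify(VICTIM_KEY, partial_digest(filled), sig)


def bound_order_rejected() -> bool:
    """With every decisive field bound, the same later completion no longer
    matches what was signed, so a verifier rejects it."""
    sig = sign(VICTIM_KEY, full_digest(TEMPLATE))
    filled = complete_order(TEMPLATE, taker="0xOTHER", asset="NFT#1",
                            price=0, expiry=0)
    return not verify(VICTIM_KEY, full_digest(filled), sig)


def open_fields(order: dict) -> list:
    """Wallet-side check: decisive fields the user would be leaving blank.
    A non-empty result means the prompt should be refused."""
    return [k for k in DECISIVE_FIELDS if order.get(k) is None]


if __name__ == "__main__":
    print("partial digest accepts attacker-completed order:", blank_check_accepted())
    print("full digest rejects attacker-completed order:", bound_order_rejected())
    print("open fields in the template:", open_fields(TEMPLATE))
```

The two digest functions are the whole lesson: a signing prompt is only as safe as the set of fields the digest binds, which is why a wallet should show the user every decisive field and refuse to proceed while any of them is empty.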
It’s difficult to estimate how valuable NFTs are, given they have no inherent value and are only “worth” what another enthusiast is willing to pay. However, the scammer sold most of the stolen tokens on OpenSea, filling their digital wallet with $1.7 million worth of Ether in a matter of hours.
Isn’t the Blockchain Secure?
The blockchain technology that underpins Web 3.0 is supposed to be secure and immutable. Anyone can read transactions on the blockchain, so any cryptocurrency movement should be traceable. When crypto enthusiasts pitch the technology, they often point to the blockchain’s impartial, decentralized nature as a selling point. However, that decentralization opens the door for savvy criminals to fool the algorithm.
Thieves can steal crypto or NFTs by obtaining legitimate credentials or signatures and then making legitimate-looking transactions over the blockchain. Once these exchanges are completed, there’s nothing the victims can do: the Ethereum and Bitcoin networks won’t allow you to reverse a prior transaction. After all, each exchange creates the foundation for the next block in the chain, so reversing them would cause chaos in all later transactions.
US lawmakers have proposed sweeping new regulations on Web 3.0 technology to bring the standard under the umbrella of the Securities and Exchange Commission. Such legislation would dramatically alter the crypto landscape, but it could make it easier for users to go after thieves and safeguard their digital assets.