The world’s largest NFT marketplace, OpenSea, has allegedly been hacked for millions of dollars’ worth of NFTs, and everyone in the web3 NFT space is on red alert at the moment.
For those holding high-value NFTs, the major concern has been how secure their digital assets are and reassuring themselves that all is in place.
For others, it is a bit confusing. The question on their minds is ‘is blockchain truly immutable?’
A lot of others are just observing the situation from a distance to see how it eventually unfolds.
Irrespective of which side of the divide one is on, security is a matter of urgency and general concern.
As news about the alleged attack spread, OpenSea immediately put out a red banner alert on their page saying “We are actively investigating rumors of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea’s website. Do not click links outside of opensea.io.”
We are actively investigating rumors of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea's website. Do not click links outside of https://t.co/3qvMZjxmDB.
— OpenSea (@opensea) February 20, 2022
What Really Happened?
OpenSea announced that users needed to migrate to a new smart contract upgrade within a one-week deadline; the upgrade fixes an issue with inactive NFT listings on the platform.
The smart contract upgrade would require users to move their listed NFTs on the Ethereum blockchain to a new smart contract.
Within hours after the upgrade announcement, reports spread like wildfire across multiple sources about an ongoing attack that targets the soon-to-be-delisted NFTs.
Many high-profile NFT users had begun speculating that malicious actors had leveraged the situation and started phishing people with a fake page designed to look like the one used to upgrade to that contract.
According to the blockchain ledger history, the attacker was able to transfer numerous NFTs from different users to their own addresses free of charge. The attack affected users holding NFTs from very popular collections such as the Bored Ape Yacht Club, Mutant Ape Yacht Club, and several others.
OpenSea denied that the attack occurred on its platform, while it has been confirmed that a hacker or group of hackers successfully launched a ‘phishing attack’ in which 32 users holding high-value NFTs on OpenSea were affected, causing pandemonium in the NFT space. As the incident unfolded, it sparked a discussion on Twitter Spaces with thousands of people engaged.
While the co-founder and CEO of OpenSea, Devin Finzer, has denied rumours that the company’s platform was hacked in a theft of over $200 million, he admitted that the investigation has shown the loss was far less, at just over $1.7 million worth of Ethereum in the scam.
That doesn’t make it any more bearable, right?
Some Public Opinions
A user, Jacob King, rejected Finzer’s and OpenSea’s phishing-attack explanation as a cheap cover-up, claiming and purporting to show a “flaw in OpenSea’s codebase that actually led to the exploit”, according to him.
#OpenSea is now lying and claiming the exploit was actually just phishing emails people were receiving.
— Jacob King (@JacobOracle) February 20, 2022
Before OpenSea revealed a figure for the attack, a user reportedly claimed that over $200 million in asset value had been compromised.
BREAKING: Massive Opensea “exploit” in their new migration contract allowed users to sell, steal any NFT from any users.
Over $200M lost already.
— CryptoWhale (@CryptoWhale) February 20, 2022
Security researcher Dan Guido shared his disappointment in a tweet where he said that “the security of web3 platforms depend entirely on wallets with universally poor security UX, and there’s very little the platforms can do about it,” adding that, “in a strange win for transparency,” it was even possible to see which NFTs had been stolen.
In a strange win for transparency, even user-focused phishing attacks are public on the blockchain. Here's the unlucky 19 victims of tonight's attack:https://t.co/VOKFC6dGxu
— Dan Guido (@dguido) February 20, 2022
Meanwhile, Finzer also retweeted technical context on what transpired, as shared by another Twitter user, Neso, and added that OpenSea was working with users to track the set of websites they had interacted with that might have been responsible for the malicious signatures.
For more technical context, this thread (https://t.co/oHGgA3wLHP) is consistent with our current internal understanding.
— Devin Finzer (dfinzer.eth) (@dfinzer) February 20, 2022
OpenSea has also confirmed that some of the stolen NFTs have been returned.
Key Web 3 Security Concerns And Takeaways
Avoid Blind Signatures
A pseudonymous Solidity developer, Foobar, tweeted suggesting that the victims had signed malicious code that allowed the hacker to move the NFTs to a “target address” they controlled. To convince them to sign it, it is believed that the attacker posed as OpenSea through an email or other communication medium.
Once such a signature is given, a third party can spend funds on one’s behalf, even if the funds are held in a hardware wallet. Hence, it is crucial to be careful when executing gasless signatures on OpenSea or other applications, or to avoid them entirely.
Be Wary Of Links
Because email sender addresses are easily spoofed, attackers can send emails that appear to come from any domain they want. Web3 users should be wary of all emails that demand a transaction from MetaMask or any other Web3 wallet, even if they appear to be from an official source. It is best practice to avoid interacting with Web3 applications through links posted via email or social media at all.
Learn To Revoke Permissions
The third step in securing your NFTs or other crypto assets is to know how to revoke the permissions (token approvals) associated with your crypto wallet. This is important since signing just one malicious signature may result in the loss of every asset stored in your wallet. To revoke wallet permissions, go to the Token Approvals page on Etherscan, connect the wallet, review the token approvals for each application the wallet has interacted with, and revoke the ones that are no longer needed.
It is also good to move high-value assets like NFTs to cold storage devices that do not interact with any applications.
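The revocation step above can also be audited offline. The following is an added example, not code from the article or from OpenSea: it replays a wallet's ERC-721 `ApprovalForAll` events (a constructed sample; the addresses, block numbers and the "trusted marketplace" operator are assumed placeholders) to work out which operators can still move the wallet's NFTs, flags any operator that is not on a trust list, and builds the `setApprovalForAll(operator, false)` calldata that revokes each one.

```python
# Added example (not the article's or OpenSea's code): replay ERC-721 ApprovalForAll
# events to find operators that can still move a wallet's NFTs, and build revoke calldata.
from dataclasses import dataclass

# First 4 bytes of keccak256("setApprovalForAll(address,bool)"), the standard ERC-721 selector.
SET_APPROVAL_FOR_ALL_SELECTOR = "a22cb465"


@dataclass
class ApprovalForAll:
    block: int
    collection: str   # ERC-721 contract that emitted the event
    owner: str
    operator: str
    approved: bool


def active_operators(events, owner):
    """Replay events in block order; the last ApprovalForAll per (collection, operator) wins."""
    state = {}
    for ev in sorted(events, key=lambda e: e.block):
        if ev.owner.lower() != owner.lower():
            continue
        state[(ev.collection.lower(), ev.operator.lower())] = ev.approved
    return sorted(key for key, approved in state.items() if approved)


def revoke_calldata(operator):
    """ABI-encode setApprovalForAll(operator, false): selector + 32-byte address + 32-byte bool."""
    addr = operator.lower()
    addr = addr[2:] if addr.startswith("0x") else addr
    if len(addr) != 40 or any(c not in "0123456789abcdef" for c in addr):
        raise ValueError("operator must be a 20-byte hex address")
    return "0x" + SET_APPROVAL_FOR_ALL_SELECTOR + addr.rjust(64, "0") + "0" * 64


def audit(events, owner, trusted_operators):
    """Return (collection, operator, calldata) for every active approval not on the trust list."""
    trusted = {t.lower() for t in trusted_operators}
    return [(c, op, revoke_calldata(op)) for c, op in active_operators(events, owner) if op not in trusted]


# Constructed sample data: all addresses are placeholders, not real contracts or wallets.
WALLET, OTHER_WALLET = "0x" + "1" * 40, "0x" + "2" * 40
COLLECTION_A, COLLECTION_B = "0x" + "a" * 40, "0x" + "b" * 40
MARKETPLACE = "0x" + "c" * 40   # assumed: the marketplace proxy the user knowingly approved
UNKNOWN_OP = "0x" + "d" * 40    # assumed: an operator approved through a phishing page
SAMPLE_EVENTS = [
    ApprovalForAll(100, COLLECTION_A, WALLET, MARKETPLACE, True),
    ApprovalForAll(120, COLLECTION_B, WALLET, MARKETPLACE, True),
    ApprovalForAll(130, COLLECTION_A, WALLET, UNKNOWN_OP, True),
    ApprovalForAll(140, COLLECTION_B, WALLET, MARKETPLACE, False),   # already revoked by the user
    ApprovalForAll(150, COLLECTION_B, OTHER_WALLET, UNKNOWN_OP, True),  # someone else's wallet
]
```

Running `audit(SAMPLE_EVENTS, WALLET, [MARKETPLACE])` reports only the unknown operator on collection A, together with the calldata a wallet would send to that collection to revoke it.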
What has happened is very unfortunate; however, it will prove a valuable lesson that improves security awareness and further exposes the intent of some malicious users of blockchain.
As CZ has said, education and continuous learning are the way forward.