marketplace OpenSea is investigating a “phishing attack” that has left more than two dozen of its users without access to some of their most valuable digital tokens. Late Saturday evening, panic hit the platform when someone stole hundreds of NFTs.
We have confidence that this was a phishing attack. We don’t know where the phishing occurred, but we’ve been able to rule out a number of things based on our conversations with the 32 affected users. Specifically:
— Devin Finzer (dfinzer.eth) (@dfinzer) February 20, 2022
Over several hours that afternoon, the attacker targeted 32 accounts and obtained 254 tokens, according to a compiled by blockchain security service PeckShield. Among the stolen NFTs are tokens from the and collections. One estimate by , the creator of the , pegged the haul at 641 Ethereum (approximately $1.7 million at the time of this article).
“We have confidence that this was a phishing attack,” , the co-founder and CEO of OpenSea, in a posted early Sunday morning. “We don’t know where the phishing occurred, but we’ve been able to rule out a number of things based on our conversations with the 32 affected users.”
According to Finzer, OpenSea determined its website was not a vector for the attack, nor did someone exploit a previously unknown vulnerability in the platform’s NFT minting, buying, selling and listing features. “Interaction with an OpenSea email is not a vector for attack,” said Finzer. “In fact, we are not aware of any of the affected users receiving or clicking links in suspicious emails.”
We’ve reached out to OpenSea for comment.
Attacker calls their own contract with calldata including the valid order AND address + transfer calldata for all the NFTs the target has approved on the wyvern (opensea) contract.
— Neso (@Nesotual) February 20, 2022
As noted by , the attack likely took advantage of an aspect of . Many Web3 platforms, including OpenSea, use the open-source standard to underpin their contracts. One suggests those targeted in the phishing campaign may have signed a partial agreement that allowed the attacker to transfer the NFTs without any Ethereum changing hands. , Finzer said it presented a scenario that was “consistent with our current internal understanding” of the situation.
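The two observations above, that the victims appear to have signed a partial order and that the attacker's contract could then move every NFT the victims had already approved to the marketplace contract, translate directly into two wallet-side checks. The following is an added illustration, not code from OpenSea, Wyvern or either analyst: a pre-signing review that flags the blank fields such a partial order would have, and a replay of ERC-721 `ApprovalForAll` logs that lists which operators can still transfer a wallet's tokens. The order field names (`exchange`, `target`, `calldata`, `basePrice`, `expirationTime`), the heuristics themselves, and all addresses and log entries are assumptions and constructed samples, not the real Wyvern layout or real on-chain data.

```javascript
// Added example (not OpenSea's or Wyvern's code). Field names, heuristics,
// addresses and log entries below are assumptions / constructed samples.

const ZERO_ADDR = "0x0000000000000000000000000000000000000000";

// Heuristic review of a marketplace order a user is about to sign. Each flag is
// one way a "partial" order could let a third party move assets with no Ether
// changing hands. Findings are returned for the wallet to show, not enforced.
function reviewOrderBeforeSigning(order, opts = {}) {
  const findings = [];
  const expected = (opts.expectedExchange || "").toLowerCase();
  const nowSec = opts.nowSec ?? Math.floor(Date.now() / 1000);
  const price = BigInt(order.basePrice ?? 0);

  if (price === 0n)
    findings.push("zero price: assets would change hands with no payment");
  if (!order.target || order.target.toLowerCase() === ZERO_ADDR)
    findings.push("no target contract: the contract to be called is left open");
  if (!order.calldata || order.calldata === "0x")
    findings.push("empty calldata: the call to be executed is left open");
  if (expected && (order.exchange || "").toLowerCase() !== expected)
    findings.push("exchange address is not the marketplace contract this wallet expects");
  if (order.expirationTime === 0 || order.expirationTime > nowSec + 30 * 24 * 3600)
    findings.push("order never expires (0) or expires more than 30 days out");
  return findings;
}

// keccak256("ApprovalForAll(address,address,bool)"): the standard ERC-721/1155 event topic.
const APPROVAL_FOR_ALL_TOPIC =
  "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31";

// Indexed address topics are 32-byte words; the address is the low 20 bytes.
function topicToAddress(topic) {
  return "0x" + topic.slice(-40).toLowerCase();
}

// Replay ApprovalForAll logs (oldest first) and return the operators still
// approved for `owner`, per NFT contract. This is the set a usable signed order
// could drain, and therefore the set a user should review and revoke.
function activeOperators(logs, owner) {
  const state = new Map(); // "contract|operator" -> latest approved flag
  for (const log of logs) {
    if (log.topics[0] !== APPROVAL_FOR_ALL_TOPIC) continue;
    if (topicToAddress(log.topics[1]) !== owner.toLowerCase()) continue;
    const operator = topicToAddress(log.topics[2]);
    const approved = log.data.slice(-1) === "1"; // bool sits in the last byte of the data word
    state.set(`${log.address.toLowerCase()}|${operator}`, approved);
  }
  return [...state.entries()]
    .filter(([, approved]) => approved)
    .map(([key]) => {
      const [contract, operator] = key.split("|");
      return { contract, operator };
    })
    .sort((a, b) => (a.contract + a.operator).localeCompare(b.contract + b.operator));
}

// ---- constructed sample data (not real addresses, orders or logs) ----
const OWNER = "0x1111111111111111111111111111111111111111";
const MARKET_PROXY = "0x2222222222222222222222222222222222222222"; // e.g. a marketplace transfer proxy
const OLD_OPERATOR = "0x3333333333333333333333333333333333333333";
const EXCHANGE = "0x4444444444444444444444444444444444444444";
const NFT_A = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
const NFT_B = "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb";
const OTHER_OWNER = "0x5555555555555555555555555555555555555555";

const pad = (addr) => "0x" + addr.slice(2).toLowerCase().padStart(64, "0");
const TRUE_WORD = "0x" + "0".repeat(63) + "1";
const FALSE_WORD = "0x" + "0".repeat(64);

const SAMPLE_LOGS = [
  { address: NFT_A, topics: [APPROVAL_FOR_ALL_TOPIC, pad(OWNER), pad(MARKET_PROXY)], data: TRUE_WORD },
  { address: NFT_A, topics: [APPROVAL_FOR_ALL_TOPIC, pad(OWNER), pad(OLD_OPERATOR)], data: TRUE_WORD },
  { address: NFT_A, topics: [APPROVAL_FOR_ALL_TOPIC, pad(OWNER), pad(OLD_OPERATOR)], data: FALSE_WORD }, // revoked
  { address: NFT_B, topics: [APPROVAL_FOR_ALL_TOPIC, pad(OTHER_OWNER), pad(MARKET_PROXY)], data: TRUE_WORD }, // someone else
];

// A "partial" order: every field that would pin down what gets executed is blank.
const SAMPLE_PARTIAL_ORDER = { exchange: EXCHANGE, target: ZERO_ADDR, calldata: "0x", basePrice: "0", expirationTime: 0 };

// A normal-looking listing: concrete target, non-empty calldata (placeholder bytes), a price, and a 7-day expiry.
const SAMPLE_LISTING = {
  exchange: EXCHANGE,
  target: NFT_A,
  calldata: "0x23b872dd" + "00".repeat(96),
  basePrice: "1000000000000000000",
  expirationTime: 1645000000 + 7 * 24 * 3600,
};

console.log("partial order findings:", reviewOrderBeforeSigning(SAMPLE_PARTIAL_ORDER, { expectedExchange: EXCHANGE, nowSec: 1645000000 }));
console.log("listing findings:", reviewOrderBeforeSigning(SAMPLE_LISTING, { expectedExchange: EXCHANGE, nowSec: 1645000000 }));
console.log("still-approved operators:", activeOperators(SAMPLE_LOGS, OWNER));
```

The review function is deliberately advisory: a zero price or an open taker is legitimate in some flows, so a wallet should surface the findings next to the signing prompt rather than silently refuse. The approval replay is the recovery-side counterpart, since revoking a signature is not possible after the fact, but revoking the `setApprovalForAll` grant on each contract removes what a valid signed order could act on.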
While there’s still much about the attack we don’t know, what is clear is that it couldn’t have come at a worse time for OpenSea. On Friday, the company introduced a and asked people to migrate their assets. It has also been the subject of recent controversy, starting with an employee who resigned for to profit on NFT drops and, more recently, over the prevalence of tokens that are fake, plagiarized or spam on its platform.