- Hackers stole millions of dollars worth of NFTs from OpenSea users over the weekend.
- Hackers are believed to have tricked users into authorizing transactions and depleted wallets through sophisticated phishing attacks.
- There are a few steps to follow to reduce your chances of falling victim to such an incident with Web3.
Hackers stole millions of dollars worth of NFTs from OpenSea users over the weekend. This incident highlights the importance of operational security in Web3.
OpenSea hack highlights security risks
On February 19th, multiple OpenSea users reported that their wallets had been drained of valuable NFTs from collections such as Bored Ape Yacht Club and Azuki. The total value of the haul was estimated at about $3 million. The next day, OpenSea said it believed the root cause was a phishing attack that originated “outside OpenSea.”
The attack targeted 32 users. They are believed to have been tricked into clicking a malicious link and signing a rogue order that gave the attacker permission to transfer their NFTs to another wallet. As a result, the hackers were able to exfiltrate over 250 NFTs in a matter of hours.
OpenSea uses off-chain signatures to execute gasless transactions on behalf of users: a user does not need to be online for her NFT orders to be filled, because a signed order can be submitted and executed by the counterparty automatically. The hackers are believed to have tricked victims into signing orders for Wyvern, the NFT exchange protocol used by OpenSea.
In a thread of tweets, an anonymous Solidity developer known as foobar explained the incident as one in which victims were persuaded to sign malicious orders that allowed the attacker to move NFTs out to hacker-controlled “target addresses.” To obtain those signatures, the hackers are believed to have masqueraded as OpenSea via email or other forms of communication.
This incident highlights the need to be careful when signing smart contract transactions. It also serves as a reminder of the importance of educating users about the risks found around every corner of Web3 and the threats within the evolving landscape. To reduce the risk of falling victim to such attacks, there are a few steps active Web3 users can take to protect themselves.
As a first step in securing your NFTs and other crypto assets, it’s important to know how to revoke the permissions (token approvals) associated with your crypto wallet. Phishing attacks like the OpenSea hack are a big concern, because a single malicious signature can lead to the loss of every NFT stored in your wallet. If you trade on OpenSea and have allowed off-chain signing against the Wyvern Exchange V1 contracts, revoking the approval that lets those contracts move your tokens is one way to mitigate the risk of hackers exfiltrating them with an old signed order.
Users can revoke wallet permissions by visiting Etherscan’s Token Approvals page, connecting their wallet, and reviewing the token approvals granted to each application the wallet has interacted with.
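What a token-approval checker does under the hood, as an added example that is not code from the article, OpenSea or Etherscan: it replays the ERC-721 `ApprovalForAll` events for an owner and keeps the latest flag per collection and operator, because each `setApprovalForAll` call overwrites the previous one. The block below does that over a constructed set of logs (all addresses are placeholders) and then builds the calldata for the revoking `setApprovalForAll(operator, false)` call. The topic hash and the function selector are the standard ERC-721 ones; nothing here touches the network.

```javascript
// Added example (not from the article or OpenSea): reconstruct which operators an
// NFT owner has approved from ERC-721 ApprovalForAll logs, then build the
// calldata that revokes one of them. Offline; the logs below are constructed.

// keccak256("ApprovalForAll(address,address,bool)"): the topic0 an approval
// checker filters on.
const APPROVAL_FOR_ALL_TOPIC =
  "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31";
// 4-byte selector of setApprovalForAll(address,bool).
const SET_APPROVAL_FOR_ALL_SELECTOR = "0xa22cb465";

// Last 20 bytes of a 32-byte indexed topic, as a lowercase 0x address.
function topicToAddress(topic) {
  return "0x" + topic.slice(-40).toLowerCase();
}

// Replay logs in block/logIndex order; the latest event per (collection, operator)
// wins, because setApprovalForAll overwrites the previous flag.
function approvedOperators(logs, owner) {
  const state = new Map(); // "collection|operator" -> approved boolean
  const sorted = [...logs].sort(
    (a, b) => a.blockNumber - b.blockNumber || a.logIndex - b.logIndex
  );
  for (const log of sorted) {
    if (log.topics[0] !== APPROVAL_FOR_ALL_TOPIC) continue;
    if (topicToAddress(log.topics[1]) !== owner.toLowerCase()) continue;
    const operator = topicToAddress(log.topics[2]);
    // The non-indexed bool is ABI-encoded as one 32-byte word in `data`.
    const approved = BigInt(log.data) === 1n;
    state.set(`${log.address.toLowerCase()}|${operator}`, approved);
  }
  const result = [];
  for (const [key, approved] of state) {
    if (!approved) continue;
    const [collection, operator] = key.split("|");
    result.push({ collection, operator });
  }
  return result;
}

// ABI-encode setApprovalForAll(operator, false): selector, then the address and
// the bool each left-padded to 32 bytes. Send this to the collection contract.
function revokeCalldata(operator) {
  const addrWord = operator.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  const boolWord = "0".padStart(64, "0");
  return SET_APPROVAL_FOR_ALL_SELECTOR + addrWord + boolWord;
}

// Constructed sample (placeholder addresses): the owner approved an exchange
// proxy on two collections, later revoked it on one, and also approved an
// operator they do not recognise.
const OWNER = "0x1111111111111111111111111111111111111111";
const BAYC = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
const AZUKI = "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb";
const PROXY = "0x2222222222222222222222222222222222222222";
const UNKNOWN = "0x3333333333333333333333333333333333333333";
const pad = (addr) => "0x" + addr.slice(2).padStart(64, "0");
const word = (n) => "0x" + n.toString(16).padStart(64, "0");

const SAMPLE_LOGS = [
  { address: BAYC, blockNumber: 100, logIndex: 3, topics: [APPROVAL_FOR_ALL_TOPIC, pad(OWNER), pad(PROXY)], data: word(1) },
  { address: AZUKI, blockNumber: 120, logIndex: 0, topics: [APPROVAL_FOR_ALL_TOPIC, pad(OWNER), pad(PROXY)], data: word(1) },
  { address: AZUKI, blockNumber: 150, logIndex: 7, topics: [APPROVAL_FOR_ALL_TOPIC, pad(OWNER), pad(UNKNOWN)], data: word(1) },
  { address: BAYC, blockNumber: 160, logIndex: 1, topics: [APPROVAL_FOR_ALL_TOPIC, pad(OWNER), pad(PROXY)], data: word(0) },
];

const live = approvedOperators(SAMPLE_LOGS, OWNER);
console.log("still approved:", live);
for (const { collection, operator } of live) {
  console.log(`revoke tx to ${collection}: ${revokeCalldata(operator)}`);
}
```

The order of replay matters: processing the BAYC logs out of order would report the proxy as still approved there. Note also that revoking an approval only stops future transfers by that operator; a signed order that has already been filled cannot be undone.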
Avoid blind signing
Following the OpenSea hack, Nadav Hollander, the company’s chief technology officer, said in a thread of tweets that a valid signature from each victim was exploited against the Wyvern V1 contract (before OpenSea migrated to Wyvern V2.3). The user “somewhere, at some point, signed the order,” he said. This suggests that the victims may have inadvertently signed a malicious order.
In the past, crypto phishing attacks have tricked users into entering a wallet seed phrase, giving hackers full access to the wallet and its funds. In some cases, hackers obtain permission to spend funds by luring users with fake airdrops. The most recent OpenSea incident was different because the hackers targeted multiple collectors at once. In addition to guarding seed phrases, it shows that users should be careful when signing off-chain messages and interacting with suspicious contracts.
Once a signature has been given, a third party can use it to move the assets on your behalf, even if those assets are held in a hardware wallet: the hardware wallet protects the private key, not the meaning of what the key signs. Users should therefore exercise caution when signing gasless orders in OpenSea and other applications. Some blockchain experts recommend never approving blind signatures at all.
A blind signature request shows only a hex string, similar in appearance to an Ethereum address, and gives no further details about what is being signed. An EIP-712 signature request, by contrast, is clearer because it displays the complete structured data of the order at the time the signature is requested. Per Hollander, the EIP-712 format that comes with the recently migrated OpenSea contracts “makes it much more difficult for a malicious person to trick someone into signing an order unknowingly.”
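The difference between a blind signature and an EIP-712 request, seen from the wallet’s side, as an added example that is not code from the article, OpenSea, or any wallet vendor. A dapp asks a wallet to sign through JSON-RPC: `eth_sign` and `personal_sign` hand the wallet a hex payload, while `eth_signTypedData_v4` hands it the full EIP-712 domain and message. The block below triages such requests: it blocks the opaque ones, decodes the typed ones so the fields can be shown, and applies a few heuristic checks an exchange-aware wallet could run first. The `Order` struct is a simplified stand-in, not Wyvern’s real schema, `EXPECTED_EXCHANGE` is an assumed address, and all sample requests are constructed.

```javascript
// Added example (not from the article, OpenSea or any wallet): wallet-side
// triage of incoming signing requests. eth_sign, and personal_sign over a bare
// 32-byte hash, are blind signatures: the user sees an opaque hex string and
// nothing else. eth_signTypedData_v4 (EIP-712) carries the domain and the full
// typed message, so the wallet can display the fields and sanity-check them.
// The Order struct is a simplified stand-in, not Wyvern's schema; the exchange
// address is assumed.

const EXPECTED_EXCHANGE = "0x4444444444444444444444444444444444444444"; // assumed
const ZERO_ADDRESS = "0x0000000000000000000000000000000000000000";

// A 0x-prefixed string of exactly 32 bytes is almost certainly a hash, not text.
function isBareHash(payload) {
  return typeof payload === "string" && /^0x[0-9a-fA-F]{64}$/.test(payload);
}

// Heuristic checks on a typed-data order. Each hit is a reason to warn; the
// wallet still shows the decoded fields so the user can decide.
function checkTypedOrder(domain, message) {
  const reasons = [];
  if ((domain.verifyingContract || "").toLowerCase() !== EXPECTED_EXCHANGE) {
    reasons.push(`verifyingContract ${domain.verifyingContract} is not the expected exchange`);
  }
  if (message.taker && message.taker.toLowerCase() !== ZERO_ADDRESS) {
    reasons.push(`order can only be filled by ${message.taker}; make sure you know who that is`);
  }
  if (BigInt(message.basePrice ?? "0") === 0n) {
    reasons.push("basePrice is zero: this gives the asset away");
  }
  return reasons;
}

// Returns { verdict: "block" | "warn" | "ok", reasons, display }.
function triageSignRequest(request) {
  const { method, params } = request;
  if (method === "eth_sign") {
    return { verdict: "block", reasons: ["eth_sign signs an arbitrary hash; nothing to review"], display: {} };
  }
  if (method === "personal_sign") {
    const payload = params[0]; // hex-encoded message; params[1] is the signer
    if (isBareHash(payload)) {
      return { verdict: "block", reasons: ["personal_sign over a raw 32-byte hash is blind signing"], display: {} };
    }
    const text = Buffer.from(payload.slice(2), "hex").toString("utf8");
    return { verdict: "ok", reasons: [], display: { message: text } };
  }
  if (method === "eth_signTypedData_v4") {
    const typed = typeof params[1] === "string" ? JSON.parse(params[1]) : params[1];
    const reasons = checkTypedOrder(typed.domain, typed.message);
    return {
      verdict: reasons.length ? "warn" : "ok",
      reasons,
      display: { contract: typed.domain.verifyingContract, chainId: typed.domain.chainId, primaryType: typed.primaryType, ...typed.message },
    };
  }
  return { verdict: "block", reasons: [`unsupported signing method ${method}`], display: {} };
}

// Constructed sample requests in the JSON-RPC shape a dapp sends to a wallet.
const SIGNER = "0x1111111111111111111111111111111111111111";
const typedOrder = (verifyingContract, taker, basePrice) => ({
  method: "eth_signTypedData_v4",
  params: [SIGNER, JSON.stringify({
    types: {
      EIP712Domain: [{ name: "name", type: "string" }, { name: "chainId", type: "uint256" }, { name: "verifyingContract", type: "address" }],
      Order: [{ name: "maker", type: "address" }, { name: "taker", type: "address" }, { name: "tokenId", type: "uint256" }, { name: "basePrice", type: "uint256" }],
    },
    primaryType: "Order",
    domain: { name: "Example Exchange", chainId: 1, verifyingContract },
    message: { maker: SIGNER, taker, tokenId: "8888", basePrice },
  })],
});

const SAMPLE_REQUESTS = {
  blindEthSign: { method: "eth_sign", params: [SIGNER, "0x" + "ab".repeat(32)] },
  blindPersonalSign: { method: "personal_sign", params: ["0x" + "cd".repeat(32), SIGNER] },
  textPersonalSign: { method: "personal_sign", params: ["0x" + Buffer.from("Welcome to Example Exchange").toString("hex"), SIGNER] },
  // Unknown contract, a named counterparty and a zero price: every check fires.
  phishedOrder: typedOrder("0x5555555555555555555555555555555555555555", "0x3333333333333333333333333333333333333333", "0"),
  normalOrder: typedOrder(EXPECTED_EXCHANGE, ZERO_ADDRESS, "80000000000000000000"),
};

for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) {
  const { verdict, reasons } = triageSignRequest(req);
  console.log(`${name}: ${verdict}${reasons.length ? " (" + reasons.join("; ") + ")" : ""}`);
}
```

The point of the typed-data path is that the wallet has something to check: with `eth_sign` the hash could commit to a zero-price order to an attacker’s address and the wallet cannot tell. The heuristics are deliberately conservative; a legitimate 32-byte `personal_sign` message is blocked too, which is the safer failure.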
Beware of Mixing Web3 and Email
Multiple reports of phishing email campaigns have surfaced in connection with the OpenSea incident. The hackers are believed to have sent emails masquerading as OpenSea that prompted users to approve migrating their NFT listings to the new Wyvern contract. After clicking through, users apparently signed an order that gave the hackers permission to empty their wallets.
Thanks to email spoofing, hackers can send emails that appear to come from arbitrary domains. Users should be wary of any email requesting a transaction from MetaMask or any other Web3 wallet, even if it appears to come from an official source. One of the best operational security tips is never to interact with Web3 applications through links received by email or social media. In fact, we advise against clicking crypto-related links at all unless they come from official sources.
In addition to being careful when signing transactions and avoiding phishing attacks, there are other steps crypto users can take to stay protected. For example, we recommend moving high-value assets such as NFTs to a cold storage wallet that never interacts with applications. You can read more about how to protect NFTs from hackers in our beginner’s guide.