OpenSea Phishing Attack: Difference between revisions

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

OpenSea Homepage/Logo

Several OpenSea users reported that NFTs had disappeared from their accounts. A total of 254 different NFTs were taken from 17 separate accounts, including valuable Decentraland and Bored Ape Yacht Club NFTs. OpenSea posted an official tweet to community that they are investigating the situation and believe that it's a phishing attack. It is unclear if any of the funds have been recovered.

^{[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18]}

About OpenSea

"The world’s first and largest digital marketplace for crypto collectibles and non-fungible tokens (NFTs). Buy, sell, and discover exclusive digital items." "Discover, collect, and sell extraordinary NFTs. OpenSea is the world's first and largest NFT marketplace."

"As the first and largest marketplace for Non-Fungible Tokens and Semi-Fungible Tokens, OpenSea provides a first-in-class developer platform consisting of an API, SDK, and developer tutorials. Feel free to browse around and get acclimated with developing smart contracts and interacting with NFT data."

"Fascinated by the [CryptoKitties] movement that was forming, Devin Finzer and Alex Atallah joined early adopter communities in Discord and started talking to users. With the OpenSea beta launch in December 2017, the first open marketplace for any non-fungible token on the Ethereum blockchain was born."

"Valued at $13 billion in a recent funding round, OpenSea has become one of the most valuable companies of the NFT boom, providing a simple interface for users to list, browse, and bid on tokens without interacting directly with the blockchain."

Homepage:^[19]

About:^[20]

Documentation:^[21]

Frequently Asked Questions:^[22]

YouTube Promotion:^[23]

Explanation of NFTs:^[24]

The Reality

While self-custody is incredibly powerful, great power requires great responsibility. Users need to educate themselves on how to properly secure their funds. The cleverness of phishing attackers is not to be underestimated.

What Happened

On February 19th, 2022, a handful of OpenSea users reported that valuable NFTs had been stolen from them. Many others feared that the same fate could happen to them - and it could, if they fell for the same phishing attack. This was one of the most successful phishing attacks against OpenSea users with 254 NFTs taken from 17 different users, including valuable Decentraland and Bored Ape Yacht Club NFTs. The bulk of the attacks took place between 5PM and 8PM Eastern Time.

Technical Details

The Wyvern smart contract which governs OpenSea swaps is highly flexible, and can be used for more complex order types than just transferring a single NFT. The attacker created a malicious smart contract, which authorized the attacker to have access to all the NFTs in any wallet which approved the contract. Through a phishing campaign, they then tricked 17 users into authorizing that smart contract. This allowed them to acquire 254 different NFTs, many of which were liquidated.

Creation of Smart Contract

"The Zhifan security team analyzed and found that [a] hacker address 0x3E0…8A74 created a smart contract 0xa2…45bD at 9:31:12 (UTC) on January 22, one month ago."

"The attack appears to have exploited a flexibility in the Wyvern Protocol, the open-source standard underlying most NFT smart contracts, including those made on OpenSea. One explanation (linked by CEO Devin Finzer on Twitter) described the attack in two parts: first, targets signed a partial contract, with a general authorization and large portions left blank. With the signature in place, attackers completed the contract with a call to their own contract, which transferred ownership of the NFTs without payment. In essence, targets of the attack had signed a blank check — and once it was signed, attackers filled in the rest of the check to take their holdings."

Phishing Campaign Launched

"[M]any details of the attack remain unclear — particularly the method attackers used to get targets to sign the half-empty contract. Writing on Twitter shortly before 3AM ET, OpenSea CEO Devin Finzer said the attacks had not originated from OpenSea’s website, its various listing systems, or any emails from the company. The rapid pace of the attack — hundreds of transactions in a matter of hours — suggests some common vector of attack, but so far no link has been discovered."

The "attacker had successfully phished 17 OpenSea users into signing a malicious contract, which allowed the attacker to take the NFTs and then flip them."

Twitter user @NadavAHollander explains the exploit further:

"None of the malicious orders were executed against the new (Wyvern 2.3) contract, indicating that they were signed before the migration and are unlikely to be related to OpenSea’s migration flow."

Unclear: ^[37]

Neso Technical Analysis

Twitter user Nesotual was one of the first to publish a technical analysis of the exploit^[29]. Their explanation was shared by OpenSea co-founder Devin Finzer in his initial tweet^[32].

Seen confusion about the OS thing so.

Attacker had people sign half of a valid wyvern order, the order was basically empty except the target (attacker contract) and calldata, attacker signs other half of order.

Attacker calls their own contract with calldata including the valid order AND address + transfer calldata for all the NFTs the target has approved on the wyvern (opensea) contract.

The nft address + transfer calldata is saved then the signed order is sent to the wyvern contract atomicmatch, it checks the orders is valid (it is) and signatures are correct for the maker and taker (they are)

Now wyvern is past order validation, it calls the proxy contract your OS approvals are on, then that delegatecalls the target contract (attacker) with the calldata in the order (the target and calldata in most orders is the NFT you're buying/selling and the transferFrom call)

in this case it goes back to a different function in the attacker contract that then loops the previously saved transfer calldata + token addresses in the context of the proxy contract that has the user approvals.

All nfts gone GG. I checked every tx, they all have valid signatures from the people who lost NFTs so anyone claiming they didn't get phished but lost NFTs is sadly wrong.

The wyvern contracts are extremely flexible, opensea validates orders on their frontend/api to ensure what you're signing will function as expected, but the same contracts can still be used by others with more complex orders like this that if you sign can take everything approved

Nadav Hollander Technical Analysis

Nadav Hollander published a technical analysis of the phishing attack^[34].

1) Sharing a technical run-down of the phishing attacks targeting @OpenSea users, including some web3 technical education.

2) After reviewing the malicious orders, the following data points stand out:

- All of the malicious orders contain valid signatures from the affected users, indicating that they did sign an order somewhere, at some point in time. However, none of these orders were broadcasted to OpenSea at the time of signing.

- None of the malicious orders were executed against the new (Wyvern 2.3) contract, indicating that they were signed before the migration and are unlikely to be related to OpenSea’s migration flow.

- 32 users had NFTs stolen over a relatively short time period. This is extremely unfortunate, but suggests a targeted attack as opposed to a systemic issue.

3) This information, coupled with our discussions with impacted users and investigation by security experts, suggests a phishing operation that was executed ahead of the deprecation of the 2.2 contract given the impending invalidation of these collected malicious orders.

4) Prior to the current phishing scam, part of why we elected to implement EIP-712 on the new contract is that EIP-712’s typed data feature makes it much more difficult for bad actors to trick someone into signing an order without realizing it.

5) For example, if you are signing a message to join a whitelist, a raffle, or a token-gated discord group and you're presented with a typed data payload referencing Wyvern (the protocol used by OpenSea), it's much more likely to alert you to something unusual going on.

6) Education on not sharing seed phrases or submitting unknown transactions has become more widespread in our space. However, signing off-chain messages requires equal consideration.

7) We as a community must move to standardizing off-chain signatures using EIP-712 typed data or other agreed-upon standards like EIP-4361 (the "Sign in with Ethereum" method).

8) On this point, you'll notice that all new orders signed on OpenSea (including migrated orders) use the new EIP-712 format — a change of any kind is understandably scary, but this change actually makes signing much safer as you can better see what you're signing.

9) Big shoutout to @nesotual, @dguido, @quantstamp, and many others for providing detailed information on the nature of the attack to the community.

10) Additionally, even though it appears the attack was made from outside OpenSea, we are actively helping affected users and discussing ways to provide them additional assistance.

Total Amount Lost

There were reported losses of 254 NFTs across 17 different user accounts, including highly valuable Decentraland and Bored Ape Yacht Club NFTs.

List of NFTs Taken

Loss Estimates

Web3isGoingGreat^[31] and Devin Finzer^[32] originally estimated the loss at $1.7m, however later revised the estimate to $2.9m^[30].

"Molly White, who runs the blog Web3 is Going Great, estimated the value of the stolen tokens at more than $1.7 million." "OpenSea initially said 32 users had been affected, but later revised that number to 17, saying 15 of the initial count had interacted with the attacker but not lost tokens as a result."

SlowMist estimated the loss amount at $3.4m^[39].

A list of stolen NFTs has been published on a Google Sheet^[40], however the list has subsequently been removed^[41].

The total amount lost has been estimated at $3,400,000 USD.

Immediate Reactions

"Panic erupted on February 19 as a few users saw their wallets emptied of valuable NFTs without knowing why, and many others feared the same could happen to them." "[A]ttackers stole hundreds of NFTs from OpenSea users, causing a late-night panic among the site’s broad user base. A spreadsheet compiled by the blockchain security service PeckShield counted 254 tokens stolen over the course of the attack, including tokens from Decentraland and Bored Ape Yacht Club, with the bulk of the attacks taking place between 5PM and 8PM ET."

"A number of users posted a warning on Twitter [on the] morning [of February 19th] that the new migration contract launched by OpenSea yesterday was suspected of having a bug, and the attacker used the bug to steal a large amount of NFT and sell more than 0 ~$3.4 million) NFTs, most of which have been deposited in TornadoCash." "Early explanations blamed a new contract that OpenSea had rolled out, or an airdrop from a new NFT marketplace called X2Y2. People urged NFT owners to revoke permissions for both the OpenSea contract and for X2Y2 until more was known, although one of the most popular websites helping people do so went down shortly after from the high traffic."

"An hour and a half after users began to report missing NFTs, OpenSea finally acknowledged the issue. They tweeted that they were "actively investigating rumors of an exploit associated with OpenSea related smart contracts", and wrote that they believed it was a phishing attack coming from outside of OpenSea, rather than an issue with their contract."

Devin Finzer Initial Tweet

In an initial tweet, Devin Finzer, co-founder of OpenSea, addressed some concerns. According to Finzer, the incident seems to be a phishing attack, not directly connected to the OpenSea website. Approximately 32 users fell victim to the attack, signing a malicious payload, resulting in the theft of some NFTs. The attack appears inactive for the past two hours, and some stolen NFTs have been returned. OpenSea is conducting an investigation and urges affected users to reach out for assistance. Finzer emphasized the importance of verifying interaction with the official OpenSea website and dispelled rumors of a $200 million hack, clarifying that the attacker holds $1.7 million worth of ETH from selling stolen NFTs^[32].

I know you’re all worried. We’re running an all hands on deck investigation, but I want to take a minute to share the facts as I see them:

As far as we can tell, this is a phishing attack. We don’t believe it’s connected to the OpenSea website. It appears 32 users thus far have signed a malicious payload from an attacker, and some of their NFTs were stolen.

The attack doesn’t appear to be active at this point — we haven’t seen any malicious activity from the attacker’s account in 2 hours. Some of the NFTs have been returned.

We are not aware of any recent phishing emails that have been sent to users, but at this time we do not know which website was tricking users into maliciously signing messages.

Always double check that you are interacting with https://opensea.io in your browser when you sign messages.

If you are an affected user, please DM @opensea_support so that we can thoroughly investigate — we’d love your help.

For more technical context, this thread is consistent with our current internal understanding.

If you are concerned and want to protect yourself, you can un-approve access to your NFT collection [via EtherScan's token approval checker].

Importantly, rumors that this was a $200 million hack are false. The attacker has $1.7 million of ETH in his wallet from selling some of the stolen NFTs.

Tweet From OpenSea

^[18]

Our leadership, engineering, and security teams are communicating with affected users to gather details. We continue to believe that this is a phishing attack that originated outside of http://opensea.io.

We’ve seen a lot of uncertainty from the community, so we want to be clear on three points:

1. This appears to be an isolated incident impacting a small number of people.

2. The attack does not appear to be email-based.

3. The migration tool is safe to use. For more information about this tool, read our help center article: https://support.opensea.io/hc/en-us/articles/4433163594643-Smart-Contract-Upgrade-How-to-Migrate-Your-Item-Listings

If you have specific information that could be useful, please DM @opensea_support.

"OpenSea was in the process of updating its contract system when the attack took place, but OpenSea has denied that the attack originated with the new contracts. The relatively small number of targets makes such a vulnerability unlikely, since any flaw in the broader platform would likely be exploited on a far greater scale."

“I checked every transaction,” said [one] user, who goes by Neso. “They all have valid signatures from the people who lost NFTs so anyone claiming they didn’t get phished but lost NFTs is sadly wrong.”

"OpenSea co-founder and CEO Devin Finzer confirmed the phishing attack in a tweet." "Afterwards, Devin Finzer confirmed that this was a “phishing attack”, but it has not been possible to verify where the “phishing” occurred. The only thing that can be confirmed after investigation is that the phishing attack did not come from the inside of the OpenSea website."

On official statement was released by OpenSea at the time.

"Our leadership, engineering, and security teams are communicating with affected users to gather details. We continue to believe that this is a phishing attack that originated outside of http://opensea.io."

Community Reactions

There were several reactions on Twitter^[38].

Are you guys doing anything to help make this right with customers like me that lost our NFTs???

Ultimate Outcome

Most of the unsold NFTs were returned to victims. In addition, one victim received an "inexplicabl[e]" payment of 50 ETH ($130,000) from the attacker.

1,115 ETH, worth an estimated $2.9m, were transferred from the attacker to a cryptocurrency tumbler.

The attacker's wallet address has been flagged on Etherscan^[42].

Total Amount Recovered

Most of the unsold NFTs were returned to victims, with some returns starting almost immediately^[32]. In addition, one victim received an "inexplicabl[e]" payment of 50 ETH ($130,000) from the attacker.

"Hackers return most of the unsold NFTs to victims." "Bizarrely, the hacker returned some of the NFTs to their original owners, and one victim inexplicably received 50 ETH ($130,000) from the attacker as well as some of his stolen NFTs back. The attacker later transferred 1,115 ETH obtained from the attack to a cryptocurrency tumbler, worth around $2.9 million."

The total amount recovered has been estimated at $1,700,000 USD.

Ongoing Developments

"[M]any details of the attack remain unclear — particularly the method attackers used to get targets to sign the half-empty contract. Writing on Twitter shortly before 3AM ET, OpenSea CEO Devin Finzer said the attacks had not originated from OpenSea’s website, its various listing systems, or any emails from the company. The rapid pace of the attack — hundreds of transactions in a matter of hours — suggests some common vector of attack, but so far no link has been discovered."

"We're reaching out to the folks who reported this to investigate. Please continue to be vigilant when prompted with a wallet signature."

Individual Prevention Policies

This situation appears to be related to targeted phishing attacks against OpenSea users. Users in the DeFi space need to exercise a high degree of caution in all communications to ensure that they are coming from the claimed sender. Users should ensure they are aware of which actions which could place their funds at risk. Signing of any smart contract from an unaudited source is not a good idea, particularly a partially formed smart contract. Storing most NFTs offline can prevent them from being lost in the event of a breach.

Set up separate email addresses for each service, and avoid providing your phone number whenever possible. Any received emails or phone calls must be viewed with scrutiny, especially if unsolicited. Interact with companies only through their official websites and confirm anything with the company directly via multiple official sources, especially if it promises a significant incentive to take an action or threatens access to your funds if an action is not taken. It would be recommended to also establish a network of multiple trusted individuals who use the same services and have a strong level of security knowledge.

Every approval on Web3 is an opportunity to lose all of the funds present in your wallet. Take the time to review the transaction in full. Fully check over the balance, permissions, and entire address which you are interacting with. Do not trust that your clipboard or any website front-end is guaranteed to provide an accurate address or transaction status. Always perform a test transaction prior to the first high-value transaction in any session.

Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

The primary defense against phishing is better education for users. Ensure that users have an understanding of the risks and strategies to protect themselves.

Never take for granted the limited knowledge of users of your service and their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.

In the event that a user falls for a phishing attack, an industry insurance fund could assist.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

The primary defense against phishing is better education for users. Ensure that users have an understanding of the risks and strategies to protect themselves.

Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.

In the event that a user falls for a phishing attack, an industry insurance fund could assist.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

Cite error: <ref> tag with name "slowmist-2069" defined in <references> is not used in prior text.