OpenSea Phishing Attack

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

OpenSea

Multiple users on the OpenSea platform were the subject of a phishing attack, from an unknown vector. OpenSea is still investigating, and hasn't been able to determine the cause. It is reported that some of the NFT tokens were returned by the attacker, while others were sold, and the proceeds mixed through TornadoCash.

This is a global/international case not involving a specific country.

About OpenSea

"The world’s first and largest digital marketplace for crypto collectibles and non-fungible tokens (NFTs). Buy, sell, and discover exclusive digital items." "Discover, collect, and sell extraordinary NFTs. OpenSea is the world's first and largest NFT marketplace."

"As the first and largest marketplace for Non-Fungible Tokens and Semi-Fungible Tokens, OpenSea provides a first-in-class developer platform consisting of an API, SDK, and developer tutorials. Feel free to browse around and get acclimated with developing smart contracts and interacting with NFT data."

"Fascinated by the [CryptoKitties] movement that was forming, Devin Finzer and Alex Atallah joined early adopter communities in Discord and started talking to users. With the OpenSea beta launch in December 2017, the first open marketplace for any non-fungible token on the Ethereum blockchain was born."

"Valued at $13 billion in a recent funding round, OpenSea has become one of the most valuable companies of the NFT boom, providing a simple interface for users to list, browse, and bid on tokens without interacting directly with the blockchain."

"The Zhifan security team analyzed and found that [a] hacker address 0x3E0…8A74 created a smart contract 0xa2…45bD at 9:31:12 (UTC) on January 22, one month ago."

"Panic erupted on February 19 as a few users saw their wallets emptied of valuable NFTs without knowing why, and many others feared the same could happen to them." "[A]ttackers stole hundreds of NFTs from OpenSea users, causing a late-night panic among the site’s broad user base. A spreadsheet compiled by the blockchain security service PeckShield counted 254 tokens stolen over the course of the attack, including tokens from Decentraland and Bored Ape Yacht Club, with the bulk of the attacks taking place between 5PM and 8PM ET."

"A number of users posted a warning on Twitter this morning that the new migration contract launched by OpenSea yesterday was suspected of having a bug, and the attacker used the bug to steal a large amount of NFT and sell more than 0 ~$3.4 million) NFTs, most of which have been deposited in TornadoCash." "Early explanations blamed a new contract that OpenSea had rolled out, or an airdrop from a new NFT marketplace called X2Y2. People urged NFT owners to revoke permissions for both the OpenSea contract and for X2Y2 until more was known, although one of the most popular websites helping people do so went down shortly after from the high traffic."

"OpenSea was in the process of updating its contract system when the attack took place, but OpenSea has denied that the attack originated with the new contracts. The relatively small number of targets makes such a vulnerability unlikely, since any flaw in the broader platform would likely be exploited on a far greater scale."

"An hour and a half after users began to report missing NFTs, OpenSea finally acknowledged the issue. They tweeted that they were "actively investigating rumors of an exploit associated with OpenSea related smart contracts", and wrote that they believed it was a phishing attack coming from outside of OpenSea, rather than an issue with their contract."

"It was later determined that an attacker had successfully phished 17 OpenSea users into signing a malicious contract, which allowed the attacker to take the NFTs and then flip them."

"The attack appears to have exploited a flexibility in the Wyvern Protocol, the open-source standard underlying most NFT smart contracts, including those made on OpenSea. One explanation (linked by CEO Devin Finzer on Twitter) described the attack in two parts: first, targets signed a partial contract, with a general authorization and large portions left blank. With the signature in place, attackers completed the contract with a call to their own contract, which transferred ownership of the NFTs without payment. In essence, targets of the attack had signed a blank check — and once it was signed, attackers filled in the rest of the check to take their holdings."

“I checked every transaction,” said [one] user, who goes by Neso. “They all have valid signatures from the people who lost NFTs so anyone claiming they didn’t get phished but lost NFTs is sadly wrong.”

"Hackers return most of the unsold NFTs to victims." "Bizarrely, the hacker returned some of the NFTs to their original owners, and one victim inexplicably received 50 ETH ($130,000) from the attacker as well as some of his stolen NFTs back. The attacker later transferred 1,115 ETH obtained from the attack to a cryptocurrency tumbler, worth around $2.9 million."

"OpenSea co-founder and CEO Devin Finzer confirmed the phishing attack in a tweet." "Afterwards, Devin Finzer confirmed that this was a “phishing attack”, but it has not been possible to verify where the “phishing” occurred. The only thing that can be confirmed after investigation is that the phishing attack did not come from the inside of the OpenSea website."

"Molly White, who runs the blog Web3 is Going Great, estimated the value of the stolen tokens at more than $1.7 million." "OpenSea initially said 32 users had been affected, but later revised that number to 17, saying 15 of the initial count had interacted with the attacker but not lost tokens as a result."

"[M]any details of the attack remain unclear — particularly the method attackers used to get targets to sign the half-empty contract. Writing on Twitter shortly before 3AM ET, OpenSea CEO Devin Finzer said the attacks had not originated from OpenSea’s website, its various listing systems, or any emails from the company. The rapid pace of the attack — hundreds of transactions in a matter of hours — suggests some common vector of attack, but so far no link has been discovered."

"We're reaching out to the folks who reported this to investigate. Please continue to be vigilant when prompted with a wallet signature."

This is a global/international case not involving a specific country.

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

Known history of when and how the service was started.
What problems does the company or service claim to solve?
What marketing materials were used by the firm or business?
Audits performed, and excerpts that may have been included.
Business registration documents shown (fake or legitimate).
How were people recruited to participate?
Public warnings and announcements prior to the event.

Don't Include:

Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This sections is included if a case involved deception or information that was unknown at the time. Examples include:

When the service was actually started (if different than the "official story").
Who actually ran a service and their own personal history.
How the service was structured behind the scenes. (For example, there was no "trading bot".)
Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - OpenSea Phishing Attack
Date	Event	Description
February 19th, 2022 6:38:00 PM	Main Event	Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.

Total Amount Lost

The total amount lost has been estimated at $3,400,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?