Last Saturday, Devin Finzer, co-founder and CEO of OpenSea—the “largest” non-fungible token (NFT) marketplace—tweeted to confirm of a phishing incident involving 254 stolen tokens. A hacker has tricked 32 victims into signing “a malicious payload” that authorised the transfer of their NFTs to the attacker for free.
“I know you’re all worried. We’re running an all hands on deck investigation,” said Finzer.
Blockchain security service PeckShield compiled the list of the 254 tokens stolen over the course of the attack, with an estimated value of more than USD 1.7 million (RM7.1 million). The tokens included tokens from Decentraland—a 3D virtual world where users can buy virtual plots of land in the platform as NFTs—and Bored Ape Yacht Club—which in one way or another resulted in this really creepy interview on Jimmy Fallon.
Finzer added that he doesn’t believe that the attack is “connected to the OpenSea website”. However, the attack occurred during OpenSea’s migration to its new Wyvern smart contract system—a “decentralized digital asset exchange protocol running on Ethereum”. The migration began on Friday and will only be completed by 25 February.
“The upgrade ensures that old, inactive listings expire, enables bulk cancellation with a single, low-cost transaction, and allows us to roll out new features like bulk cancellation and more descriptive signatures,” wrote Finzer.
Finzer also linked a Twitter thread explaining how the attack happened. The targets first signed a partial contract, with a general authorisation and large portions left blank. With their signatures, the attacker completed the contract on ther own, which allowed them to transfer ownership to the NFTs without payment. But this didn’t explain the method attackers used to get targets to sign the half-empty contract.
“We’re actively working with users whose items were stolen to narrow down a set of common websites that they interacted with that might have been responsible for the malicious signatures,” said Finzer.
Phishing incidents on the internet are sadly quite common, but it’s probably the first time I’m hearing about a major phishing incident involving something and new and lawless like NFTs. It’s always important to remember not to sign anything you don’t fully trust, or give any of your important information either.
[ SOURCE, IMAGE SOURCE ]
GXBank recently marked its second anniversary with more than one million Malaysians onboard, cementing its…
Realme has just launched a new budget-oriented mid-range smartphone in Malaysia, the Realme C85 5G.…
This post is brought to you by sooka. sooka pulled a lively crowd to Pavilion…
Infinix has just announced its strategic partnership with Pininfarina for its upcoming flagship smartphones, revealed…
During Proton's Tech Showcase, the national carmaker has also highlighted its digital and connected automotive…
Digital Nasional Berhad (DNB), Malaysia's first 5G network, will soon transform into a fully private…
This website uses cookies.