Last Saturday, Devin Finzer, co-founder and CEO of OpenSea—the “largest” non-fungible token (NFT) marketplace—tweeted to confirm of a phishing incident involving 254 stolen tokens. A hacker has tricked 32 victims into signing “a malicious payload” that authorised the transfer of their NFTs to the attacker for free.
“I know you’re all worried. We’re running an all hands on deck investigation,” said Finzer.
Blockchain security service PeckShield compiled the list of the 254 tokens stolen over the course of the attack, with an estimated value of more than USD 1.7 million (RM7.1 million). The tokens included tokens from Decentraland—a 3D virtual world where users can buy virtual plots of land in the platform as NFTs—and Bored Ape Yacht Club—which in one way or another resulted in this really creepy interview on Jimmy Fallon.
Finzer added that he doesn’t believe that the attack is “connected to the OpenSea website”. However, the attack occurred during OpenSea’s migration to its new Wyvern smart contract system—a “decentralized digital asset exchange protocol running on Ethereum”. The migration began on Friday and will only be completed by 25 February.
“The upgrade ensures that old, inactive listings expire, enables bulk cancellation with a single, low-cost transaction, and allows us to roll out new features like bulk cancellation and more descriptive signatures,” wrote Finzer.
Finzer also linked a Twitter thread explaining how the attack happened. The targets first signed a partial contract, with a general authorisation and large portions left blank. With their signatures, the attacker completed the contract on ther own, which allowed them to transfer ownership to the NFTs without payment. But this didn’t explain the method attackers used to get targets to sign the half-empty contract.
“We’re actively working with users whose items were stolen to narrow down a set of common websites that they interacted with that might have been responsible for the malicious signatures,” said Finzer.
Phishing incidents on the internet are sadly quite common, but it’s probably the first time I’m hearing about a major phishing incident involving something and new and lawless like NFTs. It’s always important to remember not to sign anything you don’t fully trust, or give any of your important information either.
[ SOURCE, IMAGE SOURCE ]
