Opensea phishing scandal reveals a security need across the NFT landscape

Published at: March 5, 2022

Despite the ongoing volatility plaguing the digital asset sector, one niche that has undoubtedly continued to flourish is the nonfungible token (NFT) market. This is made evident by the fact that a growing number of mainstream movers and shakers, including the likes of Coca-Cola, Adidas, the New York Stock Exchange (NYSE) and McDonald's, among many others, have made their way into the burgeoning Metaverse ecosystem in recent months.

Also, because global NFT sales topped out at $40 billion over the course of 2021 alone, many analysts expect this trend to continue into the future. For example, American investment bank Jefferies recently raised its market-cap forecast for the NFT sector to over $35 billion for 2022 and to over $80 billion for 2025 — a projection that was also echoed by JP Morgan.

However, as with any market growing at such an exponential rate, security issues have to be expected as well. In this regard, prominent NFT marketplace OpenSea recently fell victim to a phishing attack that took place just hours after the platform announced a planned week-long upgrade to delist all inactive NFTs.

Diving into the matter

On Feb. 18, OpenSea revealed that it was going to initiate a smart contract upgrade, requiring all of its users to transfer their listed NFTs on the Ethereum blockchain to a new smart contract. Because of the upgrade, users who failed to complete this migration risked losing their old and inactive listings.

That said, the short migration deadline set by OpenSea presented hackers with a potent window of opportunity. Within hours of the announcement, it was revealed that nefarious third parties had initiated a sophisticated phishing campaign, stealing NFTs that many users still held under the old contract before they could be migrated over to the new one.

We are actively investigating rumors of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea's website. Do not click links outside of https://t.co/3qvMZjxmDB.

— OpenSea (@opensea) February 20, 2022

Providing a technical breakdown of the matter, Neeraj Murarka, chief technical officer and cofounder of Bluezelle, a blockchain for the GameFi ecosystem, told Cointelegraph that at the time of the incident, OpenSea was making use of a protocol called Wyvern, a standard module that most NFT web apps rely on because it allows for the management, storage and transfer of these tokens within users' wallets.

Because the Wyvern smart contract allowed users to work with the NFTs stored in their “wallets,” the hacker was able to send out emails to OpenSea clients masquerading as a representative of the platform, encouraging them to sign “blind” transactions. Murarka further added:

“Metaphorically, this was like signing a blank check. Normally, this is okay if the payee is the intended recipient. Keep in mind that an email can be sent by anyone, but be made to appear to be sent by someone else. In this case, the payee appears to be a single hacker who was able to use these signed transactions to transfer out and effectively steal the NFTs from these users.”

Also, in an interesting twist, the hacker apparently returned some of the stolen NFTs to their rightful owners following the incident, with further efforts being made to return other lost assets. Providing his take on the entire matter, Alexander Klus, founder of Creaton, a Web3 content creation platform, told Cointelegraph that the phishing email campaign used a malicious signing transaction that approved all of a user's holdings so they could be drained at any time. “We need better signing standards (EIP-712) so people can actually see what they are doing when approving a transaction.”

Lastly, Lior Yaffe, cofounder and director of Jelurida, a blockchain software company, pointed out that the episode was a direct result of the confusion surrounding OpenSea’s poorly planned smart contract upgrade, as well as the platform’s transaction approval architecture.

NFT marketplaces need to step up their security game

In Murarka’s view, web apps making use of the Wyvern smart contract system should be augmented with usability improvements to ensure that users don’t fall for such phishing attacks time and time again, adding:

“Very clear warnings should be made to educate the user about phishing attacks and to drive home the fact that emails will never be sent soliciting the user to take any steps. Web apps like OpenSea should adopt a strict protocol to never communicate with users via email apart from maybe just registration data.”

That said, he did concede that even if OpenSea were to adopt the safest security/privacy protocols and standards, it is still up to its users to educate themselves about these risks. “Unfortunately, the web app itself is often held responsible, even though it was the user that was phished. Who is responsible? The answer is unclear,” he noted.

A similar sentiment is shared by Jessie Chan, chief of staff at ParallelChain Lab, a decentralized blockchain ecosystem, who told Cointelegraph that regardless of how the entire attack was orchestrated, the issue is not entirely dependent on OpenSea’s existing security protocols but also on user awareness of phishing. The question remains whether the marketplace operator should have been able to provide sufficient information to its users to keep them informed of how to deal with such scenarios.

Another possibility for mitigating potential phishing events is to have all interactions between users and their web apps driven solely through a dedicated mobile/desktop interface. “If all interactions required the use of a desktop app, such attacks could be bypassed completely.”

Providing his take on the subject, Yaffe noted that the problem at the heart of this whole issue is the basic architecture of most NFT marketplaces, which lets users simply sign a carte blanche approval for a third-party contract to use their private wallet without setting a spending limit:

“Since the OpenSea team did not really figure out the source of the phishing operation, it might as well happen again next time they attempt to make a change to their architecture.”

What can be done?

Murarka noted that the best way to eliminate the possibility of these attacks is for people to start making use of hardware wallets. This is because most software wallets, as well as other custodial storage solutions, are too vulnerable in their general design and operational outlook. He further elaborated: “Much like Bitcoin, Ethereum, etc., NFTs themselves should be moved to hardware wallet accounts instead of leaving them on a centralized platform,” adding:

“Users need to be super aware of the risks of responding to and acting upon emails they receive. Emails can be faked very easily, and users need to be proactive about the safety of their crypto assets.”

Another thing NFT owners need to remember is that they should only visit web apps that employ high-quality security protocols: checking, at the very least, that the marketplace is served over HTTPS, and that the lock symbol at the top left of the browser window (in the address bar) is visible and identifies the intended company, on every page they visit.

Yaffe believes that users should be careful with contract approvals and keep an accurate track of the contracts they have greenlighted in the past. “Users should revoke unnecessary or unsafe approvals. If possible users should specify a reasonable spending limit for every contract approval,” he concludes.
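Yaffe's two recommendations above, and his earlier point about carte blanche contract approvals, can be turned into a routine audit. The following is an added example, not OpenSea or Wyvern code: it replays ERC-721 `ApprovalForAll` event logs to work out which operators currently hold a blanket approval over a wallet's collections and produces the `setApprovalForAll(operator, false)` calldata needed to revoke any that are not on the user's own allow-list. The addresses and log entries are constructed sample data in the shape returned by `eth_getLogs`; the event topic and function selector are the standard ERC-721 values.

```python
# keccak256("ApprovalForAll(address,address,bool)") -- standard ERC-721 event topic
APPROVAL_FOR_ALL_TOPIC = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"
# first 4 bytes of keccak256("setApprovalForAll(address,bool)")
SET_APPROVAL_FOR_ALL_SELECTOR = "a22cb465"

OWNER = "0x" + "11" * 20          # constructed: the wallet being audited
COLLECTION = "0x" + "aa" * 20     # constructed: an ERC-721 collection contract
OLD_MARKET = "0x" + "22" * 20     # constructed: an operator the owner approved, then revoked
UNKNOWN_OP = "0x" + "33" * 20     # constructed: an operator the owner does not recognise

def _topic(addr):
    """Indexed address arguments are left-padded to 32 bytes in log topics."""
    return "0x" + addr[2:].lower().rjust(64, "0")

def _log(block, index, owner, operator, approved):
    """Constructed log entry in eth_getLogs shape (hex-encoded numbers)."""
    return {"address": COLLECTION, "blockNumber": hex(block), "logIndex": hex(index),
            "topics": [APPROVAL_FOR_ALL_TOPIC, _topic(owner), _topic(operator)],
            "data": "0x" + ("1" if approved else "0").rjust(64, "0")}

# Deliberately out of order, and including one log that belongs to a different owner.
SAMPLE_LOGS = [
    _log(0x30, 0, OWNER, OLD_MARKET, False),   # owner revoked OLD_MARKET later on
    _log(0x10, 2, OWNER, OLD_MARKET, True),
    _log(0x20, 5, OWNER, UNKNOWN_OP, True),    # blanket approval that is still live
    _log(0x20, 6, "0x" + "44" * 20, UNKNOWN_OP, True),
]

def topic_to_address(topic):
    return "0x" + topic[-40:].lower()

def live_approvals(logs, owner):
    """Replay in chain order; the latest value per (collection, operator) is the on-chain state."""
    state = {}
    for log in sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16))):
        if log["topics"][0] != APPROVAL_FOR_ALL_TOPIC or topic_to_address(log["topics"][1]) != owner.lower():
            continue
        key = (log["address"].lower(), topic_to_address(log["topics"][2]))
        state[key] = int(log["data"], 16) == 1
    return {k for k, v in state.items() if v}

def revoke_calldata(operator):
    """ABI-encode setApprovalForAll(operator, false): selector + padded address + bool false."""
    return "0x" + SET_APPROVAL_FOR_ALL_SELECTOR + operator[2:].lower().rjust(64, "0") + "0" * 64

def plan_revocations(logs, owner, trusted_operators):
    """(collection, operator, calldata) for every live approval the user has not explicitly trusted."""
    trusted = {t.lower() for t in trusted_operators}
    return [(c, op, revoke_calldata(op)) for c, op in sorted(live_approvals(logs, owner))
            if op not in trusted]
```

Each returned calldata is sent by the owner to the collection address itself, so it can be reviewed on a hardware wallet screen before signing, unlike the blind signature the phishing emails asked for.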


Lastly, Chan believes that in an ideal scenario, users should keep their wallets on a dedicated device that they don’t use to read email or browse the web, since any such avenues are subject to all manner of third-party attacks. He further stated:

“This is inconvenient, but when dealing with assets of great value and where there is no recourse in the event of theft, extreme care is justified. And, as with all financial transactions, they should be very careful in deciding who to deal with, since the counterparties can also steal your assets and disappear.”

Therefore, while moving into a future driven by NFTs and other similar novel digital offerings, it remains to be seen how platforms operating within this space continue to evolve and mature, especially as a growing amount of capital keeps making its way into the NFT market.
