OpenSea serves as an example of why crypto security must improve

Published at: Feb. 3, 2023

In February 2022, OpenSea fell prey to a major phishing attack that resulted in over $1.7 million in nonfungible tokens (NFTs) being stolen from users. It wasn’t an isolated incident: blockchain users reportedly lost $3.9 billion to fraudulent activity in 2022 alone.

As we entered 2023, there was a chorus of promises to increase security within the crypto space. But, so far, things haven’t significantly changed. Companies that utilize blockchain still aren’t doing enough to prevent scams.

If blockchain technology is going to see mass adoption, companies will have to change their approach from the bottom up. By focusing on education and implementing better processes to identify malicious activity, these platforms can better serve their customers as the space continues to grow.

Blockchain platforms need to learn how to identify malicious activity

In the case of the OpenSea hack, victims were asked to sign an incomplete contract, seemingly at the platform’s request. While OpenSea’s core infrastructure was not hacked, the fake accounts were able to take advantage of the open-source Wyvern Protocol. The attackers were then able to reuse the owner’s signature with a fraudulent contract that transferred ownership of the NFTs to them without their having to pay for them.


OpenSea recently reversed some of its previous policies after it was reported that 80% of NFTs minted for free on the platform were plagiarized or spam. OpenSea also relies on trust in the developers that use its API, which is not a foolproof way to assess risk. These developers could use the API for malicious purposes to take advantage of users signing contracts they don’t read.

Smart contracts are an integral part of the blockchain engine and can be found everywhere, from NFT exchanges to full decentralized applications. Understanding how these contracts function is imperative to keeping users secure. Rather than reinventing the wheel, companies can implement standard protocols to ensure smart contracts are resilient and protected from malicious activity. From there, companies can take advantage of the blockchain’s flexible nature and customize their contracts, for example by requiring multisignature wallets and running regular unit tests.

Beware of the spammy airdrop

If you look for the popular Mutant Hounds collection featured on OpenSea’s top collections, there is no indication of which collection is legitimate. Without verification, counterfeit collections can be created and their prices artificially inflated to make them appear legitimate, confusing users. Fake collections are often distributed through airdrops and are intended to be found through an NFT platform’s search functionality.


Spammy collections can also send users NFTs they did not ask for via airdrops. Users will be redirected not through the platform where they hold a collection, such as OpenSea, but via a different site, where the scam occurs.

This is a commonplace risk that can be addressed by platforms monitoring such activity, either through a crowdsourced database that tracks fraudulent accounts or an administrative tool that knows what to look for and is kept up to date with new scams. In addition, NFT platforms can require bids to be in the same currency as the listing to avoid confusion. Many users have been scammed by accepting an offer in a less valuable currency than the one in which they listed the NFT for sale. Blockchain platforms can also rely on data to expose outliers, flagging collections where trading activity is concentrated among a small number of holders.
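The two platform-side checks described above, as an added example that is not part of the original article and not OpenSea’s own code: an offer validator that rejects bids not denominated in the listing’s currency, and a concentration check that flags collections where one or two wallets account for most trade participations. All wallet addresses, collection names and sample trades are constructed.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Listing:
    token_id: str
    currency: str  # currency the seller listed in, e.g. "ETH"
    price: float


@dataclass(frozen=True)
class Offer:
    token_id: str
    currency: str  # currency the bidder is offering, e.g. "USDC"
    amount: float
    bidder: str


def validate_offer(listing: Listing, offer: Offer) -> list[str]:
    """Return the reasons an offer should be rejected before the seller ever sees it.
    An empty list means the offer may be shown. A bid below the listed price is a
    normal negotiation and is not rejected here; only mismatches are."""
    problems = []
    if offer.token_id != listing.token_id:
        problems.append("offer is for a different token than the listing")
    if offer.currency != listing.currency:
        problems.append(f"offer currency {offer.currency} does not match listing currency {listing.currency}")
    return problems


def concentrated_collections(trades, top_k=2, max_share=0.5, min_trades=10):
    """Flag collections where the top_k wallets account for at least max_share of
    trade participations. Each trade counts its buyer and its seller once, so a
    pair of wallets trading back and forth scores a share of 1.0."""
    per_collection = defaultdict(Counter)
    for collection, buyer, seller in trades:
        per_collection[collection][buyer] += 1
        per_collection[collection][seller] += 1
    flagged = {}
    for collection, counts in per_collection.items():
        total = sum(counts.values())  # equals 2 * number of trades
        if total < 2 * min_trades:  # too little data to judge
            continue
        top = sum(n for _, n in counts.most_common(top_k))
        share = top / total
        if share >= max_share:
            flagged[collection] = round(share, 2)
    return flagged


# Constructed sample trades as (collection, buyer, seller): a copycat collection
# bounced between two wallets, and a genuine one traded across many wallets.
SAMPLE_TRADES = [("hounds-copy", "0xA", "0xB") if i % 2 == 0 else ("hounds-copy", "0xB", "0xA") for i in range(10)]
SAMPLE_TRADES += [("hounds", f"0x{i:02d}", f"0x{i + 1:02d}") for i in range(10)]
```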

Of course, it must be noted that companies like OpenSea are in the challenging position of having to police fraudulent accounts that mint on their platform. In many cases, it boils down to a need for more verification of the official collection.

Onboarding is an integral part of the business plan

Onboarding should be a core part of the blockchain experience for veteran and novice users alike. As with smart contracts, establishing clear user guidelines and highlighting potential risks should be considered one of the fundamental best practices for ensuring user safety. These guides should be regularly reviewed in light of risk assessments and adjusted accordingly as blockchain matures.

Among experienced blockchain users, the initialism “DYOR” is commonplace. An abbreviation of “do your own research,” the expression has become an unspoken rule for those interacting with potential investment opportunities. Yet it can be challenging for newcomers to know precisely where to start. There is a chorus of discordant information from influencers within the space who are often pushing the next big thing and driving risky investments, resulting in users falling victim to scams or losing assets. Guidelines and educational materials should be readily available, curated to each platform’s value system and unique risks.

Why best practices should be a priority for all blockchain platforms

As the blockchain community works through its growing pains, companies should take the hard lessons learned from major exploits like the ones on OpenSea and refine their security protocols to ensure the same thing doesn’t happen again. Learning the ins and outs of the basic technology, from smart contracts to how to protect one’s seed phrase, should be the starting point. From there, they should learn how to implement and maintain best practices, such as identifying malicious activity and those wreaking havoc. Perhaps all it would have taken to prevent some of the most recent large-scale hacks was simply for someone to notice that something seemed off.

Michael R. Pierce is the co-founder and CEO of NotCommon. He received both his BBA and MBA from The University of Texas at Austin.

This article is for general information purposes and is not intended to be and should not be taken as legal or investment advice. The views, thoughts and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.
