On Saturday (02/19), a phishing attack stole hundreds of NFTs from OpenSea users by using fake web pages to trick potential victims.
A spreadsheet compiled by blockchain security service PeckShield counts 254 tokens stolen during the attack, including tokens from Decentraland and Bored Ape Yacht Club.
It turned out that the attacks took place between 5 p.m. and 8 p.m., targeting a total of 32 users. Molly White, who runs the blog Web3 is Going Great, estimated the value of the stolen tokens at more than $1.7 million.
According to The Verge, the attack appears to have exploited a flexibility in the Wyvern Protocol, the open-source standard underlying most NFT smart contracts, including those built on OpenSea.
On Twitter, David Finzer, CEO of OpenSea, disputed the widely circulated report that the hack had caused a loss of US$200 million.
According to Finzer, the attacker had US$1.7 million worth of Ethereum in his wallet from selling some of the stolen NFTs.
"We suspect the attack was not linked to the OpenSea site. It appears that 32 users have so far signed malicious payloads from attackers, and some of their NFTs were stolen," said Finzer.
Finzer also described the attack as having two parts. First, the target signed a partial contract, with a general authorization and most of the remaining fields left blank.
With the signature in place, the attacker completed the contract with a call to their own contract, which transferred ownership of the NFT without payment.
In essence, the targets of the attack signed a blank check, and once it was signed, the attacker filled in the rest of the check to take ownership of their NFTs.
An OpenSea NFT user named Neso also said that he had checked the transactions, which indicates that the phishing attackers held valid signatures from the people who lost their NFTs.
"I check every transaction; they all have valid signatures of the people who lost the NFT so anyone who claims that they are not phishing," said Neso.
This is a new problem for OpenSea, which has just raised 13 billion USD and has become one of the most valuable companies of the NFT boom.
The incident could reduce OpenSea users' trust in the platform's security.