IDR 24.4 Billion NFT Changes Hands, After Hackers Attack OpenSea Users

OpenSea CEO Devin Finzer said the attack did not originate on the OpenSea website. (photo; instagram @ dfinzer)

JAKARTA - Saturday, February 19, a hacker attack or hackers have stolen hundreds of NFTs from users in the OpenSea application. This attack, caused late-night panic among the site's vast user base.

A spreadsheet compiled by blockchain security service PeckShield counts 254 tokens stolen during the attack, including tokens from Decentraland and Bored Ape Yacht Club.

Most attacks occurred between 5 p.m. and 8 p.m. ET (eastern time), targeting a total of 32 users. Molly White, who runs the blog Web3 is Going Great, estimated the value of the stolen tokens at more than $1.7 million.

The attack appears to have exploited flexibility in the Wyvern Protocol, the open-source standard underlying most NFT smart contracts, including those built on OpenSea. One explanation (linked by CEO Devin Finzer on Twitter) describes the attack in two parts.

First, the target signed a partial contract, with general authorization and left most of it blank. With the signature in place, the attacker completes the contract with a call to their own contract, which transfers ownership of the NFT without payment.

In essence, the target of the attack has signed a blank check, and once signed, the attacker fills in the rest of the check to take possession of them.

"I check every transaction," said the user who is familiarly called Neso as quoted by The Verge. “They all have the valid signatures of the people who lost the NFT so anyone claiming that they weren't phished but lost the NFT is wrong.”

OpenSea, which is now valued at 13 billion US dollars (IDR 186.7 trillion) in its recent funding round, has become one of the most valuable companies of the NFT boom. They provide a simple interface for users to register, browse and bid tokens without interacting directly with the blockchain.

That success comes with significant security concerns, as OpenSea has struggled with attacks that leverage legacy contracts or toxic tokens to steal users' valuable ownership.

OpenSea was in the process of renewing its contract system when the attack occurred, but OpenSea denied that the attack stemmed from a new contract. The relatively small number of targets makes such a vulnerability unlikely, as any flaw in the broader platform is likely to be exploited on a much larger scale.

However, many details of the attack remain unclear, particularly the methods attackers use to get targets to sign half-empty contracts.

While the attacker stopped >4 hours ago, our investigation is ongoing. We’ll keep you updated as we learn more about the exact nature of the phishing attack. If you have specific information that could be useful, please DM @opensea_support.

— Devin Finzer (dfinzer.eth) (@dfinzer) February 20, 2022

In a tweet shortly before 3 a.m. ET, OpenSea CEO Devin Finzer said the attack did not originate from the OpenSea website, and its various listing systems, or any email from the company. The fast attack rate, hundreds of transactions in a matter of hours, suggests some common attack vectors, but so far no link has been found.

"We'll keep you updated as we learn more about the true nature of phishing attacks," Finzer said on Twitter. “If you have specific information that could be useful, please DM @opensea_support.”