Hello everyone,
I hope you all are having a nice day, welcome to CryptoGod-1's blog on all things Crypto. In this post I will be looking at the recent hack that took place on Opensea. As one of the biggest NFT Marketplaces, to see users having their NFTs stolen due to a hack has caused widespread alarm amongst the community. Here I will run through exactly what happened and how users can avoid something like this happening to them in the future.
What is Opensea
Opensea is a non-fungible token marketplace based on the Ethereum network. One of the most popular and well-known NFT markets, it is an American online marketplace headquartered in New York City. The company was founded by Devin Finzer and Alex Atallah in 2017. Users can buy, sell, and auction digital assets on a peer-to-peer basis. Ownership of these digital assets is recorded on a blockchain, which is essentially a digital ledger similar to the networks that underpin bitcoin and other cryptocurrencies.
What Happened in the Hack
Late on Saturday, the company's chief executive said "The NFT marketplace OpenSea is investigating a 'phishing attack' that no longer appears to be active." The company does not believe the attack is connected directly with the site; instead, 32 users appear to have signed a malicious payload from an attacker, and some of their valuable NFTs were stolen. A series of tweets emerged on Twitter, the go-to social media platform for NFTs, claiming up to $200 million worth of NFTs had been stolen. In reality, it appears the hacker gained about $1.7 million worth of ETH in his wallet from selling some of the stolen NFTs... on OpenSea itself. Many users were sceptical that OpenSea itself had been the target of the hack, while many others were quick to dismiss any suggestion that they had opened an email containing a link used in the hack.

What Was Stolen
The alarm was sounded when some users woke up over the weekend and began noticing that some of their precious NFTs, including some from the famous Bored Ape Yacht Club and Mutant Ape Yacht Club collections, were missing from their wallets. More than 250 NFTs were taken from the 32 users' wallets in the attack. It is unknown whether one person or more instigated the attack, but only one wallet was used to perform the trades and sales.
After the hack it emerged that many of the victims had gotten in touch with each other to try to get to the bottom of exactly what had happened. The only thing they could all confirm for sure was that they had all manually migrated their collections to a new smart contract on the platform. This was a move implemented by OpenSea to "fix an issue with inactive listings that was allowing scammers to swipe valuable NFTs from collectors."

The strangest part of the whole hack was that some users received their NFTs, plus ETH, back into their wallets. For whatever reason, the hacker either decided his conscience required him to return some of the stolen goods, or perhaps just wanted to show some good faith. One user got some of their NFTs back along with a sum of 50 ETH into their wallet.
The blockchain is supposed to be immutable and permanent, with everything that happens leaving an indelible mark. Things like this are not supposed to be able to happen, because the blockchain is meant to be so much more secure than the existing internet.
On Monday the 21st of February, the company announced on Twitter that "We've narrowed down the list of impacted individuals to 17, rather than the previously mentioned 32. Our original count included anyone who had *interacted* with the attacker, rather than those who were victims of the phishing attack."
How to Avoid a Repeat Hack
It is thought that the hacker tricked users into approving transactions that allowed their wallets to be drained, through an elaborate phishing attack, which is why OpenSea is so adamant that it is not the cause of the hack.
The marketplace makes use of off-chain signatures to execute gasless trades on behalf of its users. These are generally requested automatically, although users need to provide a signature when signing up, and often when they sign in. Users also need to confirm transactions when they make a bid, buy, or list NFTs. Therefore users do not need to be online for their purchase or sales orders to be filled, and it is believed the hacker tricked the victims into signing transactions for Wyvern, an NFT exchange protocol used by OpenSea.
Following the incident, a pseudonymous Solidity developer known as foobar tweeted that the victims of the hack had signed malicious orders that allowed the hacker to drain the NFTs from their accounts into an address the hacker controlled. The hacker did this by convincing the victims to sign, and it is believed they posed as OpenSea through an email or another communication channel to achieve this.

This highlighted the need for all users to exercise caution when signing smart contract transactions. Users need to be more wary and better educated instead of blindly signing every transaction that appears on their screen, which, alas, is what many users in the Web3 space do because of their lack of in-depth understanding of how the protocols work. There are several steps active Web3 users can take to protect themselves.
- Revoke Permissions - Users can revoke the permissions associated with their crypto wallets, and it is important to understand why this matters. Whenever a user opens a new Dapp or joins a Web3 site, they sign a transaction granting the site permissions associated with the user's wallet. Phishing attacks like the OpenSea hack are a major concern here because signing only one malicious transaction can result in the loss of every NFT or crypto stored in a wallet. Traders on OpenSea will have permitted the off-chain signature with the Wyvern Exchange V1 contract when they signed up to the site, and revoking permission for it to spend the funds is one way to reduce the risk of a hacker draining funds via the contract.
Users can revoke wallet permissions by simply visiting Etherscan's Token Approval page. The user connects their wallet and can find the token approvals for each application the wallet has interacted with.
- Avoid Blind Signatures - The victims of the OpenSea hack may have inadvertently signed malicious contracts, as stated by OpenSea's Chief Technology Officer Nadav Hollander: "Users did sign an order somewhere, at some point in time." Generally, the crypto phishing attacks of the past have tricked users into entering their wallet's seed phrase, something we all should know never to do. Fake airdrops have also been used to get user approval to spend funds. Users need to be aware when providing signatures: once a signature is given, a third party can spend the user's funds even if they are held in a hardware wallet. Therefore it is crucial for users to take extreme caution when executing gasless signatures on OpenSea and other applications, with some blockchain experts recommending against approving any blind signatures.
Such signatures present the user with only a hex code that looks like an Ethereum address, providing no further details about the transaction. EIP-712 tackles this issue by providing more clarity to users, as it shows the complete transaction data. With OpenSea's contracts recently migrated to it, this is thought to make it "much more difficult for bad actors to trick someone into signing an order without realizing it."
- Web3 and Emails - In the OpenSea hack, it is believed the hacker sent out an email posing as OpenSea, urging users to approve a migration of their NFT listings to the new Wyvern contract. The signatures users provided via that email were for transactions that gave the hacker permission to drain their wallets. Hackers have found ways to send emails that appear to come from any email domain they like, meaning that even if a user receives an email from what looks like an official source, they should never sign a transaction via it.
The best means of protecting oneself from this sort of hack is never to click on a link in an email, no matter how authentic it seems. Instead, users can go to the official site and check whether the same request originates from there. Finally, it can be beneficial to use a separate browser that is not connected to your wallet, or to move high-value assets like NFTs into cold storage devices that do not interact with any web applications.
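To make the "Avoid Blind Signatures" and EIP-712 points above concrete, here is an added example (my own illustration, not OpenSea's or Wyvern's code) of the check a wallet could run before prompting the user: a bare 32-byte digest sent to eth_sign gives nothing to inspect, while EIP-712 typed data exposes fields such as maker, taker and basePrice that can be displayed and sanity-checked. The simplified order field names, the exchange name and every address are constructed placeholders, not real contracts or accounts.

```javascript
const ZERO_ADDR = "0x0000000000000000000000000000000000000000";
const HEX32 = /^0x[0-9a-fA-F]{64}$/;

// Flags fields of a simplified Wyvern-style order (field names assumed) that
// would hand the asset to someone else for nothing if the signature were used.
function checkOrder(msg, signer) {
  const warnings = [];
  if (msg.maker && msg.maker.toLowerCase() !== signer.toLowerCase())
    warnings.push("maker is not the connected account");
  if (msg.basePrice !== undefined && BigInt(msg.basePrice) === 0n)
    warnings.push("basePrice is 0: the order gives the asset away for free");
  if (msg.taker && msg.taker.toLowerCase() !== ZERO_ADDR)
    warnings.push(`taker is fixed to ${msg.taker}: only that address can fill it`);
  if (msg.expirationTime !== undefined && Number(msg.expirationTime) === 0)
    warnings.push("expirationTime is 0: the order never expires");
  return warnings;
}

// Classifies a signing request in the JSON-RPC shape a dapp sends a wallet
// ({method, params}) and returns what the wallet could show the user.
function inspectSignRequest(req, signer) {
  if (req.method === "eth_sign" || req.method === "personal_sign") {
    const digest = req.params.find((p) => typeof p === "string" && HEX32.test(p));
    if (digest)   // an opaque hash: nothing about the order can be displayed
      return { kind: "blind", summary: `32-byte digest ${digest}`,
               warnings: ["cannot tell what this signature authorizes; refuse"] };
    return { kind: "message", summary: "plain text message", warnings: [] };
  }
  if (req.method === "eth_signTypedData_v4") {
    const { domain, primaryType, message } = JSON.parse(req.params[1]);
    const summary = `${primaryType} for ${domain.name} at ${domain.verifyingContract}`;
    return { kind: "typed", summary, warnings: checkOrder(message, signer) };
  }
  return { kind: "unknown", summary: req.method, warnings: ["unsupported method"] };
}

// Constructed sample requests; every address below is a placeholder.
const SIGNER = "0x1111111111111111111111111111111111111111";
const BLIND_REQUEST = { method: "eth_sign", params: [SIGNER, "0x" + "ab".repeat(32)] };
const typedOrder = (message) => ({ method: "eth_signTypedData_v4", params: [SIGNER,
  JSON.stringify({ domain: { name: "Example Exchange", verifyingContract:
    "0x2222222222222222222222222222222222222222" }, primaryType: "Order", message })] });
const MALICIOUS_REQUEST = typedOrder({ maker: SIGNER, basePrice: "0", expirationTime: "0",
  taker: "0x3333333333333333333333333333333333333333" });
const HONEST_LISTING = typedOrder({ maker: SIGNER, taker: ZERO_ADDR,
  basePrice: "1000000000000000000", expirationTime: "1700000000" });

for (const r of [BLIND_REQUEST, MALICIOUS_REQUEST, HONEST_LISTING])
  console.log(inspectSignRequest(r, SIGNER));
```

A real wallet would additionally compare domain.verifyingContract against the exchange contract the user expects, which is exactly the information a blind digest withholds.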
Conclusion
This was certainly a shock for the NFT community over the weekend. While there have been many rug pulls, scams, and even hacks through the years, many users believed that the centralized marketplace of the decentralized web had been compromised. In reality, it was a highly sophisticated hack which took advantage of some of the naivety associated with Web3 users. While many lost highly valuable NFTs and the hacker earned a sum in the millions from this, it is a good lesson for all users to be more vigilant when interacting with smart contracts. Taking precautions and never clicking links in emails is one of the most important lessons anybody can learn from this, and hopefully nobody will fall victim to this type of scam again.
Have a great day, I hope you enjoyed the read.
Peace. CryptoGod-1.
Follow Me :)
Twitter - @RNabc123