In February 2022, OpenSea saw one of the largest attacks in the history of non-fungible tokens (NFTs).
It was reported that the attackers got away with NFTs worth about $1.7 million in ETH.
On February 19, 2022, an attacker stole NFTs worth over 640 ether from users of the OpenSea NFT marketplace in a phishing attack. Initial reports put the number of affected users at around 32; as the investigation progressed, that number was revised down to 17.
Let us look at what went down in the OpenSea phishing attack and what we can learn from it to safeguard crypto and NFT enthusiasts alike.
What exactly happened in the OpenSea Phishing Attack?
On February 19th, the phishing attack on OpenSea users began with an email.
The email asked OpenSea users to migrate their listings to a new OpenSea contract. Following the link, users were lured into signing a Wyvern order for a sale at 0 ETH. That order named the attacker's contract as its target and carried attacker-chosen calldata, and the phished user produced a valid signature over it.
The attacker then completed the trade: they kept the signed order, paired it with a matching order of their own covering the tokens for which the user had already granted approvals on OpenSea, and submitted both to the exchange through a contract they controlled. From the exchange's point of view this was a legitimate order.
Before processing any order, the Wyvern exchange contract validates the signatures on it. Since the orders were signed by both the user and the attacker, the contract treated them as valid and called the proxy contract that holds the user's token approvals.
Wyvern's per-user proxy contracts forward the order's call to its target, and an order can ask for that call to be a delegatecall. Because the target was the attacker's contract, its code ran in the context of the user's proxy, with all of the proxy's approvals, and could transfer the user's tokens on the proxy's behalf.
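The flow above, as an added worked model written for this article (it is not OpenSea or Wyvern code). It is a Python stand-in for the contracts: a minimal ERC-721 with operator approvals, a per-user proxy that can forward a call as either a plain call or a delegatecall, and an exchange-side `atomic_match` that checks both signatures before invoking the proxy. All addresses, the `"drain"` calldata, and the `HowToCall` values are constructed for the model. It shows the same signed order draining every approved token under a delegatecall but failing under a plain call, and shows two defences the article goes on to recommend: refusing to sign an order that asks for a delegatecall or names an unknown target, and revoking the proxy's approval before the attacker gets to match the order.

```python
from dataclasses import dataclass, field
from enum import Enum


class HowToCall(Enum):
    """Wyvern orders carry this flag; DELEGATE_CALL is what the phishing orders used."""
    CALL = 0
    DELEGATE_CALL = 1


# Constructed placeholder addresses for the model (not real on-chain addresses).
ALICE, BUYER, ATTACKER = "0xalice", "0xbuyer", "0xattacker"
NFT_TOKEN = "0xnft"        # legitimate ERC-721 contract Alice listed on
EVIL_CONTRACT = "0xevil"   # attacker-deployed contract named as the order's target


class ERC721:
    """Minimal ERC-721: ownership plus setApprovalForAll-style operator approvals."""

    def __init__(self, owners):
        self.owners = dict(owners)   # token_id -> owner
        self.operators = {}          # (owner, operator) -> approved?

    def set_approval_for_all(self, owner, operator, approved):
        self.operators[(owner, operator)] = approved

    def transfer_from(self, msg_sender, frm, to, token_id):
        if self.owners.get(token_id) != frm:
            raise PermissionError("not the owner")
        if msg_sender != frm and not self.operators.get((frm, msg_sender)):
            raise PermissionError(f"{msg_sender} is not an approved operator of {frm}")
        self.owners[token_id] = to


@dataclass
class Order:
    maker: str
    target: str                 # contract the maker's proxy will call
    how_to_call: HowToCall
    calldata: tuple             # (function_name, *args) stands in for ABI-encoded bytes
    signatures: set = field(default_factory=set)


class World:
    """One token contract, the 'bytecode' of two possible targets, and user proxies."""

    def __init__(self):
        self.token = ERC721({1: ALICE, 2: ALICE})
        self.proxies = {}
        self.contracts = {NFT_TOKEN: self._nft_code, EVIL_CONTRACT: self._evil_code}

    def _nft_code(self, msg_sender, self_addr, calldata):
        fn, frm, to, token_id = calldata
        assert fn == "transferFrom"
        self.token.transfer_from(msg_sender, frm, to, token_id)

    def _evil_code(self, msg_sender, self_addr, calldata):
        # Moves every token the victim owns. self_addr is the identity the token
        # contract sees as msg.sender: the user's own proxy under DELEGATE_CALL.
        _fn, victim, receiver = calldata
        for token_id, owner in list(self.token.owners.items()):
            if owner == victim:
                self.token.transfer_from(self_addr, victim, receiver, token_id)


class Proxy:
    """Model of Wyvern's per-user AuthenticatedProxy, which holds the token approvals."""

    def __init__(self, world, user):
        self.world, self.user, self.address = world, user, f"proxy:{user}"

    def proxy(self, caller, target, how_to_call, calldata):
        code = self.world.contracts[target]
        if how_to_call is HowToCall.CALL:
            # Plain call: the target runs as itself, so tokens see msg.sender == target.
            return code(self.address, target, calldata)
        # delegatecall: the target's code runs inside the proxy, so tokens see
        # msg.sender == proxy and every approval granted to the proxy applies.
        return code(caller, self.address, calldata)


def atomic_match(world, taker, sell, buy):
    """Exchange-side matching: both signatures must check out before the proxy is invoked."""
    if sell.maker not in sell.signatures or buy.maker not in buy.signatures:
        raise ValueError("invalid signature")
    if sell.target != buy.target or sell.calldata != buy.calldata:
        raise ValueError("orders do not match")
    world.proxies[sell.maker].proxy(taker, sell.target, sell.how_to_call, sell.calldata)


def safe_to_sign(order, known_token_contracts):
    """Wallet-side guard: refuse delegatecalls and targets that are not known token contracts."""
    return order.how_to_call is HowToCall.CALL and order.target in known_token_contracts


def scenario(order, revoke_before_match=False, guard=False):
    """Alice approves her proxy, signs `order`, a taker matches it. Returns final owners."""
    world = World()
    alice_proxy = world.proxies[ALICE] = Proxy(world, ALICE)
    world.token.set_approval_for_all(ALICE, alice_proxy.address, True)  # listing-time approval
    if guard and not safe_to_sign(order, {NFT_TOKEN}):
        return dict(world.token.owners)                # wallet refuses; nothing is signed
    order.signatures.add(ALICE)                        # the blind signature
    if revoke_before_match:
        world.token.set_approval_for_all(ALICE, alice_proxy.address, False)
    taker = ATTACKER if order.target == EVIL_CONTRACT else BUYER
    buy = Order(taker, order.target, order.how_to_call, order.calldata, {taker})
    try:
        atomic_match(world, taker, order, buy)
    except PermissionError:
        pass                                           # token contract rejected the move
    return dict(world.token.owners)


def phishing_order(how_to_call=HowToCall.DELEGATE_CALL):
    return Order(ALICE, EVIL_CONTRACT, how_to_call, ("drain", ALICE, ATTACKER))


def legitimate_sale():
    return Order(ALICE, NFT_TOKEN, HowToCall.CALL, ("transferFrom", ALICE, BUYER, 1))
```

`scenario(phishing_order())` hands both tokens to the attacker, while the identical order with `HowToCall.CALL` fails because the token contract then sees the attacker's contract, not the approved proxy, as `msg.sender`. The legitimate sale passes `safe_to_sign` and moves exactly one token; the phishing order does not, and revoking the proxy's approval before the match also stops it.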
What is a phishing attack and why is it significant?
A phishing attack is a cyber attack in which the attacker sends a fraudulent communication, often an email, designed to trick the recipient into taking an action that benefits the attacker.
In the case of OpenSea, the attacker tricked NFT owners into clicking a link that presented a sale order, which they were asked to sign with their browser-based wallet.
That signature authorized a token sale. The attacker later used it to craft a new transaction that sent the user's NFTs to the attacker's address. Because the signature was collected off-chain, the user was not asked to confirm an on-chain transaction or pay gas at the time, which is part of what made the request look harmless.
What makes the attack significant is that it underlines the importance of exercising caution when signing anything presented by a smart contract or dApp. It also adds to the risks already present in the NFT ecosystem, and the best defence is an informed user. Here are some best practices users can follow to protect themselves from such phishing attacks in the future.
Steps you can take to prevent this from happening to you
- Remove Permissions: The first and most important step to keep your NFTs and crypto secure is to revoke the approvals you have granted from your wallet to contracts you no longer use.
A phishing attack like the one on OpenSea is a major concern because a single malicious signature can cost you the tokens in your wallet. Revoking the approvals granted to the Wyvern Exchange V1 contract on OpenSea removes an attacker's ability to drain tokens through that contract.
- Avoid links in unexpected emails: Clicking a link in an email you weren't expecting is never a good idea. Platforms such as Telegram, Twitter, and Discord have recently seen a surge of such links.
These messages usually come with a deadline to create a sense of urgency. Once the user clicks, they are prompted to sign a transaction or message from their wallet, which lets the attacker transfer the assets to their own wallet.
- Avoid Signing Blindly: As the OpenSea attack unfolded, the company's Chief Technology Officer, Nadav Hollander, said in a series of tweets that the attack exploited valid signatures from users on the Wyvern V1 contract.
He noted that the users “did sign an order somewhere, at some point in time”. Crypto phishing attacks in the past have also lured users into entering their wallet's seed phrase, giving the attackers full access to the wallet and its funds.
Beyond seed phrases, users need to understand the risk of signing off-chain messages and of interacting with unfamiliar contracts. A single signature can authorize a third party to move assets on the user's behalf, even when those assets sit in a hardware wallet. Gasless signatures deserve the same scrutiny as on-chain transactions.
- Keep your seed phrase to yourself: A seed phrase is the random list of words from which a wallet's keys are derived.
Never hand out your seed phrase unless you are restoring your wallet yourself, and keep it as private as possible. Write it down on paper rather than storing it on a digital platform.
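The "Remove Permissions" and "Avoid Signing Blindly" points above both come down to reading what an approval or revocation actually says. The following is an added example written for this article, not code from OpenSea or any wallet: it hand-builds the ABI calldata for the ERC-721 `setApprovalForAll(address,bool)` call (the function that grants a marketplace proxy control over a whole collection), decodes such calldata so you can see which operator is being granted or revoked before you sign, and produces the revocation calls for a list of operators so they can be submitted from any wallet, including a hardware wallet. The function selector `0xa22cb465` is the first four bytes of `keccak256("setApprovalForAll(address,bool)")`; the operator addresses used below are constructed placeholders, and the `TRUSTED_OPERATORS` set is an assumption the reader would fill in with the marketplace proxies they actually use.

```python
# ERC-721 setApprovalForAll(address,bool) selector: keccak256 of the signature, first 4 bytes.
SET_APPROVAL_FOR_ALL = bytes.fromhex("a22cb465")

# Constructed placeholder addresses for the example (not real contracts).
MARKETPLACE_PROXY = "0x" + "11" * 20
PHISHING_OPERATOR = "0x" + "ee" * 20
TRUSTED_OPERATORS = {MARKETPLACE_PROXY}   # assumption: the proxies you knowingly approved


def _strip0x(hexstr: str) -> str:
    return hexstr[2:] if hexstr.startswith("0x") else hexstr


def encode_set_approval_for_all(operator: str, approved: bool) -> str:
    """ABI-encode setApprovalForAll(operator, approved) as 0x-prefixed calldata."""
    addr = bytes.fromhex(_strip0x(operator))
    if len(addr) != 20:
        raise ValueError("operator must be a 20-byte address")
    word_addr = addr.rjust(32, b"\x00")                 # address left-padded to 32 bytes
    word_bool = int(approved).to_bytes(32, "big")       # bool as a 32-byte word
    return "0x" + (SET_APPROVAL_FOR_ALL + word_addr + word_bool).hex()


def decode_approval_calldata(calldata: str):
    """Return (operator, approved) for a setApprovalForAll call, else None."""
    data = bytes.fromhex(_strip0x(calldata))
    if data[:4] != SET_APPROVAL_FOR_ALL or len(data) != 4 + 64:
        return None
    word_addr, word_bool = data[4:36], data[36:68]
    # Reject non-canonical padding: a wallet should not guess at odd encodings.
    if word_addr[:12] != bytes(12) or word_bool[:31] != bytes(31) or word_bool[31] > 1:
        return None
    return "0x" + word_addr[12:].hex(), word_bool[31] == 1


def review_approval(calldata: str, trusted_operators: set) -> str:
    """Plain-language verdict on an approval request before it is signed."""
    decoded = decode_approval_calldata(calldata)
    if decoded is None:
        return "not a setApprovalForAll call: inspect before signing"
    operator, approved = decoded
    if not approved:
        return f"revokes operator {operator}: safe to sign"
    if operator.lower() in {o.lower() for o in trusted_operators}:
        return f"grants {operator} control of every token in this collection (known operator)"
    return f"DANGER: grants unknown operator {operator} control of every token in this collection"


def revoke_all(operators) -> list:
    """Calldata for one setApprovalForAll(operator, false) call per operator."""
    return [encode_set_approval_for_all(op, False) for op in operators]
```

Each string returned by `revoke_all` is the `data` field of a transaction sent to the NFT collection's contract address; the sender must be the token owner, and one call is needed per collection and operator pair. `review_approval` is the check to run on any approval a site asks you to sign: anything that grants an operator you did not deliberately choose is exactly the kind of permission this attack abused.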
The lessons we learned from the OpenSea Phishing Attack
The OpenSea phishing attack is an eye-opener for NFT investors and enthusiasts around the world. Such an attack usually succeeds because users sign orders without checking what they authorize. Among recent attacks on NFT and crypto users, phishing is the most common.
To stay a step ahead of such attacks, following safe practices goes a long way. Also make sure the NFT marketplaces you use have a robust security infrastructure in place.
Platforms like Crypto NFT and Bybit NFT can be considered pragmatic alternatives for your NFT trading.
With Bybit's exclusive offers and curated NFT collections, zero transaction fees and international access, its new entry into the non-fungible token space is worth a look. Users on the Bybit platform are not required to link a personal wallet address to the platform; instead, they can buy, sell or trade NFTs on the Ethereum ERC-721 standard directly through their Bybit account.