New Opensea Contract Exploited? Massive Hack In Progress

Updated Feb. 20th – On February 19th, several owners of high-value NFTs had their entire collection of Opensea-listed assets pulled out from under them by an unknown attacker. Either the new Opensea contract was hacked, or users were hit by a phishing attack.

Any users who interacted with Opensea’s new contracts should consider revoking the token approvals from Opensea as a precaution. Etherscan and Revoke.cash both provide interfaces for this, but are experiencing intense server load. Use whichever service will load for you.

As of 9:13 PM EST Feb 19th, the attack seems to be over. Outgoing transactions have ceased for over 30 minutes on the attacker’s account and the attack contract. On the evening of the 19th, the attacker held 641.5 ETH liquid, and many high-ticket NFTs, including 17 Azuki, 3 BAYC, 2 Cool Cats, and 2 Mutant Ape Yacht Clubs. The attacker also pocketed a racial slur ENS name, for the cherry on top.

As the dust settles, the attacker has liquidated his remaining valuable items, and currently holds ~10 ETH in a mixture of ETH and WETH, and an assortment of junk NFTs. 1105 ETH has been sent to Tornado Cash in a series of transactions. The attacker has also made a further transaction to the attack contract.

The attacker has engaged in some strange behavior, including sending ETH and NFTs back to some victims. naterivers.eth recieved 50 ETH back from the attacker.

The investigation is ongoing, but at the moment it appears users have fallen prey to a phishing scam. The attacker likely struck now as the phished listings are expiring soon with the Opensea contract migration due on Feb. 25th.

Around 19 users were affected.

The attacker’s Opensea activity is… wild (and Opensea has currently taken that activity page down). Bored Apes, Mutant Apes, Azukis, mfers, FVCK_CRYSTALS, Doodles, and basically anything else that isn’t nailed down is currently streaming into the wallet and being sold at or under floor.

And many, many more…

The usual stream of “plz ser mi familia” messages are also pouring to the account, some in the form of opensea NFT collections, like this one.

Some users are trying to uncover the identity of the hacker. Official investigations are still ongoing.

The attacker’s account and the attack contract continue to be active. Money laundering is ongoing, although attack transactions have ceased for the time being. Please take action to make sure your assets are safe!

Phishing or Smart Contract Bug?

The official Opensea stance is that it is a phishing attack that is not related to emails. Interestingly, the attack contract was actually created 28 days ago. This was before Opensea’s migration went live.

It’s still slightly unclear at this time whether the issue is a smart contract bug, a phishing attack duplicating Opensea communications about the migration, or an earlier phishing attack. Evidence is leaning towards a phishing attack of some description at this time. The new Opensea contract may not have been hacked at all.

Some users describe not interacting with any Opensea emails at all, which points to a more complicated answer.

Note: Some users have been deriding other users who approved a “WyvernExchange” instead of Opensea. Wyvern is the behind-the-scenes name of an Opensea exchange, as seen in the blue-checked contract here. Wyvern is not a malicious party. Technical details can be seen in this thread.

Poorly-Conceived From the Start?

Regardless of whether the phishing was related to migration emails or not, the migration emails themselves are still an awful idea. Being user friendly is one thing, but training your users to cryptographically authorize things you click in an email…

The other issue lies in how the Opensea contract handles offchain signing of listings. I won’t plagiarize the tweet thread below, but essentially, if you can be tricked into signing the wrong thing, Opensea has no further protections in place. The exchange will happily delegatecall the malicious contract and send it everything it has token approval for, no questions asked.

$LOOKS like another migration might be in our futures.

Photo of author

Written By BowTiedPickle

Anonymous cartoon pickle inspired by BowTiedBull. Degen chemical engineer, moonlighting as a Solidity developer.

Disclosure

This article may contain links to third-party websites or other content for information purposes. BowTiedIsland may receive a commission at no cost to you if you purchase a product after clicking one of these links. The Third-Party Sites are not under the control of BowTiedIsland, and BowTiedIsland is not responsible for the content of any Third-Party Site. All information contained herein is the opinion of the writer and does not constitute financial advice. We aim to act as a neutral third party and aid in your research and analysis.


The Jungle


Crypto, Investing, and E-Commerce with BowTied Bull

The future is internet based, therefore we have a triangle based approach with crypto, e-commerce business making and Investing in traditional assets

The Culture War with BowTiedRanger

Whether you’re a political junkie or just interested in current events. 

You’ve come to the right place for analysis of the most relevant current events and political issues.

Fitness With BowTiedOx

BowTiedOx provides you a place to find all of his latest programs and guides.

Weekly newsletters that cover fitness, health, and mindset, all grounded in the fundamentals of physiology.

Media Production with BowTied Turkey and BowTied Tamarin

Video is no longer optional.

Don’t get left behind.

Your brand deserves professional videos to engage your audience.

Art & Graphic Design with BowTied Patriot

BowTied Patriot is a graphic artist who specializes in photography, mixed medium custom artwork, and NFT creation.

Join BowTiedPatriot as he dives into making Art in Web3.0 and The Metaverse.

Cooking with BowTiedOctopod

Learn secrets from a fine dining chef for maximum flavor and time-saving efficiency

Newsletters on Ingredients, Techniques and Flavor hacks that will have you eating better. We will never eat bugs!

Meme Warfare with DgenFren

Increase your online engagement, organically influence narratives, and build your online persona by using marketing that your target audience actually wants: memes.

Learn How to Sell with BowTiedSalesGuy

Sales is one of the most transferrable life skills, yet few know how to actually sell.

Traditional sales tactics don’t cut it in today’s hyper competitive world.

Learn the secrets from a Chad Salesman and change your Life forever.

Ecommerce with BowTiedOpossum

Learn the skills to start and build your first online business.

Want to build a business that travels with you?

Learn from an industry veteran that has worked on and with brands you already know.