Updated Feb. 20th – On February 19th, several owners of high-value NFTs had their entire collection of Opensea-listed assets pulled out from under them by an unknown attacker. Either the new Opensea contract was hacked, or users were hit by a phishing attack.
Any users who interacted with Opensea’s new contracts should consider revoking the token approvals from Opensea as a precaution. Etherscan and Revoke.cash both provide interfaces for this, but are experiencing intense server load. Use whichever service will load for you.
As of 9:13 PM EST Feb 19th, the attack seems to be over. Outgoing transactions have ceased for over 30 minutes on the attacker’s account and the attack contract. On the evening of the 19th, the attacker held 641.5 ETH liquid, and many high-ticket NFTs, including 17 Azuki, 3 BAYC, 2 Cool Cats, and 2 Mutant Ape Yacht Club NFTs. The attacker also pocketed a racial slur ENS name, for the cherry on top.
As the dust settles, the attacker has liquidated his remaining valuable items, and currently holds ~10 ETH in a mixture of ETH and WETH, and an assortment of junk NFTs. 1105 ETH has been sent to Tornado Cash in a series of transactions. The attacker has also made a further transaction to the attack contract.
The attacker has engaged in some strange behavior, including sending ETH and NFTs back to some victims. naterivers.eth received 50 ETH back from the attacker.
The investigation is ongoing, but at the moment it appears users have fallen prey to a phishing scam. The attacker likely struck now as the phished listings are expiring soon with the Opensea contract migration due on Feb. 25th.
The attacker’s Opensea activity is… wild (and Opensea has currently taken that activity page down). Bored Apes, Mutant Apes, Azukis, mfers, FVCK_CRYSTALS, Doodles, and basically anything else that isn’t nailed down is currently streaming into the wallet and being sold at or under floor.
The usual stream of “plz ser mi familia” messages is also pouring into the account, some in the form of Opensea NFT collections, like this one.
Some users are trying to uncover the identity of the hacker. Official investigations are still ongoing.
The attacker’s account and the attack contract continue to be active. Money laundering is ongoing, although attack transactions have ceased for the time being. Please take action to make sure your assets are safe!
Phishing or Smart Contract Bug?
The official Opensea stance is that it is a phishing attack that is not related to emails. Interestingly, the attack contract was actually created 28 days ago. This was before Opensea’s migration went live.
It’s still slightly unclear at this time whether the issue is a smart contract bug, a phishing attack duplicating Opensea communications about the migration, or an earlier phishing attack. Evidence is leaning towards a phishing attack of some description at this time. The new Opensea contract may not have been hacked at all.
Some users describe not interacting with any Opensea emails at all, which points to a more complicated answer.
Note: Some users have been deriding other users who approved a “WyvernExchange” instead of Opensea. Wyvern is the behind-the-scenes name of an Opensea exchange, as seen in the blue-checked contract here. Wyvern is not a malicious party. Technical details can be seen in this thread.
Poorly-Conceived From the Start?
Regardless of whether the phishing was related to migration emails or not, the migration emails themselves are still an awful idea. Being user friendly is one thing, but training your users to cryptographically authorize things you click in an email…
The other issue lies in how the Opensea contract handles offchain signing of listings. I won’t plagiarize the tweet thread below, but essentially, if you can be tricked into signing the wrong thing, Opensea has no further protections in place. The exchange will happily delegatecall the malicious contract and send it everything it has token approval for, no questions asked.
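The token approvals that both the revoke advice above and this delegatecall problem hinge on are ERC-721 `setApprovalForAll` grants, and they are recorded on-chain as `ApprovalForAll` events. As an added example (not the post's code, nor Opensea's or Wyvern's), here is how a defender can replay those logs to see which operators still hold blanket approval over a collection; the addresses and log entries are constructed placeholders, and only the event topic hash is the real ERC-721 constant.

```python
# Added example (not the post's or OpenSea's code): replay ERC-721 ApprovalForAll
# logs so an owner can see which operators still hold blanket approval, i.e. what
# a phished setApprovalForAll actually handed over. Addresses are placeholders.

# keccak256("ApprovalForAll(address,address,bool)"): the standard ERC-721 topic
APPROVAL_FOR_ALL_TOPIC = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"

OWNER = "0x" + "11" * 20        # placeholder: the victim's wallet
COLLECTION = "0x" + "22" * 20   # placeholder: an NFT collection contract
MARKETPLACE = "0x" + "33" * 20  # placeholder: the exchange the owner meant to approve
UNKNOWN = "0x" + "44" * 20      # placeholder: an operator the owner never meant to approve

def topic_to_address(topic: str) -> str:
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def outstanding_approvals(logs, trusted_operators):
    """Replay logs in (block, logIndex) order so a later setApprovalForAll(op, false)
    cancels an earlier grant, then list every approval still in force."""
    trusted = {t.lower() for t in trusted_operators}
    state = {}  # (owner, collection) -> set of operators currently approved
    for log in sorted(logs, key=lambda entry: (entry["blockNumber"], entry["logIndex"])):
        if log["topics"][0].lower() != APPROVAL_FOR_ALL_TOPIC:
            continue  # some other event emitted by the collection
        owner = topic_to_address(log["topics"][1])
        operator = topic_to_address(log["topics"][2])
        approved = int(log["data"], 16) != 0  # bool is ABI-encoded as a 32-byte word
        ops = state.setdefault((owner, log["address"].lower()), set())
        if approved:
            ops.add(operator)
        else:
            ops.discard(operator)
    return [{"owner": o, "collection": c, "operator": op, "trusted": op in trusted}
            for (o, c), ops in state.items() for op in sorted(ops)]

def make_log(block, idx, operator, approved):
    """Constructed ApprovalForAll entry in the shape eth_getLogs returns."""
    return {"address": COLLECTION, "blockNumber": block, "logIndex": idx,
            "topics": [APPROVAL_FOR_ALL_TOPIC, "0x" + OWNER[2:].rjust(64, "0"),
                       "0x" + operator[2:].rjust(64, "0")],
            "data": "0x" + ("1" if approved else "0").rjust(64, "0")}

SAMPLE_LOGS = [make_log(100, 5, MARKETPLACE, True),   # the approval the owner meant to give
               make_log(120, 2, UNKNOWN, True),       # the one the phishing page asked for
               make_log(130, 1, MARKETPLACE, False)]  # marketplace approval later revoked

if __name__ == "__main__":
    for finding in outstanding_approvals(SAMPLE_LOGS, [MARKETPLACE]):
        print(finding)  # only the UNKNOWN operator remains, flagged untrusted
```

Against a real node you would feed it the output of `eth_getLogs` filtered on the collection address and this topic; anything it lists that you do not recognise is an approval worth revoking.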
$LOOKS like another migration might be in our futures.