OpenSea Hack: key points on Web3 security

Key points to remember

  • A hacker stole millions of dollars worth of NFTs from OpenSea users over the weekend.
  • The hacker is believed to have tricked users, through an elaborate phishing attack, into approving transactions that resulted in their wallets being emptied.
  • There are several steps you can take to mitigate the risk of falling victim to such incidents in Web3.


A hacker stole millions of dollars worth of NFTs from OpenSea users over the weekend. The incident highlighted the importance of operational security in Web3.

OpenSea Hack Highlights Security Risks

On February 19, several OpenSea users reported that their wallets had been emptied of valuable NFTs from collections such as Bored Ape Yacht Club and Azuki. The total value of the stolen NFTs was estimated at approximately $3 million. The next day, OpenSea said it believed the root cause was a phishing attack that originated “from outside OpenSea.”

The attack targeted 32 users. It is believed that they were tricked into clicking on malicious links and signing a malicious smart contract interaction that allowed their NFTs to be transferred to another wallet. As a result, the hacker was able to drain over 250 NFTs within hours.

OpenSea uses off-chain signatures to execute gasless transactions on behalf of its users. They can be executed automatically, which means that users do not need to be online for an NFT order to be executed. It is believed that the hacker tricked the victims into signing transactions with Wyvern, an NFT exchange protocol used by OpenSea.

A pseudonymous Solidity developer known as foobar posted a tweet storm following the incident in which they said the victims had signed malicious code that allowed the hacker to drain NFTs to a “target address” the hacker controlled. To convince victims to sign the code, the hacker is believed to have impersonated OpenSea via email or another communication channel.

The incident highlights the need for caution when signing smart contract transactions. It also serves as a reminder of the risks present in every corner of Web3 and the importance for users to educate themselves about threats in the evolving landscape. To mitigate the risk of falling victim to such attacks, active Web3 users can take several steps to protect themselves.

Revoke permissions

As a first step towards securing NFTs or other crypto assets, it is important to know how to revoke permissions associated with a crypto wallet. Phishing attacks like the OpenSea hack are a major concern because a single malicious signature can lead to the loss of every NFT stored in a wallet. If you are trading on OpenSea and have allowed off-chain signing with the Wyvern Exchange V1 contract, revoking that contract's permission to transfer your tokens is a way to reduce the risk of a hacker draining them through the contract.

Users can revoke wallet permissions by going to the token approval page on Etherscan, connecting their wallet, and finding the token approvals for each app the wallet has interacted with.
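The Etherscan token approval page does this over real chain data; the following added example (not OpenSea's or Etherscan's code) shows the underlying logic offline: it replays constructed ERC-721 `ApprovalForAll` logs for one wallet, lists which operators still hold blanket transfer approval, and builds the `setApprovalForAll(operator, false)` calldata that revokes one. The event topic and function selector are the standard ERC-721 values; every address and log entry is constructed for illustration.

```python
# Added example, not OpenSea's or Etherscan's code: replay ERC-721 ApprovalForAll logs
# for one wallet to find which operators still hold blanket transfer approval, then
# build the setApprovalForAll(operator, false) calldata that revokes one.
# All addresses and log entries below are constructed for illustration.

# keccak256("ApprovalForAll(address,address,bool)"), the standard ERC-721 event topic.
APPROVAL_FOR_ALL_TOPIC = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"
# Standard 4-byte selector of setApprovalForAll(address,bool).
SET_APPROVAL_FOR_ALL_SELECTOR = "a22cb465"

# Hypothetical actors (constructed).
WALLET = "0x" + "11" * 20            # the user's wallet
COLLECTION = "0x" + "22" * 20        # an ERC-721 collection contract
MARKETPLACE = "0x" + "33" * 20       # a known marketplace exchange contract
UNKNOWN_OPERATOR = "0x" + "44" * 20  # an operator the user does not recognise


def _word(value):
    """ABI-encode a hex address or an int as one 32-byte word (64 hex chars)."""
    if isinstance(value, int):
        return format(value, "064x")
    return value[2:].lower().rjust(64, "0")


def make_log(block, index, collection, owner, operator, approved):
    """Build an eth_getLogs-style entry for ApprovalForAll(owner, operator, approved)."""
    return {
        "blockNumber": block,
        "logIndex": index,
        "address": collection,
        "topics": [APPROVAL_FOR_ALL_TOPIC, "0x" + _word(owner), "0x" + _word(operator)],
        "data": "0x" + _word(1 if approved else 0),
    }


def topic_to_address(topic):
    """Indexed address parameters are left-padded to 32 bytes; keep the low 20."""
    return "0x" + topic[-40:].lower()


def active_operator_approvals(logs, owner):
    """Return sorted (collection, operator) pairs that still have blanket approval.

    Logs are replayed in chain order so a later revoke overrides an earlier grant.
    """
    state = {}
    for log in sorted(logs, key=lambda entry: (entry["blockNumber"], entry["logIndex"])):
        if log["topics"][0].lower() != APPROVAL_FOR_ALL_TOPIC:
            continue  # some other event
        if topic_to_address(log["topics"][1]) != owner.lower():
            continue  # someone else's approval
        operator = topic_to_address(log["topics"][2])
        state[(log["address"].lower(), operator)] = int(log["data"], 16) == 1
    return sorted(pair for pair, approved in state.items() if approved)


def revoke_calldata(operator):
    """Calldata for setApprovalForAll(operator, false), sent to the collection contract."""
    return "0x" + SET_APPROVAL_FOR_ALL_SELECTOR + _word(operator) + _word(0)


# Constructed history: the wallet approved the marketplace, later approved an unknown
# operator (the kind of grant a phishing page tricks users into), then revoked the marketplace.
SAMPLE_LOGS = [
    make_log(100, 0, COLLECTION, WALLET, MARKETPLACE, True),
    make_log(200, 3, COLLECTION, WALLET, UNKNOWN_OPERATOR, True),
    make_log(300, 1, COLLECTION, WALLET, MARKETPLACE, False),
    make_log(300, 2, COLLECTION, "0x" + "99" * 20, UNKNOWN_OPERATOR, True),  # another wallet
]

if __name__ == "__main__":
    for collection, operator in active_operator_approvals(SAMPLE_LOGS, WALLET):
        print(f"{operator} can move every token in {collection}")
        print("  revoke with:", revoke_calldata(operator))
```

Replaying the full log history rather than trusting the most recent grant matters because an approval stays in force until an explicit revoke; the only approval left in the sample is the unrecognised operator, which is exactly the one an audit should surface.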

Avoid blind signatures

Following the OpenSea hack, the company’s chief technology officer, Nadav Hollander, said in a tweet storm that valid victim signatures were exploited on the Wyvern V1 contract (prior to OpenSea’s migration to Wyvern V2.3). Users “signed an order somewhere, sometime, sometime,” he said. This suggests that the victims may have inadvertently signed malicious contracts.

In the past, crypto-phishing attacks tricked users into entering the seed phrase of their wallet, allowing the hacker to gain access to the wallet and steal the funds. In some cases, hackers have obtained permission to spend funds by luring users with fake airdrops. The latest OpenSea incident was different because the hacker targeted multiple collectors at once. This shows that in addition to being careful with seed phrases, users should be careful when signing off-chain messages and interacting with suspicious contracts.

Once such a message is signed, a third party can spend funds on behalf of the user even if the funds are held in a hardware wallet. Therefore, it is crucial that users take care when performing gasless signatures on OpenSea or other applications. Some blockchain experts recommend against approving blind signatures at all.

Blind signature requests present only a hex string, which looks like little more than an Ethereum address, and give no further details of the transaction. EIP-712 signatures, however, provide more clarity because they show the complete transaction data bound at the time of the signature request. According to Hollander, the EIP-712 format that comes with the recently migrated OpenSea contracts makes it “much harder for bad actors to trick someone into signing an order without realizing it”.
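To make the difference concrete for the two preceding paragraphs, the following added example (not OpenSea's or Wyvern's code) builds a blind signature request, which hands the wallet only an opaque 32-byte digest, beside an EIP-712 typed-data request, which hands it a domain and named fields from which the digest the key actually signs is derived. The `Order` type is a simplified hypothetical stand-in, not the real Wyvern order struct; the `eth_sign` and `eth_signTypedData_v4` method names model the two kinds of wallet prompt; all addresses are constructed. A compact pure-Python Keccak-256 is included so the example runs offline with no dependencies.

```python
# Added example, not OpenSea's or Wyvern's code: a blind signature request hands the
# wallet an opaque digest, while an EIP-712 request hands it named fields from which
# the same kind of digest is derived, so the wallet can display what is being signed.
# The Order type is a simplified hypothetical stand-in, not the real Wyvern order struct.

MASK = (1 << 64) - 1
# Keccak-f[1600] round constants.
RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
      0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
      0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
      0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
      0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
      0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]


def _rol(v, n):
    n %= 64
    return ((v << n) | (v >> (64 - n))) & MASK if n else v


# Rho rotation offsets from the spec's (x, y) -> (y, 2x + 3y) walk; lane index is x + 5*y.
RHO = [0] * 25
_x, _y = 1, 0
for _t in range(24):
    RHO[_x + 5 * _y] = ((_t + 1) * (_t + 2) // 2) % 64
    _x, _y = _y, (2 * _x + 3 * _y) % 5


def _keccak_f(a):
    """Keccak-f[1600] permutation over 25 little-endian 64-bit lanes."""
    for rc in RC:
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]  # theta
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [a[i] ^ d[i % 5] for i in range(25)]
        b = [0] * 25                                                                # rho + pi
        for x in range(5):
            for y in range(5):
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(a[x + 5 * y], RHO[x + 5 * y])
        a = [b[i] ^ (~b[(i % 5 + 1) % 5 + 5 * (i // 5)] & b[(i % 5 + 2) % 5 + 5 * (i // 5)])
             for i in range(25)]                                                    # chi
        a[0] ^= rc                                                                  # iota
    return a


def keccak256(data: bytes) -> bytes:
    """Original Keccak-256 (pad10*1 with 0x01), as used by Ethereum; not NIST SHA3-256."""
    rate = 136
    buf = bytearray(data) + b"\x01"
    buf += b"\x00" * (-len(buf) % rate)
    buf[-1] |= 0x80
    state = [0] * 25
    for off in range(0, len(buf), rate):
        for i in range(rate // 8):
            state[i] ^= int.from_bytes(buf[off + 8 * i: off + 8 * i + 8], "little")
        state = _keccak_f(state)
    return b"".join(lane.to_bytes(8, "little") for lane in state)[:32]


def _addr(a: str) -> bytes:
    """ABI-encode an address as a 32-byte left-padded word."""
    return bytes.fromhex(a[2:]).rjust(32, b"\x00")


def _uint(n: int) -> bytes:
    return n.to_bytes(32, "big")


DOMAIN_TYPE = b"EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"
ORDER_TYPE = b"Order(address maker,address taker,address collection,uint256 tokenId,uint256 price)"  # hypothetical


def domain_separator(domain):
    return keccak256(keccak256(DOMAIN_TYPE) + keccak256(domain["name"].encode())
                     + keccak256(domain["version"].encode()) + _uint(domain["chainId"])
                     + _addr(domain["verifyingContract"]))


def order_struct_hash(order):
    return keccak256(keccak256(ORDER_TYPE) + _addr(order["maker"]) + _addr(order["taker"])
                     + _addr(order["collection"]) + _uint(order["tokenId"]) + _uint(order["price"]))


def eip712_digest(domain, order):
    """The 32 bytes the key signs: keccak256(0x1901 || domainSeparator || hashStruct(order))."""
    return keccak256(b"\x19\x01" + domain_separator(domain) + order_struct_hash(order))


def blind_sign_request(digest: bytes):
    """eth_sign-style prompt: the wallet can show the user nothing but this hex blob."""
    return {"method": "eth_sign", "params": ["0x" + digest.hex()]}


def typed_sign_request(domain, order):
    """EIP-712 prompt: the wallet receives, and can render, every field before signing."""
    return {"method": "eth_signTypedData_v4", "domain": dict(domain),
            "primaryType": "Order", "message": dict(order)}


# Constructed sample: an honest 1 ETH listing, and the same listing as a phisher
# would rewrite it, with a fixed taker and a price of zero.
DOMAIN = {"name": "ExampleExchange", "version": "1", "chainId": 1, "verifyingContract": "0x" + "ab" * 20}
HONEST = {"maker": "0x" + "11" * 20, "taker": "0x" + "00" * 20, "collection": "0x" + "22" * 20,
          "tokenId": 1234, "price": 10 ** 18}
MALICIOUS = dict(HONEST, taker="0x" + "44" * 20, price=0)

if __name__ == "__main__":
    print("blind:", blind_sign_request(eip712_digest(DOMAIN, MALICIOUS)))
    print("typed:", typed_sign_request(DOMAIN, MALICIOUS)["message"])
```

The two requests lead to the same kind of 32-byte digest being signed, so the protection EIP-712 offers is not cryptographic but presentational: the wallet is given the `taker` and `price` fields and can render them, whereas with the blind request a price of zero and a price of 1 ETH are indistinguishable hex to the person holding the hardware wallet.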

Beware of mixing Web3 and email

As part of the OpenSea incident, several reports of phishing email campaigns have surfaced. The hacker is believed to have sent an email posing as OpenSea urging users to allow a migration of their NFT listings to the new Wyvern contract. After clicking, it appears that the users signed transactions which gave the hacker permission to empty their wallets.

Thanks to the rise of email spoofing, hackers have found ways to send emails that appear to come from any email domain they like. Users should beware of any emails that request a transaction from MetaMask or any other Web3 wallet, even if they appear to come from an official source. One of the best operational security tips is to avoid interacting with Web3 applications using links posted via email or social media. In fact, it’s best to avoid clicking on crypto-related links unless they come from an official source.

In addition to exercising caution when signing transactions and avoiding phishing attacks, crypto users can take other steps to stay protected. It’s a good idea, for example, to move high-value assets like NFTs to cold storage devices that don’t interact with any apps. To learn more about protecting NFTs from hackers, check out the beginner’s guide feature.

Disclosure: At the time of writing this article, the author owned ETH and other cryptocurrencies.
