OpenSea had a bad weekend: 17 users of the popular NFT marketplace lost NFTs to theft, netting the attacker a total of $1.7 million in Ethereum.
The event was far from the first time tokens have been stolen, but the scale of the loss and the fact that it took place on one of the largest NFT marketplaces make it stand out.
So how was the digital art heist pulled off, and what does it say about the future of the NFT community?
What Happened
On Friday, OpenSea began a migration to a new smart contract system. The migration won’t be completed until February 25, and it made for the perfect opportunity for a phishing attack.
While the details haven’t been confirmed, the bad actor in question appears to have tricked some users into signing a partial contract with some portions left blank. Once signed, the contract was then completed with a call to a new contract that transferred ownership of NFTs for free.
The phisher interacted with 32 users, successfully phishing 17 of them to steal a total of 254 tokens over three hours.
How Much Was Lost?
While the concept of NFTs holding value is a little murky due to the speculative nature of the technology, OpenSea’s CEO noted on Twitter that “rumors that this was a $200 million hack are false. The attacker has $1.7 million of ETH in his wallet from selling some of the stolen NFTs.”
In other words, the “$1.7 million” price tag doesn’t encompass the entire monetary value of the losses, just what the hacker was able to convert to something more spendable.
Since one of the guiding principles behind blockchain is that it renders regulatory authorities unnecessary, those who were tricked out of their NFTs may have little recourse.
NFT Trading Dropped 70%
OpenSea released an “end of day update” on Twitter late yesterday to explain the most recent news surrounding the aftermath of the phishing attack. At the time, they hadn’t seen activity from the attacker’s wallet in more than 36 hours.
We ruled out our contract migration tool as a vector for the attack. It is safe to migrate your listings. For the technically inclined, check out this thread on how our new signature flow (used with any new listings) is a major improvement for user safety https://t.co/t2597bRmIB
— OpenSea (@opensea) February 22, 2022
The Twitter thread includes a link to an OpenSea Help Center article that details what a smart contract migration really looks like.
That small comfort may not be enough: Statistics from data provider DappRadar indicate trading activity on OpenSea has taken a nosedive, dropping over 70% in the past four days — from 70,100 transactions to just 19,400 of them.
While that number will likely rise again once the dust clears, the impact on OpenSea’s reputation will last far longer. NFTs are one of the tech world’s buzziest concepts, but that doesn’t mean they’re one of the best. If you’re in fear for your wallet, don’t trust your activity to stay safe just because you have a great VPN — double check everything before you sign a contract.