On the morning of February 19th, multiple OpenSea users reported that their wallets had been hacked as a number of valuable NFTs were missing from their collection. Among the collections stolen were Bored Ape Yacht Club, Azuki, and Mutant Apes.
The total dollar value stolen is disputed. Early estimates on Twitter put it at around $200 million; others gave a more realistic figure of roughly $50 million; the most conservative estimates, based on how much ETH actually ended up in the attacker's wallet, put it at about $1.7 million.
The attack is believed to have targeted just 32 high-profile users. The victims were lured into clicking malicious links in phishing emails and signing a malicious order, an off-chain signature rather than an on-chain transaction, that gave permission for their NFTs to be transferred to the attacker's wallet.
These phishing lures let the hacker drain over 250 NFTs in just a few hours.
OpenSea uses off-chain signatures to offer gasless trades: a seller signs an order once, off-chain, and anyone holding that signed order can later submit it to the exchange contract to fill it. Because the signature is all that is needed, the seller does not have to be online, or pay gas, when the order is filled. It is thought that the attacker tricked the victims into signing Wyvern orders, Wyvern being the NFT exchange protocol OpenSea used at the time.
The attack serves as a reminder that risks are found in every corner of the internet, even in the supposedly watertight world of Web3. There are a number of steps users can take to mitigate those risks.
Users should revoke stale permissions (token approvals) associated with their wallets; left untouched, these approvals are what make a phished signature effective. If you trade on OpenSea and have granted the approvals that the Wyvern Exchange V1 contract relies on, revoking them is one way to reduce the risk: revocation does not invalidate an order you have already signed, but it removes the transfer permission that such an order depends on, so it can no longer move your tokens.
Users can revoke wallet permissions with Etherscan's Token Approvals checker (https://etherscan.io/tokenapprovalchecker): connect the wallet, review the approvals granted to each contract the wallet has interacted with, and revoke the ones that are no longer needed. Each revocation is an on-chain transaction and costs gas.
Avoid Blind Signatures
OpenSea CTO Nadav Hollander stated that valid signatures from the victims were exploited on the Wyvern V1 contract (before OpenSea migrated to Wyvern V2.3). Users “did sign an order somewhere, at some point in time,” he said. This suggests that the victims may have inadvertently signed malicious orders.
A legacy signature request of that kind presents the user with nothing but an opaque hex string, a 32-byte hash, with no indication of which contract will consume it or what it authorises. An EIP-712 typed-data request, by contrast, shows the user the structured content being signed (the domain, including the verifying contract, and every field of the order) at the time of the signature request.
Per Hollander, the EIP-712 format that comes with the recently migrated OpenSea contracts makes it “much more difficult for bad actors to trick someone into signing an order without realizing it.”
Use Phishing And Virus Protection Software, Like SaferNet
Cryptocurrency and the blockchain stand to be major driving forces in the technology of the future. However, this popularity has attracted cybercrime. There are several tools internet users should use to increase their online protection. One of these tools is SaferNet.
SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, always-on (24/7), military-grade VPN, but it also stops outside cyberthreats, malware and viruses. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet's VPN and cyber protection, it also offers a range of employee or parental/family internet controls, including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.
Typically, a user would need three separate services for a VPN, malware protection, and internet controls; SaferNet offers all three features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers, at an economical price point that caters to all internet users. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all of your employees' or family members' devices, including activity, time spent online, and threats blocked.