Over the past few days, and in particular on Saturday 19 February, rumours have surfaced that the NFT platform OpenSea has been subject to a hacking attack.
Last Saturday, some users reported that NFTs from the Cool Cats and Doodle collections had been stolen, 254 works in total.
The platform's co-founder, Devin Finzer, then intervened and stated that it was in fact a phishing attack that did not directly target the platform.
“We don’t believe it’s connected to the OpenSea website”,
Finzer explained in his tweet on Sunday. Here’s the original:
As far as we can tell, this is a phishing attack. We don’t believe it’s connected to the OpenSea website. It appears 32 users thus far have signed a malicious payload from an attacker, and some of their NFTs were stolen.
— Devin Finzer (dfinzer.eth) (@dfinzer) February 20, 2022
Who was affected by the hack
Basically, the phishing attack allegedly affected 32 users who were robbed by the hackers. The attack apparently lasted about 3 hours (from 5 PM to 8 PM ET).
In particular, these are the addresses that seem to have been attacked and then robbed.
The address has now been reported and is marked on the Etherscan explorer as “Fake_Phishing5169”. It currently contains a balance of no less than 641 Ethereum, or 1.7 million dollars.
Hacker attack steals NFTs, but it’s not OpenSea’s fault
According to some more detailed information, the attack appears to have exploited a flaw in the Wyvern protocol, an open source standard that underpins many smart contracts on NFT platforms.
The attack appears to have been structured in two phases: first, the targets signed a partial contract containing a general authorization, with much of the information left blank.
With the signature in place, the hackers then supplemented the smart contract with a direct call to their contract, which automatically transferred the NFTs without any payment even taking place.
In essence, the wallets of the victims had signed a blank contract and, once signed, the attackers filled in the rest to steal the victims’ non-fungible tokens.
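A wallet-side check for the "blank contract" pattern described above, as an added example that is not from the original article, OpenSea or Wyvern: it refuses a signing request when the target, call data or price is blank, or when the target is not a contract the user already trusts. The field names and sample requests are hypothetical and do not reproduce the Wyvern order schema.

```javascript
// Added example: review an order-style signing request before the wallet signs it.
// Field names are hypothetical (not the Wyvern schema); sample data is constructed.

// A field counts as blank when it is missing, empty, or all zeroes.
function isBlank(value) {
  if (value === undefined || value === null) return true;
  const s = String(value).trim().toLowerCase();
  return s === "" || s === "0" || /^0x0*$/.test(s);
}

// Returns { allow, findings }. allow is false when the signer would be
// authorizing an order whose effect someone else can decide afterwards.
function reviewOrder(order, trustedTargets) {
  const findings = [];
  for (const field of ["target", "calldata", "price"]) {
    if (isBlank(order[field])) findings.push(`blank:${field}`);
  }
  const trusted = trustedTargets.map((a) => a.toLowerCase());
  const target = String(order.target || "").toLowerCase();
  if (!isBlank(order.target) && !trusted.includes(target)) {
    findings.push("untrusted-target");
  }
  return { allow: findings.length === 0, findings };
}

// Constructed sample values (placeholders, not real contracts or call data).
const TOKEN_CONTRACT = "0x" + "11".repeat(20);
const UNKNOWN_CONTRACT = "0x" + "22".repeat(20);
const SAMPLE_CALLDATA = "0x" + "ab".repeat(36);

// A fully specified listing: every field filled in, target is trusted.
const fullListing = { target: TOKEN_CONTRACT, calldata: SAMPLE_CALLDATA, price: "1500000000000000000" };
// The "blank contract": general authorization with the details left empty.
const blankOrder = { target: "0x" + "0".repeat(40), calldata: "0x", price: "0" };
// A filled-in order that calls an unrecognized contract and asks for no payment.
const redirected = { target: UNKNOWN_CONTRACT, calldata: SAMPLE_CALLDATA, price: "0" };

for (const [name, order] of Object.entries({ fullListing, blankOrder, redirected })) {
  const result = reviewOrder(order, [TOKEN_CONTRACT]);
  console.log(name, result.allow ? "OK to sign" : "REFUSE", result.findings.join(", "));
}
```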