Opensea phishing scandal reveals a security need across the NFT landscape

Despite the ongoing volatility plaguing the digital asset sector, one niche that has undoubtedly continued to flourish is the nonfungible token (NFT) market. This is evident from the growing number of mainstream movers and shakers, including Coca-Cola, Adidas, the New York Stock Exchange (NYSE) and McDonald's, among many others, that have made their way into the burgeoning Metaverse ecosystem in recent months.


Moreover, with global NFT sales topping $40 billion over the course of 2021 alone, many analysts expect this trend to continue.

For example, American investment bank Jefferies recently raised its market-cap forecast for the NFT sector to over $35 billion for 2022 and to over $80 billion for 2025, a projection that was also echoed by JP Morgan.

However, as with any market growing at such an exponential rate, security issues are to be expected as well. Case in point: prominent NFT marketplace OpenSea recently fell victim to a phishing attack that took place just hours after the platform announced a planned week-long upgrade that would delist all inactive NFT listings.

Diving into the matter

On Feb. 18, OpenSea revealed that it was going to initiate a smart contract upgrade, requiring all of its users to migrate their NFT listings on the Ethereum blockchain to a new smart contract. Users who failed to complete the migration risked losing their old, inactive listings.

That said, the short migration window provided by OpenSea presented attackers with a potent window of opportunity. Within hours of the announcement, it emerged that malicious third parties had launched a sophisticated phishing campaign, stealing NFTs from many users before their listings could be migrated over to the new smart contract.

Providing a technical breakdown of the matter, Neeraj Murarka, chief technical officer and cofounder of Bluzelle, a blockchain for the GameFi ecosystem, told Cointelegraph that at the time of the incident, OpenSea was making use of a protocol called Wyvern, a standard technology module that most NFT web apps use, since it allows for the management, storage and transfer of these tokens within users' wallets.

Because the Wyvern smart contract allowed users to operate on the NFTs held in their wallets, the hacker was able to send emails to OpenSea clients, masquerading as a representative of the platform and encouraging them to sign “blind” transactions. Murarka further added:

“Metaphorically, this was like signing a blank check. Normally, this is okay if the payee is the intended recipient. Keep in mind that an email can be sent by anyone but be made to appear to be sent by someone else.

In this case, the payee appears to be a single hacker who was able to use these signed transactions to transfer out and effectively steal the NFTs from these users.”
 

In an interesting twist, following the incident the hacker apparently returned some of the stolen NFTs to their rightful owners, with further efforts underway to return other lost assets.

Providing his take on the entire matter, Alexander Klus, founder of Creaton, a Web3 content creation platform, told Cointelegraph that the phishing email campaign used a malicious signing transaction to approve all holdings so that they could be drained at any time.

“We need better signing standards (EIP-712) so people can actually see what they are doing when approving a transaction.”

Lastly, Lior Yaffe, cofounder and director of Jelurida, a blockchain software company, pointed out that the episode was a direct result of the confusion surrounding OpenSea’s poorly planned smart contract upgrade, as well as the platform’s transaction approval architecture.

NFT marketplaces need to step up their security game

In Murarka’s view, web apps making use of the Wyvern smart contract system should be augmented with usability improvements to ensure that users don’t fall for such phishing attacks time and time again, adding:

“Very clear warnings should be made to educate the user about phishing attacks and driving home the fact that emails will never be sent, soliciting the user to take any steps. Web apps like OpenSea should adopt a strict protocol to never communicate with users via email apart from maybe just registration data.”

That said, he did concede that even if OpenSea were to adopt the safest security and privacy protocols and standards, it would still be up to its users to educate themselves about these risks. “Unfortunately, the web app itself is often held responsible, even though it was the user that was phished. Who is responsible? The answer is unclear,” he noted. - Cointelegraph.