On Feb. 19, 2022, OpenSea users started to notice strange activity on the company’s platform. It appeared that an attacker was using a smart contract to interact with OpenSea’s new exchange contract and steal millions of dollars worth of NFTs. By the time the news spread, the attacker had already stolen several of the world’s most popular — and expensive — NFTs from a number of different users.
Ultimately, the stolen NFTs included four Azukis, two Coolmans, two Doodles, two KaijuKings, one Mutant Ape Yacht Club (MAYC), one Cool Cat, and one Bored Ape Yacht Club (BAYC). The attacker then quickly sold the stolen NFTs to other users to turn a profit. So far, the attacker has sold more than $1.7 million in stolen NFTs.
At the time of publication, the attacker had sold $700k in stolen NFTs. That number rose to $1.7 million just twenty minutes later. This number continued to rise in the hours following. All in all, two hundred and fifty-four tokens were stolen over roughly three hours.
The incident wasn’t caused by a generalized smart-contract exploit; rather, it was a phishing attack. The attacker appeared to be using a helper contract, deployed 30 days earlier, to call an OpenSea contract deployed over four years ago with valid atomicMatch data, i.e. order data the victims themselves had signed (for those interested in a full technical breakdown, here’s a more detailed overview).
In a tweet posted a half-hour after users initially noted the activity, OpenSea confirmed the rumors, stating that the event appeared to be a phishing attack originating outside of OpenSea’s website. In the post, the company urged users not to click any links outside of the official site.
Several hours later, at 11 pm EST, OpenSea co-founder and CEO, Devin Finzer, took to Twitter to clarify exactly what happened. Finzer reiterated that, according to internal investigations, it was a phishing attack, and he stated that at least 32 users had signed a malicious payload from the attacker. Beyond that, he noted that the company was still searching for answers. “We are not aware of any recent phishing emails that have been sent to users, but at this time we do not know which website was tricking users into maliciously signing messages,” he said.
An old bug and new update collide
OpenSea had just unveiled the new smart contract upgrade the day prior, on Feb. 18, 2022.
In an official statement announcing the upgrade, the company said that it was designed to remove inactive listings on the platform. “This new upgrade will ensure old, inactive listings on Ethereum securely expire and allow us to offer new safety features in the future,” they said. Because of the upgrade, all OpenSea users were required to migrate their NFT listings to the new smart contract.
Unfortunately, this isn’t the first time such problems have arisen. In fact, the latest update was rolled out precisely to fix a previous bug, one that also cost users their money and NFTs.
In January 2022, a bug on OpenSea enabled attackers to buy NFTs for far, far less than they were actually worth. The bug, which was initially discovered around Dec. 31, 2021, permitted attackers to make purchases at older, lower prices. Tal Be’ery, Chief Technology Officer of the ZenGo crypto wallet, noted that one NFT from the BAYC collection was still listed at its July 2021 price of just 23 ether. After purchasing it at that rate, the attacker was able to sell it for 135 ether.
That’s a profit of nearly $300k for the attacker at today’s prices, and it resulted in a massive loss for the unfortunate seller.
The bug ultimately came about as a result of the way OpenSea’s platform interacts with the Ethereum blockchain. To break this down: the platform saves gas fees by keeping listings off-chain as signed orders, rather than writing each one to the chain. However, a bug in the system allowed old listings to remain valid on the blockchain without appearing on OpenSea. Many of these listings were years old. By filling those old listings, attackers could take advantage of the out-of-date prices.
OpenSea did respond to the issue and offer users a refund, of sorts. Unfortunately, many were left unhappy with the offer.
Ironically, the latest upgrade was meant to fix this exact bug. OpenSea clarified that the new system is intended to let individuals cancel all of their unfilled listings while incurring only minimal gas fees. However, it appears to have caused even more problems for some users, who fell prey to the phishing attack during the migration.
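To make the two mechanisms above concrete, here is an added toy model (constructed for this article, not OpenSea’s or Wyvern’s code) of an off-chain order book. It shows why a signed listing that was never cancelled on-chain stays fillable at its old price even after the token has left and returned to the seller’s wallet, how a per-maker nonce lets one cheap “cancel all” transaction void every such listing, and a small wallet-side check a user could run before signing any order payload. All names, addresses, secrets and the HMAC stand-in for ECDSA signatures are assumptions of the example; the 23 and 135 ether figures are the ones quoted above.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class Listing:
    maker: str        # seller address that signs the listing
    token_id: int
    price_eth: float
    nonce: int        # maker's on-chain cancel counter at signing time
    expiry: int       # unix time after which the listing is void


def listing_digest(listing: Listing) -> bytes:
    """Hash of every order field (stand-in for an EIP-712 struct hash)."""
    payload = json.dumps(asdict(listing), sort_keys=True).encode()
    return hashlib.sha256(payload).digest()


def sign_listing(maker_secret: bytes, listing: Listing) -> str:
    """HMAC stands in for ECDSA here: only the maker can produce it, and it
    commits to every field, so a changed price yields a different signature."""
    return hmac.new(maker_secret, listing_digest(listing), "sha256").hexdigest()


class ToyExchange:
    """The on-chain side: token ownership, per-maker nonces, filled orders."""

    def __init__(self) -> None:
        self.owner_of: dict[int, str] = {}
        self.maker_secret: dict[str, bytes] = {}  # stand-in for signer recovery
        self.maker_nonce: dict[str, int] = {}
        self.filled: set[bytes] = set()

    def register(self, addr: str, secret: bytes) -> None:
        self.maker_secret[addr] = secret
        self.maker_nonce.setdefault(addr, 0)

    def transfer(self, token_id: int, to: str) -> None:
        self.owner_of[token_id] = to

    def cancel_all(self, maker: str) -> None:
        """One cheap on-chain tx that voids every listing signed under the old nonce."""
        self.maker_nonce[maker] += 1

    def fill(self, listing: Listing, sig: str, buyer: str, now: int) -> str:
        """Attempt to fill a signed listing; returns 'filled' or the rejection reason."""
        expected = sign_listing(self.maker_secret[listing.maker], listing)
        if not hmac.compare_digest(expected, sig):
            return "bad signature"
        digest = listing_digest(listing)
        if digest in self.filled:
            return "already filled"
        if now > listing.expiry:
            return "expired"
        if self.owner_of.get(listing.token_id) != listing.maker:
            return "maker no longer owns token"
        if listing.nonce != self.maker_nonce[listing.maker]:
            return "stale nonce"
        self.filled.add(digest)
        self.owner_of[listing.token_id] = buyer
        return "filled"


def pre_sign_warnings(listing: Listing, intended_price: float) -> list[str]:
    """Wallet-side lint to run before signing any order payload."""
    warnings = []
    if listing.price_eth <= 0:
        warnings.append("price is zero: the token would be given away")
    elif listing.price_eth < intended_price:
        warnings.append(f"price {listing.price_eth} is below intended {intended_price}")
    if listing.expiry > 10**10:
        warnings.append("no practical expiry: the listing stays fillable indefinitely")
    return warnings


def stale_listing_scenario(cancelled_on_chain: bool) -> str:
    """Alice signs a 23 ETH listing, the token leaves and returns to her wallet,
    and the old signed listing is later submitted against a 135 ETH market."""
    ex = ToyExchange()
    alice_secret = b"alice-secret (constructed)"
    ex.register("alice", alice_secret)
    ex.register("bob", b"bob-secret (constructed)")
    ex.transfer(1, "alice")
    old = Listing("alice", 1, 23.0, ex.maker_nonce["alice"], expiry=4_000_000_000)
    old_sig = sign_listing(alice_secret, old)
    ex.transfer(1, "alice-cold")   # listing vanishes from the UI, not from chain validity
    ex.transfer(1, "alice")
    if cancelled_on_chain:
        ex.cancel_all("alice")     # the step the upgrade is meant to make cheap
    return ex.fill(old, old_sig, buyer="bob", now=1_645_000_000)


if __name__ == "__main__":
    print("no cancel-all:", stale_listing_scenario(False))   # filled
    print("with cancel-all:", stale_listing_scenario(True))  # stale nonce
```

The point of the model is that the exchange contract only ever sees a signature and a set of order fields: it cannot know the seller forgot about the listing, so the only things that invalidate it are the fields the signature commits to (expiry) or on-chain state the contract checks (ownership, the fill set, the maker nonce). Bumping the nonce once is what makes “cancel all unfilled listings” a single cheap transaction instead of one cancellation per stale order.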