A hacker stole millions of dollars worth of NFTs from OpenSea users over the weekend. The incident has highlighted the importance of operational security in Web3.
OpenSea Hack Highlights Security Risks
On Feb. 19, multiple OpenSea users reported that their wallets had been drained of valuable NFTs from collections like Bored Ape Yacht Club and Azuki. The total value of the haul was estimated at around $3 million. The next day, OpenSea said that it believed the root cause was a phishing attack that originated “outside of OpenSea.”
The attack targeted 32 users. It's believed that they were lured into clicking malicious links and signing a rogue order, an off-chain message rather than an on-chain transaction, that authorized their NFTs to be transferred to a wallet the attacker controlled. As a result, the hacker was able to drain over 250 NFTs in a matter of hours.
OpenSea uses off-chain signatures to execute gasless trades on behalf of its users: a seller signs an order message once, and anyone holding that signature can later submit it to the exchange contract to fill the order. The order can therefore be executed automatically, which means the seller does not need to be online for it to be filled. It's thought that the hacker tricked the victims into signing orders for Wyvern, the NFT exchange protocol used by OpenSea.
A pseudonymous Solidity developer known as foobar posted a tweet storm following the incident in which they said that the victims signed a malicious order that allowed the hacker to drain the NFTs to a “target address” the hacker controlled. To convince the victims to sign, the hacker is believed to have posed as OpenSea in an email or another communication channel.
The incident highlights the need for caution when signing anything a smart contract will later act on. It is also a reminder that risks exist in every corner of Web3 and that users need to educate themselves about the threats in an evolving landscape. There are several steps active Web3 users can take to reduce the risk of falling victim to such attacks.
As a first step toward securing NFTs or other crypto assets, it's important to know how to revoke the token approvals attached to a crypto wallet. Phishing attacks like the OpenSea hack are a major concern because a single malicious signature can cost every NFT in the wallet. The signed order only works because the wallet has previously approved the exchange (on OpenSea, a per-user proxy contract registered with Wyvern) to move its tokens via the ERC-721 setApprovalForAll call. If you trade on OpenSea and granted that approval to the Wyvern Exchange V1 contract, revoking it is one way to make sure that an order you may have unknowingly signed can no longer be filled, because the contract loses the right to transfer your tokens.
Users can revoke wallet permissions by going to the Token Approval page on Etherscan, connecting their wallet, and reviewing the approvals for each collection and application the wallet has interacted with. Approvals are granted per collection and per operator, they never expire on their own, and each revocation is an on-chain transaction that costs gas, so it is worth checking every collection the wallet holds rather than assuming one revocation covers them all.
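The same review Etherscan performs can be done from the chain's own event logs. The following is an added example, not Etherscan's or OpenSea's code: it replays a wallet's ERC-721 ApprovalForAll events in chain order and lists the operators that can still move its tokens, which is exactly the set a user would revoke. The log entries are constructed, every address is hypothetical, and the order of the list is deliberately scrambled to show that replay must sort by block and log index rather than trusting list order.

```python
# Added example, not Etherscan's or OpenSea's code: replay a wallet's ERC-721
# ApprovalForAll logs and list the operators that are still approved, i.e. the
# approvals a user would revoke. Log entries are constructed; addresses are hypothetical.

# keccak256("ApprovalForAll(address,address,bool)"), the standard ERC-721 event topic
APPROVAL_FOR_ALL_TOPIC = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"
# 4-byte selector of setApprovalForAll(address,bool)
SET_APPROVAL_FOR_ALL_SELECTOR = "0xa22cb465"


def topic_to_address(topic: str) -> str:
    """Indexed address arguments are left-padded to 32 bytes; keep the low 20."""
    return "0x" + topic[-40:].lower()


def decode_approval_for_all(log: dict):
    """Decode one ApprovalForAll(owner, operator, approved) entry, or None if the
    entry is some other event. owner/operator are indexed (topics[1], topics[2]);
    the bool lives in the data word."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0].lower() != APPROVAL_FOR_ALL_TOPIC:
        return None
    return {
        "collection": log["address"].lower(),
        "owner": topic_to_address(topics[1]),
        "operator": topic_to_address(topics[2]),
        "approved": int(log["data"], 16) != 0,
        "order": (log["blockNumber"], log["logIndex"]),
    }


def open_approvals(logs: list, owner: str) -> list:
    """Replay the logs in chain order; the last event for each
    (collection, operator) pair wins. Returns the pairs still approved."""
    events = [e for e in map(decode_approval_for_all, logs)
              if e is not None and e["owner"] == owner.lower()]
    state = {}
    for e in sorted(events, key=lambda e: e["order"]):
        state[(e["collection"], e["operator"])] = e["approved"]
    return sorted(pair for pair, approved in state.items() if approved)


def revoke_calldata(operator: str) -> str:
    """ABI calldata for setApprovalForAll(operator, false), to be sent to the
    collection contract from the owner's wallet."""
    return (SET_APPROVAL_FOR_ALL_SELECTOR
            + operator[2:].lower().rjust(64, "0")   # address, left-padded to 32 bytes
            + "0" * 64)                              # bool false


# Constructed sample: one wallet, two collections, an exchange proxy and an
# unknown operator. The proxy approval on COLLECTION_A was later revoked.
WALLET = "0x" + "aa" * 20
COLLECTION_A, COLLECTION_B = "0x" + "c1" * 20, "0x" + "c2" * 20
EXCHANGE_PROXY, UNKNOWN_OPERATOR = "0x" + "e1" * 20, "0x" + "bb" * 20


def _log(collection, owner, operator, approved, block, idx):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": collection,
            "topics": [APPROVAL_FOR_ALL_TOPIC, pad(owner), pad(operator)],
            "data": "0x" + ("1" if approved else "0").rjust(64, "0"),
            "blockNumber": block, "logIndex": idx}


SAMPLE_LOGS = [                                                   # deliberately out of order
    _log(COLLECTION_A, WALLET, EXCHANGE_PROXY, False, 300, 1),    # revoked on Etherscan
    _log(COLLECTION_A, WALLET, EXCHANGE_PROXY, True, 100, 7),
    _log(COLLECTION_B, WALLET, UNKNOWN_OPERATOR, True, 250, 5),   # a phishing dapp's approval
    _log(COLLECTION_A, "0x" + "dd" * 20, EXCHANGE_PROXY, True, 310, 3),  # someone else's wallet
    _log(COLLECTION_B, WALLET, EXCHANGE_PROXY, True, 120, 2),
]

if __name__ == "__main__":
    for collection, operator in open_approvals(SAMPLE_LOGS, WALLET):
        print(f"{collection} still approves {operator}; revoke with {revoke_calldata(operator)}")
```

Run against real logs, the input would be the result of an eth_getLogs query filtered on the ApprovalForAll topic and the wallet's address in topic position 1; the decoding and replay logic is the same. Single-token Approval events (one token ID at a time) are a separate event and are not covered here.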
Avoid Blind Signatures
Following the OpenSea hack, the company's Chief Technology Officer Nadav Hollander said in a tweet storm that valid signatures from the victims were exploited on the Wyvern V1 contract (before OpenSea migrated to Wyvern V2.3). Users “did sign an order somewhere, at some point in time,” he said. This suggests that the victims inadvertently signed malicious orders.
In the past, crypto phishing attacks have tricked users into entering their wallet's seed phrase, allowing the hacker to take over the wallet and steal the funds. In other cases, hackers have obtained permission to spend funds by luring users in with fake airdrops. The OpenSea incident was different in that the hacker targeted many collectors at once and never needed their keys. It shows that in addition to guarding seed phrases, users need to be careful about signing off-chain messages and interacting with suspicious contracts.
Once a signature has been produced, a third party can move assets on the user's behalf even if the keys live in a hardware wallet: the hardware wallet protects the private key, not the user from approving a bad message. Hence, it is crucial for users to take care when producing gasless signatures on OpenSea or any other application. Some blockchain experts recommend against approving blind signatures at all.
A blind signature request shows the user only an opaque hex string, the hash of the message, with no indication of what the message authorizes. EIP-712 typed signatures, by contrast, present the structured fields of the message (for an order: the maker, the target address, the price, the expiry) at the time of the signature request, and the signed digest is bound to the chain ID and the verifying contract, so it cannot be replayed against another contract. Per Hollander, the EIP-712 format that comes with the recently migrated OpenSea contracts makes it “much more difficult for bad actors to trick someone into signing an order without realizing it.”
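To make the difference concrete, here is an added example that is not OpenSea's or Wyvern's code. It builds the EIP-712 digest for a simplified, hypothetical Order struct (maker, target, basePrice, expirationTime) beside the opaque personal_sign hash a blind flow would present, and shows what a wallet can display in each case. keccak256 is implemented inline so the block runs on the standard library alone; the exchange name, the domain values and all addresses are invented for the illustration.

```python
# Added example, not OpenSea's or Wyvern's code: what a wallet can show for a
# blind signature versus an EIP-712 typed signature over the same order.
# keccak256 is implemented inline; the Order struct, domain and addresses are
# hypothetical and simplified.

_RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
       0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
       0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
       0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
       0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
       0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
_ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
        [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]
_MASK = (1 << 64) - 1


def _rol(v, n):
    return ((v << n) | (v >> (64 - n))) & _MASK if n else v


def _keccak_f(a):
    """Keccak-f[1600] permutation on a 5x5 lane array a[x][y]."""
    for rc in _RC:
        c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        b = [[0] * 5 for _ in range(5)]
        for x in range(5):
            for y in range(5):
                b[y][(2 * x + 3 * y) % 5] = _rol(a[x][y], _ROT[x][y])
        a = [[b[x][y] ^ (~b[(x + 1) % 5][y] & b[(x + 2) % 5][y]) for y in range(5)]
             for x in range(5)]
        a[0][0] ^= rc
    return a


def keccak256(data: bytes) -> bytes:
    """Ethereum's keccak256 (original Keccak padding, not FIPS SHA3-256)."""
    rate = 136
    buf = bytearray(data) + b"\x01"
    buf += b"\x00" * (-len(buf) % rate)
    buf[-1] |= 0x80
    a = [[0] * 5 for _ in range(5)]
    for off in range(0, len(buf), rate):
        for i in range(rate // 8):
            a[i % 5][i // 5] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        a = _keccak_f(a)
    return b"".join(a[i % 5][i // 5].to_bytes(8, "little") for i in range(4))


def abi_word(value) -> bytes:
    """ABI-encode an address (hex string) or uint256 (int) as one 32-byte word."""
    if isinstance(value, str):
        return bytes.fromhex(value[2:]).rjust(32, b"\x00")
    return value.to_bytes(32, "big")


DOMAIN_TYPE = "EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"
ORDER_TYPE = "Order(address maker,address target,uint256 basePrice,uint256 expirationTime)"


def domain_separator(name, version, chain_id, contract) -> bytes:
    return keccak256(keccak256(DOMAIN_TYPE.encode()) + keccak256(name.encode())
                     + keccak256(version.encode()) + abi_word(chain_id) + abi_word(contract))


def struct_hash(order: dict) -> bytes:
    fields = ("maker", "target", "basePrice", "expirationTime")
    return keccak256(keccak256(ORDER_TYPE.encode()) + b"".join(abi_word(order[f]) for f in fields))


def eip712_digest(domain_sep: bytes, order: dict) -> bytes:
    """EIP-712: 0x1901 || domainSeparator || hashStruct(order), bound to chain and contract."""
    return keccak256(b"\x19\x01" + domain_sep + struct_hash(order))


def blind_digest(order: dict) -> bytes:
    """Legacy flow: the dapp computes an opaque order hash itself and asks the wallet
    to personal_sign it; the wallet can only display the 32-byte hex."""
    return keccak256(b"\x19Ethereum Signed Message:\n32" + struct_hash(order))


def wallet_prompt_blind(order: dict) -> dict:
    return {"hash": "0x" + struct_hash(order).hex()}


def wallet_prompt_typed(domain_fields: dict, order: dict) -> dict:
    return {"domain": dict(domain_fields), "message": dict(order)}


def target_check(prompt: dict, trusted: list) -> str:
    """'unreadable' for a blind prompt, otherwise whether the visible target is trusted."""
    target = prompt.get("message", {}).get("target")
    if target is None:
        return "unreadable"
    return "trusted" if target.lower() in {t.lower() for t in trusted} else "untrusted"


# Constructed sample: a zero-price, never-expiring order that hands the maker's
# assets to an attacker-controlled target, the shape of order the text describes.
DOMAIN_FIELDS = {"name": "Example Exchange", "version": "1", "chainId": 1,
                 "verifyingContract": "0x" + "11" * 20}
DOMAIN = domain_separator(DOMAIN_FIELDS["name"], DOMAIN_FIELDS["version"],
                          DOMAIN_FIELDS["chainId"], DOMAIN_FIELDS["verifyingContract"])
ORDER = {"maker": "0x" + "aa" * 20, "target": "0x" + "bb" * 20, "basePrice": 0, "expirationTime": 0}

if __name__ == "__main__":
    trusted = [DOMAIN_FIELDS["verifyingContract"]]
    print("blind:", wallet_prompt_blind(ORDER), target_check(wallet_prompt_blind(ORDER), trusted))
    print("typed:", wallet_prompt_typed(DOMAIN_FIELDS, ORDER),
          target_check(wallet_prompt_typed(DOMAIN_FIELDS, ORDER), trusted))
```

The blind prompt carries nothing a human or a wallet heuristic can inspect, so target_check can only answer "unreadable"; the typed prompt exposes the target address, which is what lets a wallet warn that assets would go somewhere other than the exchange. The domain separator also means that the same order signed for chain ID 1 produces a different digest on any other chain or contract, which the test below checks.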
Be Wary of Mixing Web3 and Emails
In connection with the OpenSea incident, multiple reports of phishing email campaigns have surfaced. It's thought that the hacker sent out an email posing as OpenSea that urged users to authorize a migration of their NFT listings to the new Wyvern contract. After clicking through, it appears the users signed orders that gave the hacker permission to drain their wallets.
Because sender addresses can be spoofed and lookalike domains are cheap to register, attackers can send emails that appear to come from any domain they like. Users should be wary of any email that asks for a signature or transaction from MetaMask or another Web3 wallet, even when it appears to come from an official source. One of the best tips in operational security is to avoid reaching Web3 applications through links posted in email or on social media: navigate to the application from a bookmark or by typing its address, and treat any crypto-related link as suspect unless you can verify where it leads.
Besides taking care when signing and avoiding phishing attempts, there are other steps crypto users can take to stay protected. It's a good idea, for example, to move high-value assets like NFTs to a cold-storage wallet that never connects to any application and has granted no approvals, so there is nothing for a stolen signature to act on. To learn more about safeguarding NFTs from hackers, check out the beginner's guide feature on the topic.