Leading Ethereum NFT Marketplace OpenSea created an opportunity for hackers when the platform announced a new smart contract upgrade with a one-week deadline on February 20. The week-long planned upgrade to delist inactive NFTs opened up a window of opportunity for hackers to use a phishing attack on NFT holders.
The OPENSEA upgrade requires users to migrate their listed NFTs on Ethereum to a new smart contract. Additionally, OpenSea is waiving all gas fees to allow users to perform the move without cost. As a direct result of the upgrade, users that don’t migrate over from Ethereum risk losing their old, inactive listings. They would then need to list their items again, potentially paying gas fees again.
Within hours after OpenSea’s upgrade announcement, reports across several sources, including OpenSea, emerged about an ongoing attack that targets the soon-to-be-delisted NFTs. OpenSea was quick to respond and tried to educate users and solve the issue quickly.
Further analyses uncovered by Peckshield identified that the attacker used phishing emails to steal the NFTs before migrating to OpenSea’s new smart contract. Once a user authorizes the NFT migration from the fraudulent email, the attackers access the NFTs. The details of the hack reveal how the bad actor has been plotting the attack for a few weeks.
OpenSea NFT Hack Explained
Thanks to a Twitter onlooker, we can break down the attack to see how it happened. The attack formally began 28 days ago when the hacker uploaded a new smart contract to capture as many signatures as possible.
The hacker then starts sending phishing emails telling receivers to sign a message to log in and migrate to the new OpenSea smart contract to make a sale. Instead, receivers are signing a private deal worth 0 ETH, allowing the hacker to buy your NFT for zero later.
Then the bad actor waited for the window of opportunity when users would rush to take action on their NFTs for fear of losing them. On February 20, they executed the smart contract function to steal the NFTs before the listings expired. All this is made possible because they already have your signatures stored on a server.
The deeper technical side of the hack has been explained here for those interested. In short, NFT holders may receive an email that looks like the below screenshot telling them they received an offer on an NFT they don’t know or may have in their wallet but forgotten about. Of course, you want to sell it, and you click.
OpenSea co-founder and CEO Devin Finzer acknowledged the phishing attack and confirmed that 17 users had been identified as affected thus far. While the NFT marketplace is yet to decipher the ongoing attack, blockchain investigator Peckshield suspects a possible leak of user information (including email details) that fuels the phishing attack.
However, Finzer has asked affected users to reach out to the company as he concluded:
“If you are concerned and want to protect yourself, you can un-approve access to your NFT collection.” Users are now advised to be wary of all communications from OpenSea and revoke all permissions about the migration to the new smart contract.
How to revoke access to your NFTs
Amidst the confusion, the best possible action to take is to revoke access to your NFT collections and items.
For tokens on the Ethereum network, using Etherscan helps you to know the number of smart contracts you have approved on your wallet. The Etherscan tool is a data aggregator for all tokens built via the ERC20 standard. So you can always get to see ongoing transactions on every ERC20 token.
Aside from that, this is also a valuable tool for assessing your token approvals list. Through Etherscan, you can revoke access to your wallet. When you revoke access to your wallet, you will need to approve access again the next time you enter that dapp. However, your tokens won’t be gone. No worries. Now, let’s get to the crux of the whole discourse.
- Open Metamask, make sure you’re logged in. Click the wallet address to copy it.
- Go to the Token Approval Checker on Etherscan. The service is currently in beta and can be found once you log in to Etherscan > More > Tools > Token Approvals.
- Paste your wallet address > press search
- The page will now show all approved smart contract interactions with that particular wallet.
- Click the “Connect to Web3” button, to connect Etherscan to your wallet active in Metamask.
- Once connected, you can click the “Revoke” button on the right side to make sure a certain dapp no longer has access to your wallet. Keep in mind, there are gas fees involved in revoking access. However, the choice between spending $5 or losing $5,000 is presumably pretty easy.
As mentioned, OpenSea is all over the attack and trying hard to educate the community and stop it. The attack does not appear to be operational at writing, with no activity on the malicious contract in around 15 hours.
Stay Safe
The best thing to do right now is to revoke access from OpenSea using the instructions above. Then, keep a close eye on the OpenSea Twitter as they continue to unravel and inform the community on staying safe.
The above does not constitute investment advice. The information given here is purely for informational purposes only. Please exercise due diligence and do your research. The writer holds ETH, BTC, AGIX, HEX, LINK, GRT, CRO, OMI, IMMUTABLE X, GALA, AVASTR, GMEE, CUBE, RADAR, FLOW, FTM, BNB, SPS, WRLD, ATOM, and ADA.
