An NFT-related cybersecurity incident involving the OpenSea NFT marketplace took place over the weekend. Apparently, threat actors exploited a smart contract migration to deceive 17 users, resulting in the loss of nearly $3 million worth of NFTs (non-fungible tokens).
OpenSea Hack: What Happened?
On February 19, hackers emptied the wallets of 17 users. One of the possible reasons is “a new contract that OpenSea had rolled out, or an airdrop from a new NFT marketplace called X2Y2.” As a result, NFT owners were urged to revoke permissions for both the OpenSea contract and for X2Y2 until more details were revealed, although one of the most popular websites helping people do so went down shortly afterwards under the heavy traffic, according to a post dedicated to the incident.
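The advice above, revoking permissions granted to a marketplace contract, rests on the ERC-721 operator-approval mechanism: a wallet calls `setApprovalForAll(operator, true)` once, and from then on that operator may transfer any token the wallet holds in that collection until the approval is set back to `false`. Every such call emits an `ApprovalForAll(owner, operator, approved)` event, so replaying those events tells you which operators still have blanket approval over your tokens. The script below is an added example, not code from the original post or from OpenSea; the log entries it processes are constructed in the shape returned by an Ethereum node's `eth_getLogs`, and the collection, wallet and operator addresses are placeholders.

```python
"""Audit ERC-721 operator approvals by replaying ApprovalForAll events.

Added example (not from the original article). Replays
ApprovalForAll(owner, operator, approved) events, emitted whenever
setApprovalForAll is called on an ERC-721 collection, and reports which
operators can still move an owner's tokens. Sample logs and all
addresses below are constructed placeholders.
"""
from dataclasses import dataclass

# keccak256("ApprovalForAll(address,address,bool)"): the ERC-721 event topic
APPROVAL_FOR_ALL_TOPIC = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"


def topic_to_address(topic: str) -> str:
    """Indexed address params are left-padded to 32 bytes; keep the low 20."""
    word = topic.lower().removeprefix("0x")
    if len(word) != 64:
        raise ValueError(f"bad topic length: {len(word)}")
    return "0x" + word[-40:]


def data_to_bool(data: str) -> bool:
    """A non-indexed bool is ABI-encoded as one 32-byte word holding 0 or 1."""
    word = data.lower().removeprefix("0x")
    if len(word) != 64 or int(word, 16) not in (0, 1):
        raise ValueError(f"bad bool word: {data}")
    return int(word, 16) == 1


@dataclass(frozen=True)
class Approval:
    collection: str  # ERC-721 contract that emitted the event
    owner: str       # wallet whose tokens are affected
    operator: str    # address granted (or denied) blanket transfer rights


def replay_approvals(logs):
    """Return the set of Approval triples whose latest event set approved=true.

    Logs are applied in (blockNumber, logIndex) order so a later revoke
    overrides an earlier grant, exactly as the contract's storage would.
    """
    ordered = sorted(logs, key=lambda log: (log["blockNumber"], log["logIndex"]))
    state = {}
    for log in ordered:
        topics = log["topics"]
        if not topics or topics[0].lower() != APPROVAL_FOR_ALL_TOPIC:
            continue  # some other event (Transfer, Approval, ...): ignore
        if len(topics) != 3:
            continue  # ApprovalForAll has exactly two indexed parameters
        key = Approval(
            collection=log["address"].lower(),
            owner=topic_to_address(topics[1]),
            operator=topic_to_address(topics[2]),
        )
        state[key] = data_to_bool(log["data"])
    return {k for k, approved in state.items() if approved}


def live_operators_for(logs, owner: str):
    """(collection, operator) pairs that still hold blanket approval over owner's tokens."""
    owner = owner.lower()
    return sorted((a.collection, a.operator) for a in replay_approvals(logs) if a.owner == owner)


# ---- constructed sample data (placeholder addresses, not real deployments) ----
OWNER = "0x" + "11" * 20             # the wallet being audited
MARKETPLACE = "0x" + "aa" * 20       # a marketplace contract the owner approved, then revoked
UNKNOWN_OPERATOR = "0x" + "bb" * 20  # an operator the owner approved and forgot about
COLLECTION = "0x" + "cc" * 20        # an ERC-721 collection contract
OTHER_TOPIC = "0x" + "de" * 32       # stands in for an unrelated event signature


def _pad_address(addr: str) -> str:
    return "0x" + "00" * 12 + addr[2:].lower()


def _bool_word(value: bool) -> str:
    return "0x" + "00" * 31 + ("01" if value else "00")


SAMPLE_LOGS = [
    {"address": COLLECTION, "topics": [APPROVAL_FOR_ALL_TOPIC, _pad_address(OWNER), _pad_address(MARKETPLACE)],
     "data": _bool_word(True), "blockNumber": 100, "logIndex": 0},
    {"address": COLLECTION, "topics": [APPROVAL_FOR_ALL_TOPIC, _pad_address(OWNER), _pad_address(UNKNOWN_OPERATOR)],
     "data": _bool_word(True), "blockNumber": 200, "logIndex": 3},
    {"address": COLLECTION, "topics": [OTHER_TOPIC, _pad_address(OWNER), _pad_address(MARKETPLACE)],
     "data": _bool_word(True), "blockNumber": 250, "logIndex": 1},   # skipped: not ApprovalForAll
    {"address": COLLECTION, "topics": [APPROVAL_FOR_ALL_TOPIC, _pad_address(OWNER), _pad_address(MARKETPLACE)],
     "data": _bool_word(False), "blockNumber": 300, "logIndex": 1},  # revocation wins over block 100
]

if __name__ == "__main__":
    for collection, operator in live_operators_for(SAMPLE_LOGS, OWNER):
        print(f"{operator} can still move every token {OWNER} holds in {collection}")
```

The replay is an offline approximation: the authoritative answer is the collection's `isApprovedForAll(owner, operator)` view call, and the event set must cover the collection's whole history for the replay to agree with it. Any operator the script lists that you do not recognise is a candidate for `setApprovalForAll(operator, false)`, which is what the revocation sites mentioned above submit on your behalf.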
Shortly after the incident, users started reporting missing NFTs, and the platform acknowledged the problem in a tweet. According to the tweet, OpenSea had initiated an investigation into an exploit associated with smart contracts related to OpenSea. A phishing attack originating outside the platform, rather than a flaw in the contract itself, appeared to be to blame. Later, it was determined that a threat actor had successfully phished 17 OpenSea users into signing a malicious contract, allowing them to take the NFTs and then resell them.
What is strange is that the hacker returned some of the non-fungible tokens to their original owners. Moreover, one of the victims even received 50 ETH, or $130,000, from the hacker in addition to some of his stolen NFTs. The hacker later transferred 1,115 ETH obtained from the attack, worth about $2.9 million, to a cryptocurrency tumbler.
The Risk of Smart Contracts and NFTs
Smart contracts are fundamental to the design of NFTs. However, they also open security loopholes in the existing NFT market. Another real-world example illustrates these risks: the attack against the DeFi-based Poly Network, in which threat actors stole nearly $600 million. You can learn more about the risks stemming from non-fungible tokens in our dedicated article.