
An attacker is stealing millions of dollars in NFTs from OpenSea users

Author: Old yuppie

On February 19, 2022 (February 20, Beijing time), OpenSea users (https://twitter.com/jon_hq/status/1495194178355011586?s=21) began to notice some strange transactions on the OpenSea platform. It appears that an attacker is using old smart contracts to interact with OpenSea's updated contracts and steal millions of dollars worth of NFTs. We quickly verified that these transactions were indeed not the work of the NFT owners. At the time of publication, the attackers had already stolen several of the world's most popular – and most expensive – NFTs from a number of different users.


Screenshot of Twitter user Jon_HQ's tweet

If you are worried about this and want to protect your NFT assets, you can revoke the platform's approval to transfer your NFTs using Etherscan's token approval checker (https://etherscan.io/tokenapprovalchecker).

Ultimately, the stolen NFTs included four Azukis, two Coolmans, two Doodles, two KaijuKings, a Mutant Ape Yacht Club (MAYC), a Cool Cat, and a Bored Ape Yacht Club (BAYC). The attackers then quickly sold the stolen NFTs to other users for a profit. So far, the attackers have sold more than $1.7 million worth of stolen NFTs.

Editor's Note: At the time of publication, the attackers had sold $700,000 in stolen NFTs. Just twenty minutes later, that number rose to $1.7 million. However, the total amount of stolen NFT assets appears to be millions of dollars higher.

The attack does not appear to have been caused by a pervasive smart contract vulnerability. Rather, it looks like a phishing attack. The attackers appear to have used a secondary contract deployed 30 days ago to call an OpenSea contract deployed more than four years ago, supplying valid atomicMatch data (for those interested in the full technical details, here is a more detailed overview: https://twitter.com/Nesotual/status/1495223117450551300).

In a tweet half an hour after users first noticed the campaign, OpenSea confirmed the rumor, saying the incident appeared to have stemmed from a phishing attack outside of the OpenSea website. In the post, the company urged users not to click on any link outside of the official website.

A few hours later, at 11 p.m. ET, OpenSea co-founder and CEO Devin Finzer took to Twitter to clarify what had happened. Based on an internal investigation, Finzer reiterated that it was a phishing attack, saying that at least 32 users had signed the attacker's malicious payload. He also noted that the company is still looking for vulnerabilities: "We don't know exactly what phishing emails have been sent to OpenSea users recently, and we're still analyzing what sites are defrauding users and getting them to sign malicious contracts."

An old bug collides with a new update


Screenshot of the attacker's transaction

OpenSea just released a new smart contract upgrade the day before, February 18, 2022.

In an official statement announcing the upgrade, the company said it aimed to expire inactive listings on the platform. "This new upgrade will ensure that old, inactive listings on Ethereum are safely expired and allow us to offer new security features in the future," they said. As part of the upgrade, all OpenSea users were asked to migrate their NFT listings to the new smart contract.

Unfortunately, this is not the first time something like this has occurred. In fact, this latest update was necessary precisely because of a previous bug, one that also cost users their money and NFTs.

In January 2022, a vulnerability on OpenSea allowed attackers to buy NFTs for much less than their actual value. The vulnerability was originally discovered around December 31, 2021, and it allowed attackers to buy at old, lower listing prices. Tal Be'ery, chief technology officer of the ZenGo cryptocurrency wallet, noted that one BAYC NFT was listed at its July 2021 price of only 23 ETH. After buying at that price, the attacker was able to resell it for 135 ETH.

At current prices, that is close to $300,000 in profit for the attacker, and a correspondingly huge loss for the unfortunate seller.

This bug ultimately stemmed from the way OpenSea's platform interacts with the Ethereum blockchain. Put simply, the platform saves users gas fees by recording listings off-chain, on its own servers, rather than writing each one to the blockchain. A flaw in this system, however, allowed old listings to remain valid on the blockchain without appearing on OpenSea. Many of these listings were created years ago. By submitting those old listings, attackers could buy NFTs at long-outdated prices.

OpenSea did respond to the issue and offered affected users partial refunds. Many, however, were not satisfied with the offer.


Ironically, the latest upgrade was meant to fix this exact bug. OpenSea explained that the purpose of the new system is to let users cancel all of their outstanding listings while paying only minimal gas fees. However, the migration seems to have created new problems for the users who fell victim to the phishing attack.
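The off-chain listing mechanism and the on-chain cancellation fix described above, as an added Python model that is not part of the original article or of OpenSea's code: HMAC stands in for wallet signatures, and the classes are simplified, constructed stand-ins for the marketplace database and the exchange contract. It shows why hiding a listing in the marketplace UI leaves its signed order fillable until it is cancelled on-chain or carries an expiry that has passed.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for wallet keys; HMAC replaces real ECDSA signatures.
WALLET_KEYS = {"seller": b"seller-private-key"}

@dataclass(frozen=True)
class Listing:
    maker: str
    token_id: int
    price_eth: float
    expiry: int  # timestamp after which the order is dead; 0 = never

    def digest(self) -> bytes:
        return hashlib.sha256(repr(self).encode()).digest()

def sign(listing: Listing) -> str:
    """Maker signs the order hash off-chain; no gas is spent."""
    return hmac.new(WALLET_KEYS[listing.maker], listing.digest(), "sha256").hexdigest()

class ExchangeContract:
    """On-chain settlement: the only place a signed order can be killed."""
    def __init__(self):
        self.cancelled = set()

    def cancel(self, listing):
        self.cancelled.add(listing.digest())  # costs gas per order

    def fill(self, listing, sig, now):
        dead = listing.digest() in self.cancelled or (listing.expiry and now > listing.expiry)
        return not dead and hmac.compare_digest(sig, sign(listing))

def stale_listing_fillable(cancel_on_chain: bool, expiry: int = 0, now: int = 1_645_000_000) -> bool:
    """Seller lists at 23 ETH, 'delists' in the UI and relists higher.
    Returns True if a buyer holding the old signed order can still fill it."""
    ui_orders = {}                       # marketplace database, shown in the web UI
    chain = ExchangeContract()
    old = Listing("seller", 1234, 23.0, expiry)
    sig = sign(old)
    ui_orders[old.digest()] = (old, sig)
    del ui_orders[old.digest()]          # hiding the row does not touch the chain
    if cancel_on_chain:
        chain.cancel(old)                # the fix: explicit on-chain cancellation...
    return chain.fill(old, sig, now)     # ...or an expiry that has already passed
```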

We contacted OpenSea but they did not immediately respond to the request for comment. We will update this article based on any responses we receive. This is a story in development, and we will update it as soon as new information emerges.
