Unfortunately, the weekend passed with some very disappointing news coming from the platform OpenSea.
According to reports, attackers appear to have stolen hundreds of NFTs from OpenSea users on Saturday, causing a late-night panic among the site’s broad user base.
254 tokens were stolen
A spreadsheet compiled by the blockchain security service PeckShield reportedly counted 254 tokens stolen over the course of the attack.
This included tokens from Decentraland and Bored Ape Yacht Club.
The Verge notes that the bulk of the attacks took place between 5 PM and 8 PM ET, targeting 32 users in total.
Molly White, who runs the blog Web3 is Going Great, estimated the value of the stolen tokens at more than $1.7 million.
The Verge notes the following:
“The attack appears to have exploited a flexibility in the Wyvern Protocol, the open-source standard underlying most NFT smart contracts, including those made on OpenSea.”
One explanation (linked by CEO Devin Finzer on Twitter) described the attack in two parts:
“first, targets signed a partial contract, with a general authorization and large portions left blank. With the signature in place, attackers completed the contract with a call to their own contract, which transferred ownership of the NFTs without payment.”
One of the largest signature phishing attacks just happened.
Here’s a 🧵 on how to avoid getting hacked by signature attacks 👇
— Treasure Seeker (@treasuresETH) February 20, 2022
According to the same reports, the targets of the attack had in essence signed a blank check, and once it was signed, attackers filled in the rest of the check to take their holdings.
“I checked every transaction,” said the user, who goes by Neso.
The user continued:
“They all have valid signatures from the people who lost NFTs so anyone claiming they didn’t get phished but lost NFTs is sadly wrong.”
Check out more details in the original post.