Today, Feb. 19, 2022, OpenSea users started to notice some strange activity on the company’s platform. It appeared that an attacker was using a smart contract to interact with OpenSea’s new exchange contract and steal millions of dollars worth of NFTs. nft now quickly verified the transactions. At the time of publication, the attacker had already stolen several of the world’s most popular — and expensive — NFTs from a number of different users.
The stolen NFTs included four Azukis, two Coolmans, two Doodles, two KaijuKings, one Mutant Ape Yacht Club (MAYC), one Cool Cat, and one Bored Ape Yacht Club (BAYC). The attacker then quickly sold the stolen NFTs to other users to turn a profit. So far, they’ve stolen more than $1.7 million in NFTs. And they are still going.
Editor’s note: At the time of publication, the attacker had stolen $700k in NFTs. That number rose to $1.7 million just twenty minutes later.
The hacker appeared to be using a helper contract that was deployed 30 days ago to call an OS contract deployed over four years ago, with valid atomicMatch data. In this respect, the move didn’t appear to be caused by a generalized smart contract exploit. But rather, a latent phishing attack.
In a tweet posted a half-hour after users initially noted the activity, OpenSea confirmed the rumors, confirming that it appeared to be a phishing attack originating outside of OpenSea’s website. In the post, the company urged users not to click any links outside of the official site.
An old bug and new update collide
OpenSea had just unveiled the new smart contract upgrade the day prior, on Feb. 18, 2022.
In an official statement announcing the upgrade, the company said that it was designed to remove inactive listings on the platform. “This new upgrade will ensure old, inactive listings on Ethereum securely expire and allow us to offer new safety features in the future,” they said. Because of the upgrade, all OpenSea users were required to migrate their NFT listings to the new smart contract. The attack appeared to be targeting users who had manually migrated their NFTs.
Unfortunately, this isn’t the first time such problems have arisen. In fact, this latest update came about because of a previous bug that also cost users their money and NFTs.
In January of 2022, a bug on OpenSea enabled attackers to buy secure NFTs for far, far less than they were actually worth. The bug, which was initially discovered around Dec. 31, 2021, permitted attackers to buy NFTs at older, lower prices. Tal Be’ery, Chief Technology Officer of ZenGo crypto wallet, noted that one NFT from the BAYC collection was listed under its July 2021 price of just 23 ether. After purchasing it at that rate, the attacker was able to sell it for 135 ether. That’s a profit approaching nearly $300k for the attacker, and it resulted in massive losses for the unfortunate seller.
The bug ultimately came about as a result of the way in which OpenSea’s platform interacts with the Ethereum blockchain. To break this down, the platform often saves gas fees by listing offers locally, as opposed to coding them into the broader chain. However, a bug in the system allowed old contracts to linger on the blockchain without appearing in the OpenSea interface. By making offers against those contracts, which were often years old, attackers could take advantage of badly out-of-date prices — usually taking token-owners by surprise.
Ironically, the latest upgrade was meant to fix this exact bug. OpenSea clarified that the new system is intended to allow individuals to cancel all unfilled contracts while incurring only minimal gas fees. However, it appears to have caused even more problems for some users.
We reached out to OpenSea, but they did not immediately respond to requests for comment. We will update this article with any responses we receive. This is a developing story and will be updated as new information comes in.
If this article, video or photo intrigues any copyright, please indicate it to the author’s email or in the comment box.