- The source of the OpenSea phishing attack is still unclear
- Attackers made off with $2.9 million worth of ETH after stealing and selling NFTs
- A recent contract migration is no longer thought to be the cause
The source of the phishing attack that saw $2.9 million in NFTs stolen from users over the weekend is still unclear, 48 hours after the assets were taken. Investigations by OpenSea, blockchain security companies, and individual security researchers have revealed several key details about the attack, but no one has yet managed to confirm at what point the victims signed the smart contract that allowed the hackers to take control. Suggestions that the newly upgraded contract was to blame have been dismissed, as users authorized the malicious code before the migration.
Low Victim Count Suggests Hack Not the Cause
The alarm was raised over a potential OpenSea exploit on Saturday when victims began to report that their NFTs were leaving their wallets without their consent. This led to immediate assumptions that the platform had been hacked, with the finger quickly pointed at OpenSea’s new migration contract, which went live last week:
Guys I’m getting this while listing my work. WTF is Wyvern. Shit @opensea contract is rugged #OpenSeaNFT pic.twitter.com/7d0njuMEcE
— Milanzrt.eth✨(Milan) (@milanzrt) February 20, 2022
However, subsequent investigations revealed that there were only 32 victims, suggesting that a platform-wide vulnerability was not the cause. A phishing attack soon emerged as a more likely alternative, with the 32 individuals thought to have fallen victim to a spoof email or something similar.
Yet OpenSea co-founder and CEO Devin Finzer revealed that there had been no reports of suspicious emails from users, leaving everyone scratching their heads as to how the hackers managed to gain access to the users’ NFTs.
OpenSea Migration Contract Exploit Cleared
One potential cause that was dismissed was OpenSea’s recent smart contract upgrade, which some initially said was how the hackers were able to steal the NFTs. However, it was revealed that none of the malicious orders were executed against the new contract (Wyvern 2.3), indicating that they were signed before the migration and are unlikely to be related to OpenSea’s migration flow.
Bizarrely, the hacker returned some of the NFTs to their original owners, with one victim inexplicably receiving 50 ETH ($130,000) from the attacker as well as some of their stolen NFTs back. PeckShield revealed that the attacker later transferred 1,110 ETH obtained from the attack to the Tornado Cash mixer.
OpenSea has said that investigations will continue until the source of the phishing exploit has been clarified.