OpenSea phishing attack, here’s what happened
The phishing attack against users of the popular OpenSea NFT marketplace was planned well ahead of the actual theft of users' NFTs. The attacker combined phishing emails with sell orders signed against OpenSea's older, soon-to-be-deprecated smart contract.
Another attack on users of the NFT marketplace OpenSea emerged yesterday, February 20th. As reported by CryptoSlate, Devin Finzer, the CEO of the NFT marketplace, tweeted that it was likely a phishing attack and not connected to the platform directly, while pointing out that investigations were still ongoing.
Blockchain records show that the attacker was able to drain NFTs from users' wallets. So far, the stolen NFTs include Bored Apes, Mutant Apes, and items from several other popular collections, worth close to $2 million in total.
The attacker's modus operandi, in short: the attacker deployed a smart contract on the Ethereum blockchain over a month before the actual thefts, which shows that the operation was planned well in advance. The attacker then emailed several users urging them to move their NFTs from an old OpenSea smart contract to a new one; the new contract was developed to address bugs discovered after an earlier attack.
Attacker mimicked a genuine OpenSea email
OpenSea did send a genuine email asking users to transition their NFTs to the new contract. The attacker imitated that email, but with links pointing to the attacker's own smart contract.
This, in turn, led users to sign open sell orders for their NFTs, which the attacker collected without making any rushed attempt to take the NFTs: the signed orders simply stayed valid as listings. The signing message shown to users was so opaque that it was difficult to interpret correctly. What the signature actually authorized was a sale of the NFTs to the attacker for zero ether (ETH).
In a follow-up tweet, OpenSea CTO Nadav Hollander shared a technical run-down of the phishing attacks targeting OpenSea users.
“All of the malicious orders contain valid signatures from the affected users, indicating that they did sign an order somewhere, at some point in time. However, none of these orders were broadcasted to OpenSea at the time of signing,” Hollander tweets.
According to Hollander, none of the malicious orders were executed against the new Wyvern 2.3 contract, indicating that they were signed before the migration and are unlikely to be related to OpenSea's migration flow. Wyvern is a decentralized digital asset exchange protocol running on Ethereum, which OpenSea uses to facilitate NFT trading on its platform.
“32 users had NFTs stolen over a relatively short time period. This is extremely unfortunate, but suggests a targeted attack as opposed to a systemic issue. This information, coupled with our discussions with impacted users and investigation by security experts, suggests a phishing operation that was executed ahead of the deprecation of the [older and buggy] 2.2 contract given the impending invalidation of these collected malicious orders,” Hollander tweets.
New contract supports EIP-712 typed data payloads
The new 2.3 version of the Wyvern contract implements Ethereum Improvement Proposal (EIP) 712, which among other things supports typed data payloads: the wallet is handed a structured message with named fields rather than an opaque hash. This makes it much more difficult for bad actors to trick someone into signing an order without realizing it.
The phishing email told users to sign a message to log in to OpenSea and migrate their sell orders to the new OpenSea Wyvern 2.3 contract. Instead, users signed a private sale of their NFTs to the attacker for zero ETH. The attacker kept the users' signatures, which remained valid until the orders expired or were invalidated, and later called the smart contract function that executed the sales before the listings expired.
Additionally, as smart contract developer "foobar" explained in a tweet, the attacker was able to take the NFTs in batches rather than executing the sales one by one.
“A single malicious signature can rug all [foobar’s emphasis] of your approved OpenSea NFTs. No need to sign an individual sell order for each one, as originally assumed,” foobar tweets. Normally, the atomicMatch_() function in the smart contract is invoked once per purchase, so buying two NFTs takes two calls; here the attacker called atomicMatch_() once and took 21 NFTs.
According to foobar, the contract performs a “delegatecall”, which means “take the code at target address, and execute it within the current context.”
“This is a dangerous pattern, because it means you’re subject to code injection. And that’s exactly what happened. The contract with approval permissions to move the NFTs requested code from the malicious helper contract, and that code said “transfer all NFTs to me”,” foobar tweets.
A malicious signature can take all of a user’s NFTs
This is a novel attack vector, according to foobar. The assumption that one signature equals one NFT does not hold. A malicious signature can take all of a user’s NFTs in a single transaction.
OpenSea CTO Nadav Hollander tweets that users need to learn to watch out for malicious off-chain signing messages, just as the community has learned not to share seed phrases or submit unknown transactions. Hollander also calls for standardizing on EIP-712 or EIP-4361.
“We as a community must move to standardizing off-chain signatures using EIP-712 typed data or other agreed-upon standards like EIP-4361 (the “Sign in with Ethereum” method).”
“On this point, you’ll notice that all new orders signed on OpenSea (including migrated orders) use the new EIP-712 format — a change of any kind is understandably scary, but this change actually makes signing much safer as you can better see what you’re signing,” Hollander tweets.
As for the investigation of the incident, the OpenSea team is still in the middle of its research, in cooperation with the affected users.
“We’re actively working with users whose items were stolen to narrow down a set of common websites that they interacted with that might have been responsible for the malicious signatures. Huge thanks to the users that hopped on the phone with us directly,” OpenSea CEO Devin Finzer tweets.