Possible Vulnerabilities on the NFT Marketplace OpenSea

Leading NFT marketplace OpenSea is investigating “rumors of an exploit” related to smart contracts associated with its platform. Earlier, a series of tweets from concerned NFT traders went viral. The vulnerability could have cost them many valuable NFTs.

The following was posted on OpenSea’s Twitter account: “We are actively investigating rumors of an exploit related to OpenSea smart contracts. It appears to be a phishing attack originating from outside the OpenSea website. People should not click on links outside of opensea.io.”

Born2Invest mobile application is bringing all the crypto and business news from trusted sources to a single screen so you can stay on top of the market. The application is aggregating the most important and breaking news from relevant websites, the list is always revised and updated with new resources. 

Phishing on the NFT marketplace OpenSea

NFT traders wrote on Twitter that they allegedly received official emails from OpenSea about the migration of smart contracts.

Well-known security firm PeckShield reviewed the smart contracts and stated that the exploit in question was “most likely phishing.” A seemingly normal link hides a smart contract that hackers can use to gain access to NFTs. PeckShield cited emails about the migration process as a possible source of the link.

The alleged attacker’s address contains about $1.7 million worth of Ether, as well as two Cool Cats NFTs, three Bored Ape Yacht Club NFTs, a Doodle NFT, and an Azuki NFT. Etherscan subsequently placed a “phish/hack” warning label on the address.

OpenSea was planning to change its smart contract (basically the code for its trading platform) by releasing a brand new contract on Friday. The idea was that the updated contract would take care of deleting old and inactive listings on OpenSea.

Last month, the company sent users a short email with the subject “Clarification on Cancelling Inactive Listings.” The email reminded users to delete old listings.

The problem with smart contracts

The cancellation of an old listing is still an on-chain transaction, meaning it is added to the very end of the blockchain. Cybercriminals looking for new transactions might notice someone deleting an old entry. As a result, they start digging through the other old entries to find an offer below market price.

Some hackers pay an additional fee to front-run a cancellation and make a sale before the user can complete the transaction. Frontrunning is a common problem on Ethereum and other proof-of-work blockchains.

OpenSea has not been able to fix the issue at the time of writing. Most recently, the following announcement was published: “Our team has been working around the clock to investigate the specific details of this phishing attack. While we haven’t yet determined the exact source, we wanted to share a couple of EOD updates.”

__

(Featured image by Marco Verch Professional Photographer CC BY 2.0  via Flickr)

DISCLAIMER: This article was written by a third party contributor and does not reflect the opinion of Born2Invest, its management, staff or its associates. Please review our disclaimer for more information.

This article may include forward-looking statements. These forward-looking statements generally are identified by the words “believe,” “project,” “estimate,” “become,” “plan,” “will,” and similar expressions. These forward-looking statements involve known and unknown risks as well as uncertainties, including those discussed in the following cautionary statements and elsewhere in this article and on this site. Although the Company may believe that its expectations are based on reasonable assumptions, the actual results that the Company may achieve may differ materially from any forward-looking statements, which reflect the opinions of the management of the Company only as of the date hereof. Additionally, please make sure to read these important disclosures.

First published in CRYPTO MONDAY, a third-party contributor translated and adapted the article from the original. In case of discrepancy, the original will prevail.

Although we made reasonable efforts to provide accurate translations, some parts may be incorrect. Born2Invest assumes no responsibility for errors, omissions or ambiguities in the translations provided on this website. Any person or entity relying on translated content does so at their own risk. Born2Invest is not responsible for losses caused by such reliance on the accuracy or reliability of translated information. If you wish to report an error or inaccuracy in the translation, we encourage you to contact us.