Hackers stole highly valued Non-Fungible Tokens (NFTs) from opensea. It appears the hackers exploited an upgrade from opensea to a new smart contract by commencing a phishing attack.
Opensea issued an upgrade a couple of days ago, requesting users to migrate their listings. ‘In 1 week, at 2pm ET on Friday, February 25, any listings you haven’t migrated will expire. If you miss the migration window, you’ll be able to re-list any expired listings without incurring additional fees (including gas fees).’
Due to the short notice it allowed hackers to exploit the upgrade notification that was sent via email to all users in the NFT marketplace.
The upgrade is meant to solve old issues that are caused by old listings. If a trader lists an NFT for sale in opensea gas fees are required for the listing.
Let’s take a scenario where the trader lists an NFT for 1 ETH, gas fees were paid. When the trader wishes to relist the NFT for 2 ETH, opensea allows it to be relisted without an additional charge of gas fees.
However, the old listing (1 ETH) is never really cancelled. In order to cancel the old listing gas fees are required per listing. As opendea is allowing relisting without paying gas fees, if NFTs that are currently worth over $50,000 were ever listed for sale at $20 a year ago, the $20 listing is still present.
Another concern is when the listing is cancelled it can be exploited in the
blockchain
Blockchain
Blockchain comprises a digital network of blocks with a comprehensive ledger of transactions made in a cryptocurrency such as Bitcoin or other altcoins.One of the signature features of blockchain is that it is maintained across more than one computer. The ledger can be public or private (permissioned.) In this sense, blockchain is immune to the manipulation of data making it not only open but verifiable. Because a blockchain is stored across a network of computers, it is very difficult to tamper with. The Evolution of BlockchainBlockchain was originally invented by an individual or group of people under the name of Satoshi Nakamoto in 2008. The purpose of blockchain was originally to serve as the public transaction ledger of Bitcoin, the world’s first cryptocurrency.In particular, bundles of transaction data, called “blocks”, are added to the ledger in a chronological fashion, forming a “chain.” These blocks include things like date, time, dollar amount, and (in some cases) the public addresses of the sender and the receiver.The computers responsible for upholding a blockchain network are called “nodes.” These nodes carry out the duties necessary to confirm the transactions and add them to the ledger. In exchange for their work, the nodes receive rewards in the form of crypto tokens.By storing data via a peer-to-peer network (P2P), blockchain controls for a wide range of risks that are traditionally inherent with data being held centrally.Of note, P2P blockchain networks lack centralized points of vulnerability. Consequently, hackers cannot exploit these networks via normalized means nor does the network possess a central failure point.In order to hack or alter a blockchain’s ledger, more than half of the nodes must be compromised. Looking ahead, blockchain technology is an area of extensive research across multiple industries, including financial services and payments, among others.
Blockchain comprises a digital network of blocks with a comprehensive ledger of transactions made in a cryptocurrency such as Bitcoin or other altcoins.One of the signature features of blockchain is that it is maintained across more than one computer. The ledger can be public or private (permissioned.) In this sense, blockchain is immune to the manipulation of data making it not only open but verifiable. Because a blockchain is stored across a network of computers, it is very difficult to tamper with. The Evolution of BlockchainBlockchain was originally invented by an individual or group of people under the name of Satoshi Nakamoto in 2008. The purpose of blockchain was originally to serve as the public transaction ledger of Bitcoin, the world’s first cryptocurrency.In particular, bundles of transaction data, called “blocks”, are added to the ledger in a chronological fashion, forming a “chain.” These blocks include things like date, time, dollar amount, and (in some cases) the public addresses of the sender and the receiver.The computers responsible for upholding a blockchain network are called “nodes.” These nodes carry out the duties necessary to confirm the transactions and add them to the ledger. In exchange for their work, the nodes receive rewards in the form of crypto tokens.By storing data via a peer-to-peer network (P2P), blockchain controls for a wide range of risks that are traditionally inherent with data being held centrally.Of note, P2P blockchain networks lack centralized points of vulnerability. Consequently, hackers cannot exploit these networks via normalized means nor does the network possess a central failure point.In order to hack or alter a blockchain’s ledger, more than half of the nodes must be compromised. Looking ahead, blockchain technology is an area of extensive research across multiple industries, including financial services and payments, among others. Read this Term by frontrunning. When an old listing is manually cancelled by the NFT owner, it can be exploited in the block via bots.
When the cancellation is in the block and yet to be confirmed, it can be exploited by executing the sale in the same block. For example, if an NFT that is currently worth $50,000 was ever listed for $10 and the owner cancels the listing, before it is confirmed in the block hackers may execute the sale of $10 in the same block before it is confirmed (‘frontrunning’).
Opensea’s upgrade is meant to tackle these issues by ensuring old listings will expire. However, due to the short notice hackers used a
The email announced the migration to the new smart contract. By clicking on ‘Get Started’ the user granted authorization to the hackers that drained the account of the NFTs.
Dozens of NFT holders were victimized by the phishing attack. The mutant ape yacht club NFTs, bored apes (BAYC) and Azuki are just some of the NFTs that are now owned by the hackers.
BoredApeYachClub #1277 that was last sold for 100 ETH (approximately $290,000) is among the NFTs that were stolen in the phishing attack.
Opensea issued the following statement, ‘We are actively investigating rumors of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea’s website.’
Despite the statement and the circulation of the news NFTs are still being transferred to the malicious address at the time of this writing. The valued of the stolen NFTs is estimated to be over $1.6 million.
Hackers stole highly valued Non-Fungible Tokens (NFTs) from opensea. It appears the hackers exploited an upgrade from opensea to a new smart contract by commencing a phishing attack.
Opensea issued an upgrade a couple of days ago, requesting users to migrate their listings. ‘In 1 week, at 2pm ET on Friday, February 25, any listings you haven’t migrated will expire. If you miss the migration window, you’ll be able to re-list any expired listings without incurring additional fees (including gas fees).’
Due to the short notice it allowed hackers to exploit the upgrade notification that was sent via email to all users in the NFT marketplace.
The upgrade is meant to solve old issues that are caused by old listings. If a trader lists an NFT for sale in opensea gas fees are required for the listing.
Let’s take a scenario where the trader lists an NFT for 1 ETH, gas fees were paid. When the trader wishes to relist the NFT for 2 ETH, opensea allows it to be relisted without an additional charge of gas fees.
However, the old listing (1 ETH) is never really cancelled. In order to cancel the old listing gas fees are required per listing. As opendea is allowing relisting without paying gas fees, if NFTs that are currently worth over $50,000 were ever listed for sale at $20 a year ago, the $20 listing is still present.
Another concern is when the listing is cancelled it can be exploited in the
When the cancellation is in the block and yet to be confirmed, it can be exploited by executing the sale in the same block. For example, if an NFT that is currently worth $50,000 was ever listed for $10 and the owner cancels the listing, before it is confirmed in the block hackers may execute the sale of $10 in the same block before it is confirmed (‘frontrunning’).
Opensea’s upgrade is meant to tackle these issues by ensuring old listings will expire. However, due to the short notice hackers used a
The email announced the migration to the new smart contract. By clicking on ‘Get Started’ the user granted authorization to the hackers that drained the account of the NFTs.
Dozens of NFT holders were victimized by the phishing attack. The mutant ape yacht club NFTs, bored apes (BAYC) and Azuki are just some of the NFTs that are now owned by the hackers.
BoredApeYachClub #1277 that was last sold for 100 ETH (approximately $290,000) is among the NFTs that were stolen in the phishing attack.
Opensea issued the following statement, ‘We are actively investigating rumors of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea’s website.’
Despite the statement and the circulation of the news NFTs are still being transferred to the malicious address at the time of this writing. The valued of the stolen NFTs is estimated to be over $1.6 million.
