Attackers have managed to steal hundreds of non-fungible tokens (NFTs) from users of the popular marketplace OpenSea. The stolen tokens were worth more than $1.7 million, according to a report by Molly White, who runs the blog Web3 is Going Great.
Around 254 tokens were stolen during the attack, including tokens from Decentraland and the Bored Ape Yacht Club, according to a spreadsheet compiled by blockchain security service PeckShield.
Most attacks occurred between 5 p.m. and 8 p.m. ET Saturday (19/2/2022) on Sunday (20/2/2022). The theft targeted a total of 31 users, according to The Verge, as quoted on Monday (21/2/2022).
The Verge writes that the attack appears to have exploited a flexibility in the Wyvern Protocol, the open-source standard that underlies most NFT smart contracts, including those created on OpenSea.
In an explanation linked by OpenSea CEO Devin Finzer, the attack is described in two parts. First, the victim signed a partial contract that carried a general authorization and was otherwise left mostly blank.
With the signature in place, the attacker then completed the contract with a call to their own contract, which transferred ownership of the NFTs without payment.
At the time of the attack, OpenSea was in the process of updating its contract system. The company also denied that the attacks stemmed from the new contract.
On Twitter shortly after the incident, Devin Finzer shared a number of his findings. He said the attacks did not originate from the OpenSea website, its various listing systems, or any email from the company.
The speed of the attacks suggests a number of common attack vectors, but no links have been found so far.