OpenSea is the largest NFT marketplace on the Ethereum blockchain by trading volume. It has now issued a solution to its current problems, including inactive listings.
This was in response to an exploit that OpenSea had recently discovered. The attackers then scammed millions of NFT users. Although the exact amount of the damage has not been determined, Check Point Research, a threat intelligence research group, has estimated that it is more than $3 million.
Check Point Research’s post-exploit analysis revealed that threat actors took advantage of the upgrade process by taking an OpenSea email and resending it to unsuspecting users. The OpenSea contract details reveal that the atomicMatch request was sent to this address and then transferred to other addresses with the Fake_Phishing initial. OpenSea uses atomicMatch to ensure minimal trust in trades on its NFT trading platform. All conditions for a transaction must be met before an atomic transfer can occur.
Oded Vanunu, Head of Products Vulnerability at Check Point, shares his insight and advice on how to sign NFT transactions safely.
What should you do? Many websites and projects ask for permanent access to your NFTs. They send you a transaction to sign. If you do not approve the transaction, the transaction will allow the websites/projects to access your NFT at any time. Signing a transaction gives permission for someone to access your NFTs or cryptocurrencies. Signing is dangerous. Be extra careful about where and when transactions are signed. Phishing emails can be difficult to spot. No matter the sender, we don’t recommend clicking links in emails. Always try to find the same information at the website provider.
Vanunu further explains the attack and lists the steps that the exploit follows:
- Victim clicks on malicious link in phishing email
- This link opens a phishing site and asks for the victim’s signature to complete a transaction.
- By signing the transaction an atomicMatch_ request would be sent to 0xa2c0946ad444dccf990394c5cbe019a858a945bd (attacker contract).
- The attacker then forwards the request to atomicMatch at 0x7be8076f4ea4a4ad08075c2508e481d6c946d12b (OpenSea contract).
- OpenSea Contract verifies the details of the transaction and executes it because all is signed and approved by the victim.
- OpenSea contracts communicate with NFT contracts and transfer the NFT from the victim back to the attacker in accordance with the atomicMatch parameters.
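
The relay pattern in the steps above (a signed request sent to an intermediary contract that forwards atomicMatch_ to the OpenSea contract) can be looked for in decoded transaction traces. The following is an added example, not code from Check Point or OpenSea; the record format, field names and sample transactions are constructed assumptions, and only the two contract addresses come from the article.

```python
"""Flag atomicMatch_ calls that reach the marketplace through an intermediary contract."""

OPENSEA_CONTRACT = "0x7be8076f4ea4a4ad08075c2508e481d6c946d12b"  # quoted in the article
MATCH_METHOD = "atomicMatch_"


def _addr(value):
    # Addresses compare case-insensitively (mixed-case vs. lower-case forms).
    return (value or "").strip().lower()


def find_relayed_matches(transactions, marketplace=OPENSEA_CONTRACT):
    """Return one finding per transaction whose top-level target is not the
    marketplace but which forwards atomicMatch_ to it in an internal call."""
    marketplace = _addr(marketplace)
    findings = []
    for tx in transactions:
        target = _addr(tx.get("to"))
        if target == marketplace:
            continue  # signer called the marketplace directly: ordinary trade
        for call in tx.get("internal_calls", []):
            if (_addr(call.get("to")) == marketplace
                    and _addr(call.get("from")) == target
                    and call.get("method") == MATCH_METHOD):
                findings.append({"hash": tx.get("hash"),
                                 "signer": _addr(tx.get("from")),
                                 "relay": target})
                break
    return findings


# Constructed sample records: hypothetical decoded-trace format, placeholder
# hashes and signer addresses, mixed-case addresses used on purpose.
SAMPLE_TXS = [
    {"hash": "tx-direct", "from": "0x" + "11" * 20, "to": OPENSEA_CONTRACT,
     "method": MATCH_METHOD, "internal_calls": []},
    {"hash": "tx-relayed", "from": "0x" + "22" * 20,
     "to": "0xA2C0946aD444DcCf990394C5cBe019a858A945bD", "method": MATCH_METHOD,
     "internal_calls": [{"from": "0xa2c0946ad444dccf990394c5cbe019a858a945bd",
                         "to": "0x7Be8076f4EA4A4AD08075C2508e481d6C946D12b",
                         "method": MATCH_METHOD}]},
    {"hash": "tx-unrelated", "from": "0x" + "33" * 20, "to": "0x" + "44" * 20,
     "method": "transfer", "internal_calls": []},
]

if __name__ == "__main__":
    for f in find_relayed_matches(SAMPLE_TXS):
        print(f"{f['hash']}: signer {f['signer']} -> relay {f['relay']} -> marketplace")
```

A hit is a triage lead, not a verdict: the relay address still has to be reviewed before the transaction is treated as part of a phishing flow.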
How to exploit the atomicMatch_ signature
Check Point Research says that the threat actor also conducts a dry run in order to simulate the attack environment. The threat actor then runs the same process, and even verifies that the attack on OpenSea is successful.