Quite a rip off in the week on OpenSea, one of the reference platforms for the sale of NFT, non-fungible tokens, the decentralized certifications of the ownership of some physical or digital asset. The loot would be from 641 Ether, approximately 1.5 million euros: according to a report drawn up by PeckShield the attackers would have targeted 32 accountsubtracting from them a total of 254 token including some belonging to collections of a certain value such as Azurki, Bored Ape Yacht Club, Doodle and Cool Cats.
But what was the real dynamics of the theft, which took place on February 19? According to OpenSea, the platform has nothing to do with it. According to some experts, the hackers exploited a feature of the Wyvern Protocol, an open source reference standard for many platforms of the so-called Web3 that use the Ethereum blockchain for the management of smart contracts. How he rebuilt The Verge, an expert in a Twitter thread suggested that the victims may have signed a partial agreement that later allowed the attacker to transfer the NFTs without any transaction taking place. A reconstruction that Become a Finzer, the 32-year-old co-founder and CEO of OpenSea, called it “consistent with our current internal understanding” of what happened. Basically, the victims would have been hooked by bogus OpenSea communications who convinced them to move their nft to someone else’s wallet. Goodbye.
Yes, because if it is true that according to Finzer nothing happened on the platform (no vulnerability in the “minting” phases, ie creation of the NFT, purchase, sale or other steps) the only explanation is precisely that a piece of the operation has passed from the expensive (not so much), old phishing: “We are quite convinced that it is a phishing attack – explained Finzer always on Twitter – we do not know where it happened but speaking with the 32 users concerned we were able to exclude a series of causes “. Which? Those that may have been linked to its marketplace.
Tutorial
How to create an NFT and how to sell it online
by Emanuele Capone
A “trawling” completely external to OpenSeafrom whose systems no fraudulent communication would have originated that could have induced the victims to authorize a passage of the NFT without the necessary payment. A user has precisely verified how the transactions are currently perfectly in order, the result of a step typically linked to a phishing-based deception. In the first part of the attack, the victims signed a partial contract with a general authorization and large portions of code left blank, which were then completed at will by transferring the NFT in question to the attackers’ availability but without payment. As if the targets had signed a blank check and then the scammers had completed the amount of their choice, going to the bank for collection.
Evaluated 13 billion dollars in a recent funding round, OpenSea has become one of the stars of the Nft boom: it is in fact an excellent intermediary with the blockchain, within the reach of those who have never had particular experiences with those systems. Lately, however, apart from old messes related to previously finalized contracts or to the employee who did insider trading, is facing quite a few problems. One above all is made up of counterfeiters of Nft, people who take other people’s works and make tokens to be monetized, in a singular intertwining of copyright, technology and decentralized finance that leaves with a fistful of flies those who actually signed or created certain works or works. The platform has recently invited all users to migrate their assets to a new type of smart contract.