Hackers stole highly valued Non-Fungible Tokens (NFTs) from OpenSea. It appears the hackers exploited an upgrade from OpenSea to a new smart contract by commencing a phishing attack.
OpenSea issued an upgrade a couple of days ago, requesting users to migrate their listings. "In 1 week, at 2pm ET on Friday, February 25, any listings you haven’t migrated will expire. If you miss the migration window, you’ll be able to re-list any expired listings without incurring additional fees (including gas fees)."
Due to the short notice, it allowed hackers to exploit the upgrade notification that was sent via email to all users in the NFT marketplace.
source: twitter
OpenSea Old Listings Fix
The upgrade is meant to solve old issues that are caused by old listings. If a trader lists an NFT for sale in OpenSea, gas fees are required for the listing.
Let's take a scenario where the trader lists an NFT for 1 ETH where gas fees were paid. When the trader wishes to relist the NFT for 2 ETH, OpenSea allows it to be relisted without an additional charge of gas fees.
However, the old listing (1 ETH) is never really cancelled. In order to cancel the old listing gas fees are required per listing. As OpenSea is allowing relisting without paying gas fees, if NFTs that are currently worth over $50,000 were ever listed for sale at $20 a year ago, the $20 listing is still present.
Another concern is when the listing is cancelled it can be exploited in the blockchain by frontrunning. When an old listing is manually cancelled by the NFT owner, it can be exploited in the block via bots.
When the cancellation is in the block and yet to be confirmed, it can be exploited by executing the sale in the same block. For example, if an NFT that is currently worth $50,000 was ever listed for $10 and the owner cancels the listing, before it is confirmed in the block hackers may execute the sale of $10 in the same block before it is confirmed ('frontrunning').
OpenSea's upgrade is meant to tackle these issues by ensuring old listings will expire. However, due to the short notice hackers used a phishing attack to maliciously obtain the NFTs.
The OpenSea Hack
The email announced the migration to the new smart contract. By clicking on 'Get Started' the user granted authorization to the hackers that drained the account of the NFTs.
source: etherscan
Dozens of NFT holders were victimized by the phishing attack. The mutant ape yacht club NFTs, bored apes (BAYC) and Azuki are just some of the NFTs that are now owned by the hackers.
BoredApeYachClub #1277, which was last sold for 100 ETH (approximately $290,000), is among the NFTs that were stolen in the phishing attack.
OpenSea issued the following statement, "We are actively investigating rumors of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea's website."
Despite the statement and the circulation of the news, NFTs are still being transferred to the malicious address at the time of this writing. The value of the stolen NFTs is estimated to be over $1.6 million.
OpenSea $1 Million Lawsuit
One of the phishing attack victims, Timothy McKimmy filed a lawsuit in Texas against OpenSea for losing his bored ape NFT. It has been reported that the BAYC NFT is Bored Ape #3475, which was among the rare NFTs of the series.
Following the phishing attack the hacker resold McKimmy's NFT for 99 ETH. McKimmy claims that OpenSea were aware of the bug but left it unaddressed, refusing to take down the platform to resolve the security issues.