Panic among users of OpenSea: on Saturday, hundreds of NFTs were stolen, which according to Molly White of the blog Web3 Is Going Just Great were worth over 1.7 million dollars. A spreadsheet compiled by the blockchain security service PeckShield counted 254 tokens stolen in the attack, including tokens from Decentraland and Bored Ape Yacht Club.
The attack appears to have exploited a flexibility in the Wyvern protocol, the open source standard underlying most NFT contracts, including those built on OpenSea. One possible explanation (also put forward by company CEO Devin Finzer on Twitter) described the attack in two parts: first, the victims signed a partial contract, with general authorization and large portions left blank. Then, with the signature in hand, the attackers completed the contract so as to transfer ownership of the NFTs without, of course, making any payment. Essentially, the victims had signed a blank check and, once it was signed, the attackers filled out the rest of the check to appropriate the NFTs.
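The blank-check explanation above can be made concrete with a toy model, added here as an illustration and not taken from OpenSea or the Wyvern code. The field names, the `open_fields` list and the HMAC standing in for a wallet signature are all assumptions; the example shows why a signature over a partly blank order stays valid after someone else fills in the blanks, and a pre-signing check that reports the risky blanks.

```python
import hashlib
import hmac

# Simplified model, constructed for illustration. Field names are
# assumptions, not the Wyvern order format; HMAC stands in for a wallet signature.
CRITICAL = {"recipient", "price"}  # who gets the asset, and what is paid

def digest(template, open_fields):
    """Hash what the signer commits to: the fixed values plus the list of blanks."""
    fixed = sorted((k, v) for k, v in template.items() if k not in open_fields)
    return hashlib.sha256(repr((fixed, sorted(open_fields))).encode()).digest()

def sign(key, template, open_fields):
    return hmac.new(key, digest(template, open_fields), hashlib.sha256).digest()

def accepts(key, sig, template, open_fields, completed):
    """Verifier: valid signature, and the completed order matches every fixed field."""
    if not hmac.compare_digest(sig, sign(key, template, open_fields)):
        return False
    if set(completed) != set(template):
        return False
    return all(completed[k] == template[k]
               for k in template if k not in open_fields)

def risky_open_fields(open_fields):
    """Pre-signing check: blanks that decide the recipient or the payment."""
    return sorted(CRITICAL & set(open_fields))

# Constructed sample data.
KEY = b"owner-signing-key (constructed)"
BLANK = {"asset": "token-1", "owner": "alice", "recipient": None, "price": None}
OPEN = {"recipient", "price"}
FULL = {"asset": "token-1", "owner": "alice", "recipient": "bob", "price": 100}
FILLED_BY_OTHER = {**BLANK, "recipient": "third-party", "price": 0}

if __name__ == "__main__":
    sig_blank = sign(KEY, BLANK, OPEN)
    sig_full = sign(KEY, FULL, set())
    # The blank-check signature covers any completion of the open fields.
    print("blank order, filled by other:", accepts(KEY, sig_blank, BLANK, OPEN, FILLED_BY_OTHER))
    # A signature that fixes every field rejects the same completion.
    print("full order, altered:", accepts(KEY, sig_full, FULL, set(), FILLED_BY_OTHER))
    print("warn before signing:", risky_open_fields(OPEN))
```

A wallet or signing front end that applied a check like `risky_open_fields` would refuse, or at least warn, whenever the recipient or the price is left for someone else to fill in.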
Valued at $13 billion in a recent funding round, OpenSea has become one of the most valuable companies of the NFT boom, and leverages its ease of use, with an intuitive and clear interface to list, browse and bid on tokens without interacting directly with the blockchain. Success apparently brought security issues, as the company struggled with attacks that exploited old contracts or poisoned tokens to steal users' valuable holdings.
However, many details of the attack remain unclear, most notably the method used by the attackers to persuade targets to sign the blank contract. According to Devin Finzer, the attacks did not originate from the OpenSea website, its various quotation systems or any company emails, and the speed of action (hundreds of transactions within hours) suggests some common vector, but no link has been discovered so far.