
Smart contracts exploited on OpenSea

Author:
Daniela Kirova
Writer
Daniela is a writer at Bankless Times, covering the latest news on the cryptocurrency market and blockchain industry. She has over 15 years of experience as a writer, having ghostwritten for several online publications in the financial sector.
January 31st, 2023
  • The flaw may have cost traders many quite valuable tokens
  • PeckShield stated that the exploit in question was most likely phishing

Top NFT marketplace OpenSea is investigating “rumors of an exploit” regarding smart contracts connected to its platform after a series of tweets from concerned NFT traders that went viral, CoinDesk reported. The flaw may have cost traders many quite valuable tokens.

OpenSea tweeted:

We are actively investigating rumors of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea’s website. Do not click links outside of opensea.io.

On Saturday evening US hours, OpenSea CEO Devin Finzer posted a follow-up tweet:

32 users thus far have signed a malicious payload from an attacker, and some of their NFTs were stolen. OpenSea is not aware of any recent phishing emails that have been sent to users and a fraudulent website may be to blame.

Most likely phishing

Traders on Twitter shared what they first believed were official OpenSea emails about the migration process from contract A to contract B.

Blockchain security firm PeckShield, which audits smart contracts, stated that the exploit in question was “most likely phishing”, where a seemingly normal link hides a malicious contract. PeckShield cited the same mass email series about the migration process as a potential source of the link.

Attacker holds $1.7M in ether

The purported attacker’s address holds about $1.7 million worth of ether and two Cool Cats NFTs, three Bored Ape Yacht Club NFTs, one Doodle NFT and one Azuki NFT. Etherscan, an explorer website, has designated the address with a “phish/hack” warning badge.

OpenSea cancels inactive listings

OpenSea had planned to amend its smart contract (essentially the code governing its trading platform) by deploying a brand-new contract on Friday. The upgraded contract was meant to ensure that old, inactive listings on OpenSea were eliminated.

Last month, the company sent users a short email to address the issue with the subject “Clarification on Canceling Inactive Listings.” The email reminded users to cancel old listings.

The issue

Canceling an old listing is still an on-chain transaction, which means it’s added to the very end of the blockchain. Cybercriminals who watch for new transactions might notice someone canceling an old listing and start digging into their other old listings, looking for a good one.

Some hackers will pay an extra fee to front-run a cancellation, carrying out a sale before the user can complete the transaction. Front-running is a common problem on the Ethereum Mainnet and other proof-of-work blockchains.
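The race described above, as an added toy simulation that is not code from the article, OpenSea or any real marketplace contract: a stale listing is settled on-chain, the seller's cancellation and a higher-tipped fill compete in the same block, and the tip decides the order. It also goes one step beyond the text by showing why a listing that carries an expiry cannot be filled this way once it has lapsed. All names, prices, fees and block numbers are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Listing:
    token_id: int
    price_eth: float
    seller: str
    expiry_block: Optional[int] = None  # None models an old listing that never expires

@dataclass
class Tx:
    sender: str
    kind: str           # "cancel" or "fill"
    listing: Listing
    priority_fee: int   # tip in gwei; in this toy model, higher tip is ordered first

class ToyMarket:
    """Constructed off-chain-order / on-chain-settlement marketplace, for illustration only."""
    def __init__(self):
        self.cancelled = set()   # listing keys cancelled on-chain
        self.sold = {}           # token_id -> buyer

    @staticmethod
    def key(listing):
        return (listing.token_id, listing.price_eth, listing.seller)

    def apply(self, tx, block):
        k = self.key(tx.listing)
        if tx.kind == "cancel":
            self.cancelled.add(k)
            return "cancelled"
        if k in self.cancelled or tx.listing.token_id in self.sold:
            return "rejected: inactive"
        if tx.listing.expiry_block is not None and block > tx.listing.expiry_block:
            return "rejected: expired"   # the expiry check does not depend on tx ordering
        self.sold[tx.listing.token_id] = tx.sender
        return "filled"

def mine_block(market, mempool, block):
    """Order pending transactions by tip, as a fee-maximising block builder would."""
    return [(tx.kind, tx.sender, market.apply(tx, block))
            for tx in sorted(mempool, key=lambda t: t.priority_fee, reverse=True)]

def frontrun_scenario(expiry_block=None, current_block=1000):
    """Seller cancels a stale 0.5 ETH listing while a watcher submits a higher-tipped fill."""
    stale = Listing(token_id=42, price_eth=0.5, seller="alice", expiry_block=expiry_block)
    mempool = [Tx("alice", "cancel", stale, priority_fee=2),
               Tx("watcher", "fill", stale, priority_fee=50)]
    market = ToyMarket()
    mine_block(market, mempool, current_block)
    return market.sold.get(42)   # buyer of token 42, or None if the fill was rejected
```

With no expiry the fill lands first and the token changes hands at the stale price; with an expiry block in the past the same ordering yields no sale, which is the property a time-bounded listing gives the seller.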
