
Last weekend, many OpenSea users were hit by a large-scale theft of NFTs. The unidentified attacker obtained thousands of email addresses and, posing as the marketplace, sent their owners a malicious link to trick them into signing a smart contract and transferring their digital assets to him.

The thief sold some of the stolen items and so obtained at least 1.7 million dollars. Although 32 people interacted with the fake smart contract, only 17 have lost items so far.

Devin Finzer, one of the marketplace's co-founders, explained that the crime had nothing to do with his site but resulted from phishing. This kind of cyber-attack consists of sending a malicious link that deceives users into entering their passwords on fake platforms or granting permissions to scammers. The latter is what happened in this case.

Beyond what was known in those first hours, more details about the episode later emerged. To make the urgency of resolving the situation crystal clear, Finzer himself reposted a Twitter thread that originally came from Nadav Hollander, CTO of OpenSea.

Further Details about the Theft at OpenSea

Hollander, head of technology for the NFT marketplace, highlighted that all the malicious orders were signed by the affected users. Such an order is proof that, at some place and time, they granted permission to access their collections.

A user called @nesotual also confirmed the situation; Devin Finzer shared this analysis because it runs parallel to OpenSea's. In Neso's view, anyone who says they did not fall for a phishing attack is mistaken, since all the transactions carry valid signatures from the victims.

However, Hollander noted that the orders did not reach OpenSea after being signed. Likewise, none was executed through the platform's new contract, Wyvern 2.3, officially launched on Friday, February 18. Consequently, says Hollander, the orders were signed before the migration to the new contract, and it is unlikely that the incident is in any way related to that migration flow.

In the expert's view, the attack targeted a select group of users and was not systemic. That 32 people were affected by the fraudulent maneuver was regrettable; the figure was later reduced to 17 victims, according to OpenSea's Twitter account.

Off-chain Signatures

The marketplace recently implemented EIP-712, an Ethereum improvement that presents the message to be signed in a more readable way before the user confirms it, making off-chain signatures easier to manage.

According to the experts, this method makes it possible to prevent attacks like last weekend's, since any deviation in what is being signed would be easier to spot.
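To show what "more readable" means in practice, here is an added example (not code from the article, from OpenSea or from the Wyvern contracts) of EIP-712 typed data as a wallet receives it: the domain that binds a signature to one contract on one chain, the declared field types, the spec's `encodeType` string, and the checks a client can run before asking the user to sign. The `Order` and `Asset` structs, the `ExampleMarket` domain and all addresses are constructed for illustration.

```python
import re
from typing import Any, Dict, List, Optional, Set

Types = Dict[str, List[Dict[str, str]]]

# Hypothetical dApp domain a wallet has pinned for a marketplace it knows (constructed).
KNOWN_DOMAIN = {
    "name": "ExampleMarket",
    "version": "1",
    "chainId": 1,
    "verifyingContract": "0x" + "1" * 40,  # placeholder address
}

# Type definitions as a dApp would pass them to eth_signTypedData_v4 (constructed).
TYPES: Types = {
    "EIP712Domain": [
        {"name": "name", "type": "string"},
        {"name": "version", "type": "string"},
        {"name": "chainId", "type": "uint256"},
        {"name": "verifyingContract", "type": "address"},
    ],
    "Order": [
        {"name": "maker", "type": "address"},
        {"name": "taker", "type": "address"},
        {"name": "asset", "type": "Asset"},
        {"name": "price", "type": "uint256"},
        {"name": "expiry", "type": "uint256"},
    ],
    "Asset": [
        {"name": "token", "type": "address"},
        {"name": "tokenId", "type": "uint256"},
    ],
}


def _base_type(t: str) -> str:
    """'Asset[]' or 'Asset[3]' refer to the struct Asset (one array level handled)."""
    return re.sub(r"\[\d*\]$", "", t)


def find_dependencies(primary: str, types: Types, found: Optional[Set[str]] = None) -> Set[str]:
    """Every struct type reachable from `primary`, including `primary` itself."""
    found = set() if found is None else found
    if primary in found or primary not in types:
        return found
    found.add(primary)
    for field in types[primary]:
        find_dependencies(_base_type(field["type"]), types, found)
    return found


def encode_type(primary: str, types: Types) -> str:
    """EIP-712 encodeType: the primary struct first, then referenced structs sorted by name."""
    deps = sorted(d for d in find_dependencies(primary, types) if d != primary)
    return "".join(
        name + "(" + ",".join(f["type"] + " " + f["name"] for f in types[name]) + ")"
        for name in [primary] + deps
    )


def make_order(price: int, verifying_contract: str) -> Dict[str, Any]:
    """Constructed signing request: a sale order for one token (sample values only)."""
    return {
        "types": TYPES,
        "primaryType": "Order",
        "domain": dict(KNOWN_DOMAIN, verifyingContract=verifying_contract),
        "message": {
            "maker": "0x" + "a" * 40,  # placeholder addresses
            "taker": "0x" + "b" * 40,
            "asset": {"token": "0x" + "c" * 40, "tokenId": 42},
            "price": price,
            "expiry": 1_700_000_000,
        },
    }


def render(typed: Dict[str, Any]) -> List[str]:
    """Lines a wallet can show instead of an opaque hash: each field with its declared type."""
    d = typed["domain"]
    lines = [f"Domain: {d['name']} v{d['version']}, chain {d['chainId']}, contract {d['verifyingContract']}"]

    def walk(type_name: str, value: Dict[str, Any], indent: int) -> None:
        for field in typed["types"][type_name]:
            name, t, v = field["name"], field["type"], value.get(field["name"])
            if _base_type(t) in typed["types"] and isinstance(v, dict):
                lines.append(" " * indent + f"{name} ({t}):")
                walk(_base_type(t), v, indent + 2)
            else:
                lines.append(" " * indent + f"{name} ({t}): {v}")

    walk(typed["primaryType"], typed["message"], 0)
    return lines


def check_before_signing(typed: Dict[str, Any], known_domain: Dict[str, Any]) -> List[str]:
    """Pre-signing checks; an empty list means nothing suspicious was found."""
    findings: List[str] = []
    d = typed["domain"]
    # A request that claims to be the known dApp must carry the pinned chain and contract.
    if d.get("chainId") != known_domain["chainId"]:
        findings.append("domain: chainId differs from the pinned dApp domain")
    if str(d.get("verifyingContract", "")).lower() != known_domain["verifyingContract"].lower():
        findings.append("domain: verifyingContract differs from the pinned dApp domain")
    primary = typed["primaryType"]
    if primary not in typed["types"]:
        return findings + ["types: primaryType is not defined"]
    declared = {f["name"] for f in typed["types"][primary]}
    extra, missing = set(typed["message"]) - declared, declared - set(typed["message"])
    if extra or missing:
        findings.append(f"message: fields do not match {primary} (extra={sorted(extra)}, missing={sorted(missing)})")
    if primary == "Order" and int(typed["message"].get("price", 0)) == 0:
        findings.append("order: price is 0, the asset would change hands for nothing")
    return findings


if __name__ == "__main__":
    request = make_order(0, "0x" + "2" * 40)
    print("\n".join(render(request)))
    print(encode_type("Order", TYPES))
    print(check_before_signing(request, KNOWN_DOMAIN))
```

The point of the domain check is that a signature produced for one `verifyingContract` on one `chainId` is meaningless to any other contract, so a wallet that pins the domain of a dApp it knows can refuse a request that only looks like that dApp; the field listing is what lets the user read the price and asset rather than a hex blob.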

The OpenSea CTO stated that signing off-chain messages calls for the same educational effort as the insistence on never sharing a wallet's seed phrase. The community should follow standard procedures in this area, such as EIP-712 or EIP-4361, which enables Ethereum-based logins to off-chain platforms.

Meanwhile, although the OpenSea CTO stated that the attack did not originate from OpenSea itself, the company is working in every possible way to help the affected users.

By: Jenson Nuñez
