
A suspected phishing attack against OpenSea users resulted in the theft of $1.7 million in NFTs

Hundreds of NFTs were stolen from OpenSea users on Saturday, prompting a late-night panic among the site’s large user base. During the hack, 254 tokens were stolen, according to a spreadsheet published by the blockchain security service PeckShield, including tokens from Decentraland and Bored Ape Yacht Club.

The majority of the attacks took place between 5 and 8 p.m. ET, and they targeted a total of 32 users. The stolen tokens are worth more than $1.7 million, according to credible reports.


The attack appears to have taken advantage of a flaw in the Wyvern Protocol, the open-source standard that underpins the majority of NFT smart contracts, including those created on OpenSea. According to one explanation, the attack had two parts. Targets first signed a partial contract that included a broad authorization and large sections left blank. After obtaining the signature, the attackers completed the transaction with a call to their own contract, which transferred ownership of the NFTs without payment. In essence, the victims signed a blank check, and the attackers then filled in the rest of the check to steal their assets.
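A wallet-side check for the "blank check" pattern described above, as an added example that is not from the original article, OpenSea or the Wyvern project: it flags a signing request whose key fields are left open for someone else to fill in. The order model and its field names (`counterparty`, `targetContract`, `callData`, `price`, `expiresAt`) are hypothetical simplifications, not the real Wyvern order layout.

```javascript
// Added example. Hypothetical, simplified order model: these field names are
// assumptions for illustration, not the real Wyvern order layout.
const ZERO_ADDRESS = "0x" + "0".repeat(40);

// True when a field carries no commitment from the signer.
function isBlank(value) {
  return value === undefined || value === null || value === "" ||
         value === "0x" || value === ZERO_ADDRESS;
}

// Parse a decimal string or number as an integer; unparseable counts as zero.
function toAmount(value) {
  try { return BigInt(value ?? 0); } catch { return 0n; }
}

// Inspect a signing request before the user approves it. Returns one finding
// per field that the holder of the signature could choose later.
function reviewSignRequest(order) {
  const findings = [];
  if (isBlank(order.targetContract)) {
    findings.push({ field: "targetContract", reason: "contract to be called is not fixed" });
  }
  if (isBlank(order.callData)) {
    findings.push({ field: "callData", reason: "call contents are not fixed" });
  }
  // An open counterparty is normal for a public listing, but not at a zero price.
  if (toAmount(order.price) === 0n && isBlank(order.counterparty)) {
    findings.push({ field: "price", reason: "anyone may take the asset without payment" });
  }
  if (toAmount(order.expiresAt) === 0n) {
    findings.push({ field: "expiresAt", reason: "signature never expires" });
  }
  return findings;
}

// Constructed sample requests (not taken from the incident).
const ordinaryListing = {
  counterparty: ZERO_ADDRESS, targetContract: "0x" + "ab".repeat(20),
  callData: "0x" + "12".repeat(4), price: "1000000000000000000", expiresAt: 1700000000,
};
const blankCheck = {
  counterparty: ZERO_ADDRESS, targetContract: ZERO_ADDRESS,
  callData: "0x", price: "0", expiresAt: 0,
};

console.log(reviewSignRequest(ordinaryListing));
console.log(reviewSignRequest(blankCheck).map((f) => f.field));
```

A signing prompt that shows these findings in plain language gives the user a chance to refuse before the signature exists.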

When the attack occurred, OpenSea was in the midst of updating its contract system, but the company has denied that the new contracts were the source of the attack. The small number of targets makes such a vulnerability improbable, as any flaw in the broader platform would almost certainly be exploited on a much larger scale.