The attack appears to have taken advantage of a flaw in the Wyvern Protocol, the open-source standard that underpins the majority of NFT smart contracts, including those created on OpenSea. The attack was reported in two sections, according to one explanation: Targets first signed a partial contract that included a broad authorization and big sections that were left blank. After obtaining the signature, the attackers finalized the transaction by making a call to their own contract, which effectively transferred ownership of the NFTs without payment. In essence, the victims of the attack signed a blank check, and the attackers then filled in the rest of the check to steal their assets.
