Opensea phishing scandal reveals a security need across the NFT landscape


Despite the constant fluctuations that plague the digital asset sector, one area that undoubtedly continues to thrive is the non-fungible token (NFT) market. This is evidenced by the fact that a growing number of major movers and shakers, including companies such as Coca-Cola, Adidas, the New York Stock Exchange (NYSE) and McDonald's, among many others, have entered the growing Metaverse ecosystem within the past few months.

Given the fact that global NFT sales topped $40 billion by 2021 alone, many analysts expect this trend to continue into the future. For example, American investment bank Jefferies recently raised its NFT sector market value forecast to over $35 billion by 2022 and to over $80 billion by 2025, a forecast also echoed by JP Morgan.

But as with any market that grows at such an exponential rate, security-related issues are also to be expected. In this regard, OpenSea’s non-fungible token (NFT) marketplace was recently the victim of a phishing attack that came just hours after the platform announced a scheduled week-long update to remove all dormant NFTs.

Dive into it
On February 18, OpenSea revealed that it would begin a smart contract update requiring all users to migrate their listed NFTs on the Ethereum blockchain to the new smart contract. Because of the update, users who did not complete the migration risked losing their old and inactive listings.

However, the short migration window offered by OpenSea gave attackers an opportunity. Hours after the announcement, it emerged that the attackers had carried out a sophisticated phishing campaign, stealing NFTs from several users of the platform before the switch to the new smart contract was complete.

Neeraj Murarka, CTO and co-founder of Bluzelle, a blockchain for the GameFi ecosystem, gave Cointelegraph a technical overview of the case. At the time of the incident, OpenSea was using a protocol called Wyvern, a standard that most NFT web applications rely on because it allows these tokens to be managed, stored and transferred to and from users' wallets.

Since the Wyvern smart contract allowed users to operate on NFTs held in their wallets, the attacker could send emails to OpenSea customers while posing as a platform representative, prompting them to sign "blind" transactions. Murarka added:

“Metaphorically, it was like signing a blank check. This is usually fine if the payee is the intended payee. Keep in mind that anyone can send an email that looks like it was sent by someone else. The hacker, as the recipient of these signed transactions, was the only one able to use them to effectively transfer and steal NFT items from these users.”

In an interesting sequence of events following the incident, the hacker appears to have returned some of the stolen NFTs to their rightful owners, while efforts to recover other lost assets continue. Alexander Kloss, founder of Creaton, a Web3 content platform, gave Cointelegraph his take: the email phishing campaign used a malicious signature transaction to approve the withdrawal of all inventory at any time. “We need better signing standards (EIP-712) so people can see what they’re doing when they approve a transaction.”
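To make Kloss's point concrete, here is an added example in Python (not code from the article, from OpenSea, or from the Wyvern protocol). It implements the EIP-712 typed-data encoding, shows the opaque 32-byte digest that a "blind" signing prompt presents beside the named fields an EIP-712-aware wallet can render, and applies a wallet-side policy check that is only possible because those fields are readable. The Order/Asset struct layout, the addresses and the field semantics are constructed for the example; since Python's standard library has no Keccak-256, sha3_256 stands in for it, which changes the digest values but not the structure a wallet can display.

```python
# Added example: EIP-712 structured hashing beside an opaque "blind" digest,
# plus a wallet-side pre-signing check. Struct layout, addresses and field
# semantics are constructed, not OpenSea's or Wyvern's.
import hashlib
import re


def keccak256(data: bytes) -> bytes:
    """Stand-in hash (assumption): Ethereum uses Keccak-256, whose padding differs
    from NIST SHA3-256; the stdlib has no Keccak, so sha3_256 is used here."""
    return hashlib.sha3_256(data).digest()


def encode_type(primary: str, types: dict) -> str:
    """EIP-712 encodeType: primary struct first, then referenced structs sorted by name."""
    deps = set()

    def collect(t):
        t = re.sub(r"\[.*?\]$", "", t)  # strip an array suffix if present
        if t in types and t not in deps:
            deps.add(t)
            for field in types[t]:
                collect(field["type"])

    collect(primary)
    deps.discard(primary)
    return "".join(
        t + "(" + ",".join(f["type"] + " " + f["name"] for f in types[t]) + ")"
        for t in [primary] + sorted(deps)
    )


def encode_value(typ: str, value, types: dict) -> bytes:
    """EIP-712 encodeData for one field: every value becomes exactly 32 bytes."""
    if typ in types:  # nested struct: recurse
        return hash_struct(typ, value, types)
    if typ == "address":
        return int(value, 16).to_bytes(32, "big")
    if typ == "bool":
        return (1 if value else 0).to_bytes(32, "big")
    if re.fullmatch(r"uint\d+", typ):
        return int(value).to_bytes(32, "big")
    if typ == "bytes32":
        return bytes.fromhex(value[2:])
    if typ in ("string", "bytes"):  # dynamic types are hashed, not inlined
        raw = value.encode() if typ == "string" else bytes.fromhex(value[2:])
        return keccak256(raw)
    raise ValueError(f"unsupported type {typ}")


def hash_struct(primary: str, data: dict, types: dict) -> bytes:
    enc = keccak256(encode_type(primary, types).encode())
    for field in types[primary]:
        enc += encode_value(field["type"], data[field["name"]], types)
    return keccak256(enc)


def typed_data_digest(typed: dict) -> bytes:
    """The 32 bytes actually signed: 0x1901 || domainSeparator || hashStruct(message)."""
    domain = hash_struct("EIP712Domain", typed["domain"], typed["types"])
    message = hash_struct(typed["primaryType"], typed["message"], typed["types"])
    return keccak256(b"\x19\x01" + domain + message)


def blind_prompt(typed: dict) -> str:
    """What a user sees when asked to sign a raw hash: 32 opaque bytes, nothing else."""
    return "0x" + typed_data_digest(typed).hex()


def describe_for_user(typed: dict) -> list:
    """What an EIP-712-aware wallet can render instead: the domain and every named field."""
    d = typed["domain"]
    lines = [
        f"App: {d['name']} v{d['version']}, chain {d['chainId']}, contract {d['verifyingContract']}",
        f"Action: {typed['primaryType']}",
    ]

    def walk(typ, data, indent):
        for field in typed["types"][typ]:
            val = data[field["name"]]
            if field["type"] in typed["types"]:
                lines.append(f"{indent}{field['name']}:")
                walk(field["type"], val, indent + "  ")
            else:
                lines.append(f"{indent}{field['name']} ({field['type']}): {val}")

    walk(typed["primaryType"], typed["message"], "  ")
    return lines


def check_before_signing(typed: dict, trusted_contracts: list) -> list:
    """Wallet-side policy that is only possible because the fields are readable.
    The semantics (expirationTime 0 = never expires) are constructed for this example."""
    warnings = []
    contract = typed["domain"]["verifyingContract"].lower()
    if contract not in {c.lower() for c in trusted_contracts}:
        warnings.append(f"verifyingContract {contract} is not one you have approved")
    if int(typed["message"].get("expirationTime", 1)) == 0:
        warnings.append("expirationTime is 0: this order would never expire")
    return warnings


# Constructed sample: a hypothetical Order struct and placeholder addresses.
TRUSTED_MARKET = "0x" + "11" * 20  # constructed address of the legitimate marketplace contract
SAMPLE_ORDER = {
    "types": {
        "EIP712Domain": [{"name": "name", "type": "string"}, {"name": "version", "type": "string"},
                         {"name": "chainId", "type": "uint256"}, {"name": "verifyingContract", "type": "address"}],
        "Order": [{"name": "maker", "type": "address"}, {"name": "taker", "type": "address"},
                  {"name": "asset", "type": "Asset"}, {"name": "expirationTime", "type": "uint256"}],
        "Asset": [{"name": "token", "type": "address"}, {"name": "tokenId", "type": "uint256"}],
    },
    "primaryType": "Order",
    "domain": {"name": "ExampleMarket", "version": "1", "chainId": 1, "verifyingContract": TRUSTED_MARKET},
    "message": {"maker": "0x" + "aa" * 20, "taker": "0x" + "bb" * 20,
                "asset": {"token": "0x" + "cc" * 20, "tokenId": 42}, "expirationTime": 1700000000},
}

if __name__ == "__main__":
    print("Blind prompt:", blind_prompt(SAMPLE_ORDER))
    print("\n".join(describe_for_user(SAMPLE_ORDER)))
    print("Warnings:", check_before_signing(SAMPLE_ORDER, [TRUSTED_MARKET]))
```

Run stand-alone, the script prints the single hex digest a blind prompt offers, then the domain, action and each field a typed-data wallet can show, then an empty warning list for the trusted contract. Pointing `verifyingContract` at an address outside the allowlist, or setting `expirationTime` to 0, produces warnings before any signature is made, which is the difference between a blank check and a readable one.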

Finally, Lior Yaffe, co-founder and CEO of Jelurida, a blockchain software company, noted that the episode was a direct result of the confusion surrounding OpenSea’s poorly planned smart contract upgrade as well as the platform’s transaction approval architecture.

NFT Markets should step up their security game
According to Murarka, web applications built on the Wyvern smart contract system should add usability improvements that stop users from falling for such fraudulent attacks again and again, adding:

“Very clear warnings should be given to inform the user about phishing attacks, and to make clear that emails will never be sent encouraging the user to take any action. Web applications such as OpenSea must follow a strict protocol of never communicating with users via an email address, except perhaps for login details.
However, I acknowledge that even if OpenSea uses the most secure security/privacy protocols and standards, users should still be aware of these risks on their own. Unfortunately, the web application itself is often blamed, even if it is the user who has been scammed.”

Source: CoinTelegraph
