On the morning of February 20, the issue of “suspected bugs in OpenSea’s new migration contract led to the theft of a large number of high-value NFTs” aroused heated discussions.
According to multiple Twitter KOLs, the incident was caused by a suspected bug in the new migration contract (address: 0xa2c0946aD444DCCf990394C5cBe019a858A945bD) launched by OpenSea yesterday. BAYC, BAKC, MAYC, Azuki, Cool Cats, Doodles, Mfers and many other high value series.
Twitter KOL “Jon_HQ” tweeted that the attacker spent a total of $750 in gas fees, did not pay for ETH purchases, but got 4 Azukis, 2 Coolmans, 2 Doodles, 2 KaijuKings, 1 MAYC, 1 Cool Cat, 1 BAYC…
For a grand total of $750 in gas, the attacker paid no ETH to purchase, and scooped 4 Azukis, 2 Coolmans, 2 Doodles, 2 KaijuKings, 1 MAYC, 1 Cool Cat, 1 BAYC… for $750.
— Jon_HQ (@Jon_HQ) February 20, 2022
Seeing nothing about x2y2. Looks like a straight interaction with OS' new contract https://t.co/7eu9p0rpZK pic.twitter.com/D4u0MV6CB1
OpenSea users have lost more than $20 billion
Mr. Whale also said on Twitter that Opensea “exploit” can allow users to sell and steal any NFT from any user, and the loss has exceeded 200 million US dollars.
The new migration contract is a new upgrade released by OpenSea. Yesterday, OpenSea announced that its smart contract upgrade has been completed, and the new smart contract has been launched. Users need to sign a pending order migration request to migrate smart contracts. Signing this request does not require gas fees, and there is no need to re-apply for NFT or initialize wallets. During the migration, the quotes on the old smart contracts will be invalid. British auctions will be temporarily disabled for a few hours after the contract upgrade is completed, and new timed auctions can be created again after the new contract takes effect. The Dutch auction of existing smart contracts will expire at the end of the migration period at 3:00 GMT on February 26th.
Subsequently, gmDAO founder Cyphr.ETH tweeted that the hackers used standard phishing emails to copy “genuine OpenSea” emails that occurred a few days earlier, and then asked some users to sign permissions using WyvernExchange. There is no vulnerability in OpenSea, it’s just that people don’t have permission to read signatures as usual.
Calling it now.
— ℭ𝔶𝔭𝔥𝔯.Ξ𝔱𝔥 (@CyphrETH) February 20, 2022
The hacker used a standard phishing email copying the genuine #Opensea one sent out a few days ago, then got a number of people to sign permissions with WyvernExchange.
No exploit, just people not reading sign permissions as normal. pic.twitter.com/bQj5JCzp6B
Security firm PeckShield also said that, although unconfirmed, the Opensea hack was likely phishing. Users follow the instructions in the phishing email to authorize “migration,” which unfortunately allows hackers to steal valuable NFTs.
Foobar, a developer of the Ethereum smart contract programming language Solidity, analyzed that the hacker used a helper contract deployed 30 days ago to call an operating system contract deployed 4 years ago, using valid atomicMatch() data. This could be a typical phishing attack from a few weeks ago. Instead of a smart contract vulnerability, the code is safe.
🚨 NFT EXPLOIT 🚨
— foobar (@0xfoobar) February 20, 2022
The hacker is using a helper contract deployed 30 days ago, to call an OS contract deployed 4 years ago, with valid atomicMatch() data.
Likely a signature phishing attack from several weeks back, the attacker is exploiting now before all listings expire. pic.twitter.com/pKEjoIR534
OpenSea officials have launched an investigation into the matter
So far, OpenSea officials have launched an investigation into the matter, and responded with a tweet saying:
“We are actively investigating rumors of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea’s website. Do not click links outside of http://opensea.io.”
We are actively investigating rumors of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea's website. Do not click links outside of https://t.co/3qvMZjxmDB.
— OpenSea (@opensea) February 20, 2022
According to a number of Twitter KOLs and official statements, the security incident was probably caused by an external phishing attack. But there are also some different voices.
OracleHawk CEO Jacob King tweeted a screenshot of the code and thought: “OpenSea is now lying and claiming that the vulnerability is really just a phishing email people get.”
#OpenSea is now lying and claiming the exploit was actually just phishing emails people were receiving.
— Jacob King (@JacobOracle) February 20, 2022
This is 100% not true, but rather a flaw in their code which led to one of the largest #NFT exploits in history. pic.twitter.com/qGRq0MaFT1
What is the final cause of this vulnerability incident, we still need to wait for the results of OpenSea’s investigation.