Some OpenSea Users Exploited
On Saturday, news quickly spread about a potential exploit involving certain listings on OpenSea. As of Saturday afternoon, evidence suggests some users were phished, and an attacker was able to transfer NFTs and ETH from certain wallets.
At the time of this writing, there is still a great deal of uncertainty surrounding what exactly happened. On Saturday afternoon, some users on Twitter reported NFTs missing from their wallets. Word quickly spread as more and more owners of high-value collections reported items missing or their wallets drained entirely.
Twitter user Neso posted a detailed (if technical) breakdown of what they believed occurred in this Twitter thread. Neso explains that evidence at this point suggests certain users were phished, rather than an OpenSea contract having been exploited.
For their part, OpenSea responded quickly and indicated they were investigating reports of an exploit. The team indicated their immediate belief that the attack originated from outside their own website, lending credence to the idea that the exploit originated via a phishing attack.
Some users, however, remain unconvinced, insisting that they didn’t click any links in any emails or otherwise do anything that would explain their being victims of a phishing attack. Phishing victims often deny having clicked any such links, though, so there isn’t really a clear answer either way at the time of this article’s writing. The working assumption seems to be that a certain number of victims fell prey to this phishing attack, which resulted in their approving the malicious Wyvern transactions and seeing their NFTs and ETH drained.
But the story actually gets more bizarre. Some users have reported the hacker sending a certain number of NFTs back. Other observers noted that the hacker or hackers sent out large amounts of ETH to certain users. A smart contract being exploited is one thing, but given the uncertainty around what actually happened, as well as the hacker’s unusual choice of actions after successfully pulling off the exploit, this is a pretty interesting situation.
The best working advice at present is that anyone concerned they might be affected should revoke any currently granted permissions using a site like revoke.cash or debank. We will keep monitoring the situation for new developments and, hopefully, clear evidence of what actually happened here.
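One way to see which NFT permissions a wallet still has granted, as an added example that is not code from OpenSea, revoke.cash or debank: replay the ERC-721/ERC-1155 ApprovalForAll event logs for one owner and keep the operator grants that were never revoked. The log layout (integer blockNumber and logIndex), the helper names and every address are constructed assumptions.

```python
# Added example: all addresses and log entries below are constructed sample data.

# keccak256("ApprovalForAll(address,address,bool)"), shared by ERC-721 and ERC-1155
APPROVAL_FOR_ALL = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"

def topic_to_address(topic):
    """Indexed address topics are 32 bytes, left-padded; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def outstanding_approvals(logs, owner):
    """Return {(token_contract, operator)} granted by `owner` and not revoked since."""
    owner = owner.lower()
    state = {}
    # Replay in chain order so a later revoke overrides an earlier grant.
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_FOR_ALL:
            continue  # not an ApprovalForAll event
        if topic_to_address(topics[1]) != owner:
            continue  # approval granted by some other wallet
        key = (log["address"].lower(), topic_to_address(topics[2]))
        state[key] = int(log["data"], 16) == 1  # data word is the bool `approved`
    return {key for key, approved in state.items() if approved}

# Constructed fixtures (assumed layout: blockNumber/logIndex already ints).
OWNER, OTHER = "0x" + "a1" * 20, "0x" + "b2" * 20
NFT_A, NFT_B = "0x" + "c3" * 20, "0x" + "d4" * 20
OP_1, OP_2 = "0x" + "e5" * 20, "0x" + "f6" * 20

def make_log(block, index, token, owner, operator, approved):
    """Build one log entry the way an eth_getLogs result encodes ApprovalForAll."""
    pad = lambda addr: "0x" + "0" * 24 + addr[2:]
    return {"blockNumber": block, "logIndex": index, "address": token,
            "topics": [APPROVAL_FOR_ALL, pad(owner), pad(operator)],
            "data": "0x" + format(int(approved), "064x")}

SAMPLE_LOGS = [
    make_log(100, 0, NFT_A, OWNER, OP_1, True),   # granted, never revoked
    make_log(101, 2, NFT_B, OWNER, OP_2, True),   # granted ...
    make_log(105, 1, NFT_B, OWNER, OP_2, False),  # ... and later revoked
    make_log(102, 0, NFT_A, OTHER, OP_2, True),   # different owner
]

if __name__ == "__main__":
    for token, operator in sorted(outstanding_approvals(SAMPLE_LOGS, OWNER)):
        print(f"still approved: operator {operator} on contract {token}")
```

Each pair the function returns is an operator that can still move every token the owner holds in that contract, which makes it a candidate for revocation.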
Update
Twitter user @isoltile posted an explainer thread on the exploit, and his evidence supports it being a phishing attack.