The latest vulnerability discovered by OpenSea raises a wider and more serious question about the global NFT ecosystem’s existing security infrastructure.
Despite the persistent volatility in the digital asset sector, one niche has clearly thrived: the market for nonfungible tokens (NFTs). This is evidenced by the fact that a rising number of major players, like Coca-Cola, Adidas, the New York Stock Exchange (NYSE), and McDonald’s, have recently entered the booming Metaverse ecosystem.
Additionally, given that worldwide NFT sales peaked at $40 billion in 2021, many analysts anticipate this trend to continue. For example, American investment bank Jefferies recently increased its forecast for the NFT sector’s market capitalization to more than $35 billion in 2022 and more than $80 billion in 2025 — a projection repeated by JP Morgan.
However, as with any market growing at such a breakneck pace, security concerns are unavoidable. In this context, OpenSea, a well-known nonfungible token (NFT) marketplace, was recently the victim of a phishing attempt that occurred just hours after the platform announced a week-long scheduled upgrade that would delist all dormant NFTs.
Examining the subject
On February 18, OpenSea announced that it would begin an upgrade of its smart contracts, forcing all users to migrate their listed NFTs from the Ethereum blockchain to a new smart contract. As a result of the upgrade, users who did not facilitate the aforementioned migration risked losing their old and inactive listings.
Nonetheless, OpenSea’s short migration deadline presented hackers with a lucrative window of opportunity. Within hours of the announcement, it emerged that malicious third parties had launched a sophisticated phishing campaign, stealing NFTs that a large number of users still held on the platform before they had been moved to the new smart contract.
We are actively investigating rumors of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea's website. Do not click links outside of https://t.co/3qvMZjxmDB.
— OpenSea (@opensea) February 20, 2022
Neeraj Murarka, chief technical officer and cofounder of Bluzelle, a blockchain for the GameFi ecosystem, explained that at the time of the incident, OpenSea was using a protocol called Wyvern, a standard technology module used by the majority of NFT web applications because it enables the management, storage and transfer of these tokens within users’ wallets.
Because the Wyvern smart contract let users interact with the NFTs kept in their “wallets,” the hacker was able to send emails to OpenSea customers posing as a platform representative, asking them to sign “blind” transactions. Murarka continued:
“Metaphorically, this was like signing a blank check. Normally, this is okay if the payee is the intended recipient. Keep in mind that an email can be sent by anyone, but be made to appear to be sent by someone else. In this case, the payee appears to be a single hacker who was able to use these signed transactions to transfer out and effectively steal the NFTs from these users.”
Additionally, in an unusual turn of events, the hacker appears to have returned some of the stolen NFTs to their rightful owners following the incident, with additional efforts being made to recover other lost assets. Alexander Klus, founder of Creaton, a Web3 content creation platform, said that the phishing email campaign used a rogue signing transaction to authorize the withdrawal of all holdings at any time. “We require improved signature standards (EIP-712) so that individuals can see what they are doing when they approve a transaction.”
Finally, Lior Yaffe, cofounder and director of Jelurida, a blockchain software startup, noted that the incident was precipitated by the misunderstanding surrounding OpenSea’s poorly conceived smart contract upgrade and the platform’s transaction approval architecture.
NFT markets must improve their security posture.
Murarka believes that web applications that use the Wyvern smart contract system need usability improvements to prevent users from repeatedly falling for such phishing attacks, adding:
“Very clear warnings should be made to educate the user about phishing attacks and driving home the fact that emails will never be sent, soliciting the user to take any steps. Web apps like OpenSea should adopt a strict protocol to never communicate with users via email apart from maybe just registration data.”
Having said that, he acknowledges that even if OpenSea implements the most secure security and privacy protocols and standards, it is still up to its users to educate themselves about these threats. “Unfortunately, the online application is frequently held accountable, even when the user was phished. Who is accountable? The answer is ambiguous,” he observed.
Jessie Chan, chief of staff at ParallelChain Lab, a decentralized blockchain ecosystem, expressed a similar sentiment, saying that regardless of how the attack was carried out, the issue does not depend entirely on OpenSea’s existing security protocols but also on user awareness of phishing. The question remains whether the marketplace operator should have been able to adequately warn its customers about how to handle such situations.
Another way to limit the risk of phishing attacks is to have all interactions between users and their online applications occur only through a specialized mobile or desktop interface. “If all interactions were facilitated through the use of a desktop application, such attacks might be fully avoided.”
Yaffe emphasised that the primary issue — which is at the center of this entire debate — is the fundamental architecture of the majority of NFT marketplaces, which allows users to sign a carte blanche agreement for a third-party contract to utilize their private wallet without setting a spending limit:
“Since the OpenSea team did not really figure out the source of the phishing operation, it might as well happen again next time they attempt to make a change to their architecture.”
What is possible?
Murarka stated that the easiest way to prevent these attacks is for individuals to begin using hardware wallets, because the majority of software wallets and other custodial storage solutions are fundamentally insecure in their design and operation. He continued, “Much like Bitcoin, Ethereum, and other cryptocurrencies, NFTs should be shifted to hardware wallet accounts rather than remaining on a centralized site,” adding:
“Users need to be super aware of the risks of responding to and acting upon emails they receive. Emails can be faked very easily, and users need to be proactive about the safety of their crypto assets.”
Additionally, NFT owners should remember to only visit web apps that use high-quality security protocols, ensuring that the marketplaces they access use HTTPS (at the very least) and that they can clearly see a lock symbol in the top left corner of their browser window, pointing to the correct company, while visiting any webpage.
Yaffe argues that users should exercise caution when authorizing contracts and maintain an accurate record of the contracts they have previously approved. “Users should cancel approvals that are unneeded or harmful. Users should, whenever possible, define a fair cost limit for each contract approval,” he concludes.
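A defensive check in the spirit of Yaffe’s advice on approvals and spending limits, and of the “carte blanche” approval architecture described above (an added example in Python, not code from the article, OpenSea or Wyvern): it decodes the calldata of an ERC-721/ERC-20 approval transaction before it is signed and flags grants to contracts outside a user-maintained allowlist, blanket setApprovalForAll grants, and unlimited allowances. The two function selectors are the standard ones; the operator addresses and calldata samples are constructed for the demo.

```python
# Added example (not code from the article, OpenSea or Wyvern): decode approval
# calldata before signing. A selector is the first 4 bytes of keccak256(signature).
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool), ERC-721/1155
APPROVE = "095ea7b3"               # approve(address,uint256), ERC-20/ERC-721
MAX_UINT256 = 2**256 - 1
# Constructed addresses for the demo: one "known" marketplace, one stranger.
TRUSTED_MARKETPLACE = "0x" + "11" * 20
UNKNOWN_CONTRACT = "0x" + "22" * 20

def encode_word(value: int) -> str:          # one 32-byte ABI word, as hex
    return format(value, "064x")

def decode_approval(calldata_hex: str) -> dict:
    data = calldata_hex.lower().removeprefix("0x")
    selector, args = data[:8], data[8:]
    if len(args) < 128:            # need two 32-byte words after the selector
        return {"kind": "other"}
    operator = "0x" + args[24:64]  # address = low 20 bytes of word 0
    value = int(args[64:128], 16)  # word 1: bool or uint256
    if selector == SET_APPROVAL_FOR_ALL:
        return {"kind": "setApprovalForAll", "operator": operator, "approved": bool(value)}
    if selector == APPROVE:
        return {"kind": "approve", "operator": operator, "amount": value}
    return {"kind": "other"}

def assess(calldata_hex: str, trusted: set[str]) -> str:
    """Verdict a wallet UI could show before signing: 'ok', 'warn' or 'block'."""
    call = decode_approval(calldata_hex)
    if call["kind"] == "other":
        return "ok"                # not an approval; out of scope for this check
    if call["operator"] not in {a.lower() for a in trusted}:
        return "block"             # granting rights to an unknown contract
    if call["kind"] == "setApprovalForAll" and call["approved"]:
        return "warn"              # carte blanche, even for a known operator
    if call["kind"] == "approve" and call["amount"] == MAX_UINT256:
        return "warn"              # unlimited allowance (ERC-20; for ERC-721 word 1 is a token id)
    return "ok"

def sample_calls() -> dict:
    """Constructed calldata, as a phishing page or a marketplace might submit it."""
    market, unknown = int(TRUSTED_MARKETPLACE, 16), int(UNKNOWN_CONTRACT, 16)
    return {
        "blanket_to_unknown": "0x" + SET_APPROVAL_FOR_ALL + encode_word(unknown) + encode_word(1),
        "blanket_to_market": "0x" + SET_APPROVAL_FOR_ALL + encode_word(market) + encode_word(1),
        "revoke_market": "0x" + SET_APPROVAL_FOR_ALL + encode_word(market) + encode_word(0),
        "unlimited_allowance": "0x" + APPROVE + encode_word(market) + encode_word(MAX_UINT256),
        "capped_allowance": "0x" + APPROVE + encode_word(market) + encode_word(1000),
    }
def triage(trusted: set[str] = frozenset({TRUSTED_MARKETPLACE})) -> dict:
    return {name: assess(data, trusted) for name, data in sample_calls().items()}
```

Running `triage()` blocks the grant to the unknown contract, warns on the blanket and unlimited grants to the known marketplace, and passes the revocation and the capped allowance.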
Finally, Chan believes that consumers should maintain their wallets on a specialized platform that is not used for email or web browsing, noting that such channels are vulnerable to a variety of third-party assaults. Additionally, he stated:
“This is inconvenient, but when dealing with assets of great value and where there is no recourse in the event of theft, extreme care is justified. And, as with all financial transactions, they should be very careful in deciding who to deal with, since the counterparties can also steal your assets and disappear.”
Thus, as we move toward a future dominated by NFTs and other similar unique digital services, it will be interesting to see how platforms operating in this space continue to expand and mature, particularly as an increasing amount of capital enters the NFT market.
Disclaimer: These are the writer’s opinions and should not be considered investment advice. Readers should do their own research.