$3 Million Hack of NFTs—‘And Nothing of Value was Lost’

OpenSea, the NFT marketplace, got hacked last week. Or perhaps it didn’t—the firm denies it, but also brags about its updated code that would have prevented the not-a-hack. You decide.

In any case, 32 users got their “non-fungible” tokens comprehensively funged. (This follows OpenSea’s December 2020 plagiarism scandal, its September 2021 insider trading scandal, the “loss” of $1.8M due to a bug last month, closely followed by another plagiarism scandal.)

But who ascribes any value to these worthless “tokens”? In today’s SB Blogwatch, Charles Ponzi would be proud.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: stop motion.

Fake Money Funds Fake Property

Who will break the news? Will Gottsegen will—“OpenSea Investigating ‘Exploit Rumors’ as Users Complain of Missing NFTs”:

$1.7 million
In the wake of a series of viral tweets from panicked NFT traders, leading marketplace OpenSea says it’s investigating “rumors of an exploit” [of] its platform – a vulnerability that may have cost traders valuable tokens. … OpenSea had planned to revise … the code governing its trading platform … by releasing a brand-new contract on Friday.

The apparent attacker’s address … holds about $1.7 million worth of ETH, as well as three tokens from the Bored Ape Yacht Club, two Cool Cats, one Doodle and one Azuki.

Speak English, would ya? Russell Brandom and Emma Roth translate—“NFTs stolen in apparent phishing attack”:

Exploited a flexibility in the Wyvern Protocol
The bulk of the attacks took place … on OpenSea … between 5PM and 8PM ET, targeting 32 users in total. … In essence, targets of the attack had signed a blank check.

Valued at $13 billion in a recent funding round, OpenSea has become one of the most valuable companies of the NFT boom. … That success has come with significant security issues, as the company has struggled with attacks. … The attack appears to have exploited a flexibility in the Wyvern Protocol, the open-source standard underlying most NFT smart contracts.

That “$1.7M”? Molly White recalculated it—“NFTs stolen and flipped for a total of $3 million”:

Around $2.9 million
Panic erupted on February 19 as a few users saw their wallets emptied of valuable NFTs without knowing why. … An hour and a half after users began to report missing NFTs, OpenSea finally acknowledged the issue.

It was later determined that an attacker had successfully phished 32 OpenSea users into signing a malicious contract, which allowed the attacker to take the NFTs and then flip them. … The attacker later transferred 1,115 ETH obtained from the attack to a cryptocurrency tumbler, worth around $2.9 million.

How much? Actually not much, thinks @EdmondSherbet:

The word “worth” is doing a lot of heavy lifting.

What does OpenSea have to say for itself? Here’s CTO Nadav Hollander with this apologia:

EIP-712 typed data
All of the malicious orders contain valid signatures from the affected users, indicating that they did sign an order somewhere, at some point in time. However, none of these orders were broadcasted to OpenSea at the time of signing. … 32 users had NFTs stolen over a relatively short time period.

This is extremely unfortunate, but suggests a targeted attack as opposed to a systemic issue. [It] suggests a phishing operation that was executed ahead of the deprecation of the 2.2 contract. … Part of why we elected to implement EIP-712 on the new contract is that [its] typed data feature makes it much more difficult for bad actors to trick someone into signing an order without realizing it.

We as a community must move to standardizing off-chain signatures using EIP-712 typed data or other agreed-upon standards like EIP-4361. … A change of any kind is understandably scary, but this change actually makes signing much safer as you can better see what you’re signing.
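What that “typed data” actually buys you, in code. This is an added Python example, not OpenSea’s or Wyvern’s code: the `Order` struct, the marketplace domain and the addresses are constructed, and the hashing follows EIP-712’s encodeType/hashStruct/domain-separator rules, with a pure-Python keccak-256 included so it runs offline.

```python
# Added example: what an EIP-712 typed-data signing request hashes, and what
# a wallet can therefore display. NOT OpenSea or Wyvern code. The Order
# struct, domain values and addresses below are constructed for illustration.

MASK = (1 << 64) - 1
RC = [  # Keccak-f[1600] round constants
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],  # rho offsets r[x][y]
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]


def _rol(v, n):
    return ((v << n) | (v >> (64 - n))) & MASK


def _keccak_f(a):
    """Keccak-f[1600] on a 5x5 lane array a[x][y] (theta, rho+pi, chi, iota)."""
    for rnd in range(24):
        c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        for x in range(5):
            for y in range(5):
                a[x][y] ^= d[x]
        b = [[0] * 5 for _ in range(5)]
        for x in range(5):
            for y in range(5):
                b[y][(2 * x + 3 * y) % 5] = _rol(a[x][y], ROT[x][y])
        for x in range(5):
            for y in range(5):
                a[x][y] = b[x][y] ^ (~b[(x + 1) % 5][y] & b[(x + 2) % 5][y])
        a[0][0] ^= RC[rnd]


def keccak256(data: bytes) -> bytes:
    """Ethereum's keccak-256: original Keccak padding (0x01 ... 0x80), rate 136 bytes."""
    rate = 136
    buf = bytearray(data) + b"\x01"
    buf += b"\x00" * (-len(buf) % rate)
    buf[-1] |= 0x80
    a = [[0] * 5 for _ in range(5)]
    for off in range(0, len(buf), rate):
        for i in range(rate // 8):  # lane i sits at x = i % 5, y = i // 5
            a[i % 5][i // 5] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        _keccak_f(a)
    return b"".join(a[i % 5][i // 5].to_bytes(8, "little") for i in range(4))


# --- EIP-712 ---------------------------------------------------------------
DOMAIN_FIELDS = [("name", "string"), ("version", "string"),
                 ("chainId", "uint256"), ("verifyingContract", "address")]


def encode_type(name, fields):
    """encodeType for a struct that references no other structs."""
    return name + "(" + ",".join(f"{t} {n}" for n, t in fields) + ")"


def _encode_value(typ, value):
    # every field becomes one 32-byte word; dynamic types are hashed first
    if typ == "address":
        return int(value, 16).to_bytes(32, "big")
    if typ.startswith("uint"):
        return int(value).to_bytes(32, "big")
    if typ in ("string", "bytes"):
        return keccak256(value.encode() if isinstance(value, str) else value)
    raise ValueError("unsupported field type: " + typ)


def hash_struct(name, fields, values):
    type_hash = keccak256(encode_type(name, fields).encode())
    return keccak256(type_hash + b"".join(_encode_value(t, values[n]) for n, t in fields))


def typed_data_digest(domain, name, fields, message):
    """The 32 bytes actually signed: 0x19 0x01 || domainSeparator || hashStruct(message)."""
    sep = hash_struct("EIP712Domain", DOMAIN_FIELDS, domain)
    return keccak256(b"\x19\x01" + sep + hash_struct(name, fields, message))


def describe_request(domain, name, fields, message):
    """What a wallet can show because the request is typed rather than an opaque hash."""
    lines = [f"Contract: {domain['verifyingContract']} ({domain['name']} v{domain['version']}, chain {domain['chainId']})",
             f"Message type: {name}"]
    lines += [f"  {n} ({t}): {message[n]}" for n, t in fields]
    return lines


# constructed sample: a hypothetical marketplace domain and a hypothetical order
SAMPLE_DOMAIN = {"name": "ExampleMarket", "version": "1", "chainId": 1,
                 "verifyingContract": "0x1111111111111111111111111111111111111111"}
ORDER_FIELDS = [("maker", "address"), ("taker", "address"),
                ("price", "uint256"), ("nonce", "uint256")]
SAMPLE_ORDER = {"maker": "0x2222222222222222222222222222222222222222",
                "taker": "0x0000000000000000000000000000000000000000",
                "price": 0, "nonce": 7}

if __name__ == "__main__":
    for line in describe_request(SAMPLE_DOMAIN, "Order", ORDER_FIELDS, SAMPLE_ORDER):
        print(line)
    print("digest:", typed_data_digest(SAMPLE_DOMAIN, "Order", ORDER_FIELDS, SAMPLE_ORDER).hex())
```

Run it and the “order” is spelled out field by field, contract address and chain included, so a zero price or an open taker is visible before anyone clicks sign; a legacy request to sign a bare 32-byte hash shows the user nothing but hex. The domain separator also means a signature over one contract and chain cannot be replayed against another, because changing either changes the digest.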

So it’s not OpenSea’s fault? ecoeconomy disagrees:

The code is written using a dynamically typed language with no security guarantees so stuff like this is inevitable. … Static typing [could] allow the creation of provably secure contracts.

Where’s the sympathy for the victims? squiggleslash hasn’t got much:

I support criminals stealing your money
NFTs? … I lack sympathy over this given it’s all about fake goods and a sizable number of ideological nutcases falling for a pyramid scheme so moronic that they often end up buying from themselves … just to prop it up, knowing full well the environmental and economic destruction they’re engaged in and not giving a ****.

If you’re sociopathic enough to be involved in NFTs, then yes, I support criminals stealing your money until the law catches up with this racket and starts fining and imprisoning everyone involved.

Don’t hold back. Tell us what you really think, fontenot-jon:

NFTs are worthless digital junk clogging up data structures, and convincing greedy **** clowns to send their mercenary mutts to collect bounties on yet another terrible … energy dependent … societal harming technological implementation.

But people lost money! Powercntrl disagrees, Nelson-haha-like:

Their money was lost the moment they traded it for a blockchain entry which says they’re now the proud owner of a URL to a jpg of a dumb ape. It’s like buying the Brooklyn Bridge—the moment you made a mistake was when you gave your money to the con man, not when a mugger stole your fake “deed.”

Are NFTs overdue for some regulation? Offering a real-world analog, here’s Zerverus:

Systemic issues are addressed by regulatory systems
Singapore had a wave of SMS banking scams 3 months ago. The regulator has already intervened to force changes in banks (no more links in messages, shared liability, protective measures, authenticated SMS) and Telcos (SMS ID registry).

So yes, in the financial world, in properly run countries, systemic issues are addressed by regulatory systems. Because losing an email is one thing, losing your life savings is another. Crypto either will end up fully regulated or die.

Meanwhile, 93 Escort Wagon mints an old hashtag:

#AndNothingOfValueWasLost … If any “news” item deserves that tag, it’s this one.

And Finally:

Neko Funjatta (“I Stepped on the Cat”) vs. a cat pen rest

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Kelly Sikkema (via Unsplash; leveled, cropped, macroed)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
