OpenSea incident roundup: 18.3 million was transferred to this address


Recently, OpenSea, the world's largest NFT trading platform, was reported to have had user assets stolen.

The incident traces back to February 19, when OpenSea announced an upgrade of its smart contract (0xa2c0946aD444DCCf990394C5cBe019a858A945bD) to address vulnerabilities that had been frequently reported on the platform. It called on everyone to "migrate" their NFT orders on Ethereum to the new Wyvern smart contract so that the original inactive orders on the chain could expire safely.


But who would have thought that just one day after the announcement, some OpenSea users would report in the community that their NFT assets had been stolen. They believed there was a vulnerability in OpenSea's migration contract that allowed non-holders to steal other users' NFTs.

According to the latest official news, the theft affected 17 users in the NFT market and more than 250 NFTs were stolen.

However, regarding the migration contract vulnerability, The Block analyst Frank Chaparro expressed a different view. He claimed that there was no vulnerability in the OpenSea upgrade contract this time, and the whole incident was suspected to be an attack launched by hackers using phishing emails.

He believes that the hacker forged a phishing email in the format of the email OpenSea had sent out a few days earlier, asking the deceived users to sign a contract authorization through WyvernExchange. In his view there is no vulnerability in the platform as a whole; rather, people habitually ignore the content of the contract they are signing.


After the theft, OpenSea co-founder and CEO Devin Finzer also tweeted that this was just a phishing incident. Although the source of the incident has not been traced, the following channels have been tested and found to have no security risks (no internal problems):

1. OpenSea website

2. OpenSea’s email

3. Mint, buy, sell, list items on OpenSea

4. OpenSea’s List Migration Tool

5. OpenSea website banner

However, although the holder of an NFT digital wallet can hide their identity, any transaction that actually occurs on the blockchain is "untouchable": its record stays on the chain.

According to transaction tracking on the OKLink blockchain explorer, the final profit-taking address of the OpenSea incident (0x3e0defb880cd8e163bad68abe66437f99a7a8a74) transferred 1,100 ETH to another address (0x722122df12d4e14e13ac3b6895a86e84145b6967) in 11 transactions on February 20, with a total transfer amount of more than 2.9 million US dollars (about 18.3 million RMB).


Currently, OpenSea is still investigating the source of the phishing attack.

However, OpenSea is a unicorn of the current NFT market, and this security incident not only put it at the center of the storm but also gave its competitor Mintable an opening, since the assets of the 17 victims have not yet been recovered or compensated.

On February 23, the NFT market Mintable announced that it would buy back Azuki #1178, #4176 and #1180, which had previously been stolen on OpenSea, at a price of 13.35 ETH each, and that after the buyback they would be returned to those who held them before the theft.

Its founder and CEO Zach Burks said that a bug on OpenSea led to the theft, and if OpenSea cannot correct it, someone will step forward.


The OpenSea incident, while reminding us of the potential risks in the NFT market, also teaches ordinary people how to avoid common "security risks" and how to minimize their losses by using the industry's steadily advancing technologies (on-chain address tracing and locating).
