On the morning of February 20, reports that "OpenSea's new migration contract is suspected of having a bug that resulted in a large number of high-value NFTs being stolen" caused heated discussion.

According to multiple Twitter KOLs, the incident was caused by a suspected bug in the new migration contract (address: 0xa2c0946aD444DCCf990394C5cBe019a858A945bD) launched by OpenSea yesterday. The attacker (address: 0x3e0defb880cd8e163bad68abe66437f99a7a8a74) used the bug to steal a large number of NFTs and sell them for arbitrage. The stolen NFTs include BAYC, BAKC, MAYC, Azuki, Cool Cats, Doodles, Mfers and other high-value series.

The new migration contract is a new upgrade released by OpenSea. Yesterday, OpenSea announced that its smart contract upgrade had been completed and the new smart contract had been launched. Users need to sign a pending order migration request to migrate to the new smart contract. Signing this request does not require gas fees, and there is no need to re-approve NFTs or initialize the wallet. During the migration period, the quotes on the old smart contract will be invalid. English auctions will be temporarily disabled for a few hours after the contract upgrade is completed. After the new contract takes effect, new timed auctions can be created again. Dutch auctions on the existing smart contract will expire at 3:00 am Beijing time on February 26, at the end of the migration period.

Twitter KOL "Jon_HQ" pointed out in a tweet that the attacker spent a total of $750 in gas fees, did not pay any ETH for purchases, but obtained 4 Azukis, 2 Coolmans, 2 Doodles, 2 KaijuKings, 1 MAYC, 1 Cool Cat, 1 BAYC... Mr. Whale also stated on Twitter that the OpenSea "vulnerability exploit" allows users to sell or steal any NFT from any user, and the losses have exceeded US$200 million.

Then, just as everyone was discussing it, the "OpenSea incident" took a turn: the attack did not seem to be caused by a bug.
Cyphr.ETH, the founder of gmDAO, tweeted that the hacker used a standard phishing email that copied the "genuine OpenSea" email sent a few days ago, and then asked some users to sign permissions using WyvernExchange. There was no vulnerability in OpenSea; it was just that people did not read the signature permissions as usual.

Security company PeckShield also said that, although it has not been confirmed, the OpenSea hack is likely a phishing attack. Users followed the instructions in the phishing email to authorize the "migration", and this authorization unfortunately allowed hackers to steal valuable NFTs...

Foobar, a developer of Ethereum's smart contract programming language Solidity, analyzed that the hacker used a helper contract deployed 30 days ago to call an operating system contract deployed 4 years ago, using valid atomicMatch() data. This may be a typical phishing attack from a few weeks ago. It is not a smart contract vulnerability, and the code is safe.

As of now, OpenSea has launched an investigation into the matter and responded on Twitter: "We are actively investigating rumors related to OpenSea smart contracts. This looks like a phishing attack from outside the OpenSea website. Do not click on any links other than http://opensea.io."

According to several Twitter KOLs and official statements, the cause of this incident should basically be an external phishing attack. However, there are also some different opinions. For example, Jacob King, CEO of OracleHawk, tweeted a screenshot of the code and said: "OpenSea is now lying and claiming that the vulnerability was actually just a phishing email that people received. This is 100% not true, but a flaw in their code led to one of the largest NFT exploits in history."

We still need to wait for the results of OpenSea's investigation to find out the final cause of this incident.