Opensea phishing scandal reveals a security need across the NFT landscape
OpenSea’s latest vulnerability poses a larger and more deeper question relating to the global NFT ecosystem’s existing security infrastructure.
Despite the ongoing volatility plaguing the digital asset sector, one niche that has undoubtedly continued to flourish is the nonfungible token (NFT) market. This is made evident by the fact that a growing number of mainstream mover and shakers including the likes of Coca-Cola, Adidas, the New York Stock Exchange (NYSE) and McDonalds, among many others, have made their way into the burgeoning Metaverse ecosystem in recent months.
Also, owing to the fact that over the course of 2021 alone, global NFT sales topped out at $40 billion, many analysts expect this trend to continue into the future. For example, American investment bank Jefferies recently raised its market-cap forecast for the NFT sector to over $35 billion for 2022 and to over $80 billion for 2025 — a projection that was also echoed by JP Morgan.
However, as with any market growing at such an exponential rate, issues related to security have to be expected as well. In this regard, prominent nonfungible token (NFT) marketplace OpenSea recently fell victim to a phishing attack that took place just hours after the platform announced its week-long planned upgrade to delist all inactive NFTs.
Diving into the matter
On Feb 18, OpenSea revealed that it was going to initiate a smart contract upgrade, requiring all of its users to transfer their listed NFTs from the Ethereum blockchain to a new smart contract. Owing to the upgrade, users who failed to facilitate the above said migration stood at a risk of losing their old and inactive listings.
That said, due to the small migration deadline provided by OpenSea, hackers were presented with a potent window of opportunity. Within hours of the announcement, it was revealed that nefarious third party individuals have initiated a sophisticated phishing campaign, stealing NFTs from many users that were stored on the platform before they could be migrated over to the new smart contract.
We are actively investigating rumors of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea’s website. Do not click links outside of https://t.co/3qvMZjxmDB.
— OpenSea (@opensea) February 20, 2022
Providing a technical breakdown of the matter, Neeraj Murarka, chief technical officer and cofounder of Bluezelle, a blockchain for GameFi ecosystem, told Cointelegraph that at the time of the incident, OpenSea was making use of a protocol called Wyvern, a standard tech module that most NFT web apps make use of since it allows for the management, storage, and transfer of these tokens within users’ wallets.
Because the smart contract with Wyvern allowed users to work with the NFTs stored in their “wallets,” the hacker was able to send out emails to Opensea clients masquerading as a representative for the platform, encouraging them to sign “blind” transactions. Murarka further added:
“Metaphorically, this was like signing a blank check. Normally, this is okay if the payee is the intended recipient. Keep in mind that an email can be sent by anyone, but be made to appear to be sent by someone else. In this case, the payee appears to be a single hacker who was able to use these signed transactions to transfer out and effectively steal the NFTs from these users.”
Also, in an interesting twist of events, following the incident the hacker apparently returned some of the stolen NFTs to their rightful owners, with further efforts being made to return other lost assets. Providing his take on the entire matter, Alexander Klus, founder of Creaton, a Web3 content creation platform, told Cointelegraph that the phishing email campaign used a malicious signing transaction to approve all holdings to be able to be drained at any time. “We need better signing standards (EIP-712) so people can actually see what they are doing when approving a transaction.”
Lastly, Lior Yaffe, cofounder and director of Jelurida, a blockchain software company, pointed out that the episode was a direct result of the confusion surrounding OpenSea’s poorly planned smart contract upgrade, as well as the platform’s transaction approval architecture.
NFT marketplaces need to step up their security game
In Murarka’s view, web apps making use of the Wyvern smart contract system should be augmented with usability improvements to ensure that users don’t fall for such phishing attacks time and time again, adding:
“Very clear warnings should be made to educate the user about phishing attacks and driving home the fact that emails will never be sent, soliciting the user to take any steps. Web apps like OpenSea should adopt a strict protocol to never communicate with users via email apart from maybe just registration data.”
That said, he did concede that even if OpenSea were to adopt the safest security/privacy protocols and standards, it is still up to its users to educate themselves about these risks. “Unfortunately, the web app itself is often held responsible, even though it was the user that was phished. Who is responsible? The answer is unclear,” he noted.
A similar sentiment is shared by Jessie Chan, chief of staff at ParallelChain Lab, a decentralized blockchain ecosystem, who told Cointelegraph that regardless of how the entire attack was orchestrated, the issue not entirely dependant on OpenSea’s existing security protocols but also on user awareness against phishing. The question remains whether the marketplace operator should have been able to provide sufficient information to its users to keep them informed of how to deal with such scenarios.
Another possibility to mitigate any potential phishing events is by having all interactions between users and their web apps being driven solely via the use of a dedicated mobile/desktop interface. “If all interactions required the use of a desktop app, such attacks could be bypassed completely.”
Providing his take on the subject, Yaffe noted that the main problem — which lies at the heart of this whole issue — is the basic architecture of most NFT marketplaces, enabling users to simply sign a carte blanche approval for a third-party contract to use their private wallet without setting a spending limit:
“Since the OpenSea team did not really figure out the source of the phishing operation, it might as well happen again next time they attempt to make a change to their architecture.”
What can be done?
Murarka noted that the best way to eliminate the possibility of these attacks is if people start making use of hardware wallets. This is because most software wallets as well as other custodial storage solutions are too vulnerable in their general design and operational outlook. He further elaborated: “Much like Bitcoin, Ethereum, etc, NFTs themselves should be moved to hardware wallet accounts instead of leaving them on a centralized platform,” adding:
“Users need to be super aware of the risks of responding to and acting upon emails they receive. Emails can be faked very easily, and users need to be proactive about the safety of their crypto assets.”
Another thing NFT owners need to remember is that they should only be visiting web apps that employ high-quality security protocols, checking that the accessed marketplaces utilize the HTTPS mechanism (at the very least) while being able to clearly see a lock symbol on the top left of their browser window — which correctly points to the intended company — while visiting any webpage.
Yaffe believes that users should be careful with contract approvals and keep an accurate track of the contracts they have greenlighted in the past. “Users should revoke unnecessary or unsafe approvals. If possible users should specify a reasonable spending limit for every contract approval,” he concludes.
Lastly, Chan believes that in an ideal scenario, users should keep their wallets on a dedicated platform that they don’t use to read email or browse the web, adding that any such avenues are subject to all manners of third party attacks. He further stated:
“This is inconvenient, but when dealing with assets of great value and where there is no recourse in the event of theft, extreme care is justified. And, as with all financial transactions, they should be very careful in deciding who to deal with, since the counterparties can also steal your assets and disappear.”
Therefore, while moving into a future driven by NFTs and other similar novel digital offerings, it remains to be seen how platforms operating within this space continue to evolve and mature, especially as a growing amount of capital keeps making its way into the NFT market.