A devastating hit transpired this past Saturday for NFT devotees. OpenSea, the internet’s largest NFT marketplace, experienced a hack that left many images vulnerable. Hundreds of NFTs were stolen, with an estimated total value of $1.7 million.
This hack occurred Saturday night between 5 PM and 8 PM EST. 32 different users were targeted during the attack, with hackers stealing over 250 NFTs in the process. Many blame the OpenSea site specifically for compromising privacy measures for their tokens.
A new protocol on the OpenSea website could be the culprit for this February 19 attack. Either a recent contract from OpenSea or a possible airdrop availability from a website called X2Y2 left security measures in the dust. NFT owners encouraged others to deny permission for OpenSea’s new contract and to ensure X2Y2 can’t airdrop to their computers. Whatever specifically occurred, it’s clear something caused OpenSea’s security implementations to fail.
Devin Finzer, the CEO of OpenSea, pinned a tweet to his Twitter bio offering a possible explanation for Saturday’s event. The new contract that OpenSea had users sign was a partial contract, with extensive portions left blank. After users signed the online document, hackers could complete the rest, transferring NFT ownership from the rightful owner to the attacker. It’s unclear how hackers had access to the private document, but a detrimental opening in OpenSea’s website provided an opportunity for dubious characters to strike.
In the past year of OpenSea’s expanding NFT marketplace, there have been other issues of attackers accessing users’ blockchains. Since the NFT boom, OpenSea has become the largest marketplace for people to bid on, sell, and display their valuable NFTs. This has attracted many attempting to swipe the tokens due to their immense profit. Over the last year, outdated contracts or “poisoned” tokens have been used to try to steal NFTs from their rightful owners.
In October 2021, hackers created malicious tokens to gain control of actual NFTs in the OpenSea marketplace. After the user was gifted this “poisoned” NFT and clicked on it, they became vulnerable to an attack. If the gifted token was left untouched, the user was completely safe from the malware. OpenSea cracked down on this confusing and nefarious gift-giving process within the hour. Though malicious tokens aren’t going around in 2022, hackers are becoming more creative in gaining access to valuables from NFT owners.
OpenSea management denies that the new contracts were the sole reason for a data breach. Even though $1.7 million is a lot to lose, only a few hundred NFTs were targeted, which does not indicate a massive flaw in the company’s contracts. The relatively minuscule number of breaches could mean that OpenSea’s security issue was a minor one, which was solved quickly by the company’s software team.
OpenSea’s CEO stated on Twitter that he’s still committed to figuring out exactly how this attack happened and how it will be prevented in the future. As the largest NFT marketplace, the company has much to prove to ensure users feel safe operating within the website. As a popular platform for NFT purchases, it’s no wonder hackers worldwide would be attracted to this website in hopes of swiping a token or two.