A few years ago the stories were about people losing the private keys to their BTC wallets and never recovering the funds. Anyone who has been in the space for long knows those stories, or has lost keys themselves. Back then, private keys were poorly secured largely because of terrible UIs and paper wallets.
The evolution of crypto has brought steady UX improvements, with wallets like Ledger and MetaMask. Even so, it is still very easy to lose your assets. Last weekend we got a reminder of this when an attacker launched a suspected phishing campaign against OpenSea users, with over thirty victims losing millions of dollars' worth of high-value NFTs.
Although OpenSea has yet to publish a full post-mortem, on-chain data shows that the attacker deployed a smart contract that made calls into OpenSea's contract.
OpenSea announced an upgrade on 18 February 2022, asking users to migrate their listings: "In 1 week, at 2pm ET on Friday, February 25, any listings you haven't migrated will expire. If you miss the migration window, you'll be able to re-list any expired listings without incurring additional fees (including gas fees)."
The short notice gave the attacker(s) a hook. The upgrade notification had gone out by email to every user of the marketplace, so they sent their own email that lured users into signing a payload which later let the attacker move the NFTs out of the victims' wallets.
Twitter user @isotile tried to explain the attack in a four-tweet thread.
The @opensea upgrade is meant to solve old issues caused by old listings. That is, when a trader lists an NFT for sale on OpenSea, gas fees are required for the listing. If the trader lists an NFT for, say, 5 ETH and pays the gas, and later wishes to relist it for, say, 10 ETH, OpenSea allows the relisting without charging gas again.
However, the old (5 ETH) listing is never really cancelled. Cancelling an old listing costs gas, per listing. Because OpenSea allows relisting without paying gas, if an NFT that is now worth over $10,000 was ever listed for sale at $50 a year ago, the $50 listing is still active. This is the loophole the attacker(s) exploited.
Another concern is that cancelling a listing can itself be exploited on the blockchain by frontrunning. When an NFT owner manually cancels an old listing, bots can act in the window before the cancellation is confirmed by executing the sale in the same block, ahead of the cancellation. For example, if an NFT now worth $10,000 was once listed for $50 and the owner cancels that listing, attackers may execute the $50 sale before the cancellation is confirmed. This is termed 'frontrunning'.
OpenSea's upgrade was meant to fix these issues by making old listings expire. But the short notice gave the attacker(s) the opening for a phishing attack that harvested these NFTs.
OpenSea issued the following statement, "We are actively investigating rumors of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea's website."
Despite the statement and the wide circulation of the news, NFTs were still being transferred to the attacker's address. The value of the stolen NFTs is estimated at over $1.6 million.
One of the victims, Timothy McKimmy, filed a lawsuit in Texas against OpenSea over the loss of his Bored Ape Yacht Club NFT. It has been reported that the NFT is Bored Ape #3475, one of the rarer pieces in the series. After the attack, the attacker(s) resold McKimmy's BAYC NFT for 99 ETH.
McKimmy claims that OpenSea was aware of the bug but left it unaddressed, refusing to take the platform down to resolve the security issues. While this is one of the most high-profile examples of such an attack in recent memory, attacks like it have become frequent.
Back in the early Bitcoin era, your biggest security risks were trading away your assets, losing your private keys, or leaving them on an exchange like Mt. Gox before it collapsed.
Web3 has brought new kinds of security risk. With smart contract platforms like Ethereum and NFT marketplaces like OpenSea, there is always the danger of approving a malicious contract call, or signing a message, without realising that you are signing away your funds. All it takes is one click.
There are a few steps everyone should follow once they start investing in crypto assets and NFTs. Below are some operational security steps for securing your assets:
Know how to revoke the permissions attached to your wallet. Phishing attacks like the OpenSea hack are a major concern because a single malicious signature can cost you every NFT and token in the wallet. You can revoke approvals from the Token Approvals page on Etherscan: connect your wallet and review the approvals granted to each app the wallet has interacted with. Each revocation is an on-chain transaction (it costs gas) and covers one token contract and one operator or spender. Note also that revoking an approval stops that operator from moving your tokens but does not invalidate an order you have already signed; the order becomes fillable again if the approval is ever restored, so cancel it or let it expire as well.
Avoid blind signing. Following the hack, OpenSea's CTO Nadav Hollander said in a tweet thread that valid signatures from the victims were exploited on the Wyvern V1 contract before OpenSea migrated to Wyvern V2.3. The victims "did sign an order somewhere, at some point in time," he said. This suggests the victims may have blindly signed malicious orders, that is, signed data whose meaning they could not see in the wallet prompt. If your wallet shows only an opaque hash rather than readable terms, do not sign it.
Keep Web3 and email apart. One of the best operational security tips is never to open a Web3 app through a link sent by email or social media. Avoid clicking any crypto-related link unless you are sure it comes from an official source, and even then type the address yourself. Attackers can spoof a sender address or register a lookalike domain, so an email can appear to come from any domain they like. Be wary of any email that asks you to sign something in MetaMask or another Web3 wallet, even if it appears to be from an official source.
Cold storage. Cold storage means keeping keys offline, typically on a non-custodial hardware wallet, a USB drive, an offline computer or a paper wallet. Move high-value assets, including rare NFTs, to a cold storage wallet that never interacts with any app. A hardware wallet only keeps the key offline; a signature you approve on it after connecting to a website is just as binding as one from a hot wallet, so keep the vault wallet disconnected and use a separate wallet for day-to-day interaction.
The innovations in crypto and Web3 have created many opportunities to build wealth. They have also created many ways to lose everything. Always take care and follow operational security steps to protect your assets. As they say, you can never be too careful.
ICYMI
A Sotheby's auction of over 100 CryptoPunk NFTs ended before it began.
FTX hires Lauren Remington Platt of Vesette as Head of Luxury Partnerships.
Coldplay and Ed Sheeran's label, Warner Group, partners with blockchain game developer.
Ethereum scaling solution StarkNet completes launch, with the goal of moving to community control.
Indian Advertising Regulator releases new guidelines for crypto ads.