Opensea phishing scandal reveals need for security in NFT landscape

Despite the continued volatility plaguing the digital asset industry, one niche that has undoubtedly continued to thrive is the non-fungible token (NFT) market. This is made evident by the fact that a growing number of mainstream players, including Coca-Cola, Adidas, the New York Stock Exchange (NYSE) and McDonald's, among others, have made their way into the burgeoning metaverse ecosystem in recent months.

Moreover, with global NFT sales in 2021 alone surpassing $40 billion, many analysts expect this trend to continue. For example, the American investment bank Jefferies recently raised its market capitalization forecast for the NFT sector to over $35 billion for 2022 and over $80 billion for 2025 – a projection that was also echoed by JP Morgan.

However, as with any market growing at such an exponential rate, security-related issues are also to be expected. In this regard, the major non-fungible token (NFT) marketplace OpenSea was recently the victim of a phishing attack that took place just hours after the platform announced a planned week-long upgrade to remove all inactive NFT listings.

Diving into the topic

On February 18, OpenSea revealed that it was launching a smart contract upgrade that required all of its users to migrate their Ethereum-based NFT listings to a new smart contract. Users who did not complete the migration risked losing their old inactive listings.

That said, the short migration window provided by OpenSea presented attackers with a wide window of opportunity. Hours after the announcement, it emerged that malicious third parties had launched a sophisticated phishing campaign, stealing numerous users’ NFTs listed on the platform before they could be migrated to the new smart contract.

Providing a technical breakdown of the case, Neeraj Murarka, CTO and co-founder of Bluzelle, a blockchain for the GameFi ecosystem, told Cointelegraph that at the time of the incident OpenSea was using a protocol called Wyvern, a standard technology module used by most NFT web applications because it allows the management, storage and transfer of these tokens to user wallets.

Because the Wyvern smart contract allowed users to work with NFTs stored in their “wallets”, the hacker was able to send emails to OpenSea customers posing as a representative of the platform, encouraging them to sign “blind” transactions. Murarka added:

“Metaphorically, it was like signing a blank cheque. Normally this is acceptable if the payee is the intended recipient. Keep in mind that an email can be sent by anyone, but appear to have been sent by someone else. In this case, the beneficiary appears to be a single hacker who was able to use these signed transactions to effectively transfer and steal these users’ NFTs.”

In an interesting turn of events, following the incident the hacker apparently returned some of the stolen NFTs to their rightful owners, with further efforts being made to return other lost property. Giving his opinion on the matter, Alexander Klus, founder of Creaton, a Web3 content creation platform, told Cointelegraph that the phishing email campaign used a malicious signature transaction to approve all of a user's holdings so they could be drained at any time. “We need better signature standards (EIP-712) so people can actually see what they’re doing when they approve a transaction.”

Finally, Lior Yaffe, co-founder and director of Jelurida, a blockchain software company, pointed out that the episode was a direct result of the confusion surrounding OpenSea’s poorly planned smart contract upgrade, as well as the platform’s transaction-approval architecture.

NFT marketplaces need to step up their security game

In Murarka’s view, web applications using the Wyvern smart contract system should be complemented with usability improvements to ensure that users do not repeatedly fall for such phishing attacks, adding:

“Very clear warnings should be made to educate the user about phishing attacks and make it clear that emails will never be sent, prompting the user to take action. Web applications like OpenSea should adopt a strict protocol to never communicate with users via email, except perhaps for registration data.”

That said, he conceded that while OpenSea should adopt the most secure security/privacy protocols and standards, it’s still up to its users to learn about those risks. “Unfortunately, the web application itself is often held responsible, even if it is the user who has been phished. Who is responsible? The answer is unclear,” he noted.

A similar sentiment is echoed by Jessie Chan, chief of staff at ParallelChain Lab, a decentralized blockchain ecosystem, who told Cointelegraph that regardless of how the attack was orchestrated, the problem lies not entirely with OpenSea’s existing security protocols but also with user awareness of phishing. The question remains whether the marketplace operator should have provided enough information to its users to keep them informed on how to deal with such scenarios.

Another way to mitigate potential phishing events is to drive all interactions between users and their web applications exclusively through a dedicated mobile or desktop interface. “If all interactions required the use of a desktop application, such attacks could be circumvented completely.”

Giving his opinion on the subject, Yaffe noted that the main issue, which lies at the heart of the whole problem, is the basic architecture of most NFT marketplaces, which lets users simply sign a blanket (carte blanche) approval for a third-party contract to use their private wallet without setting a spending limit:

“Since the OpenSea team hasn’t quite identified the source of the phishing operation, it might as well happen again the next time they try to change their architecture.”

What can be done?

Murarka noted that the best way to eliminate the possibility of these attacks is for people to start using hardware wallets. This is because most software wallets, as well as other custodial storage solutions, are too vulnerable in their overall design and operation. He further clarified, “Like Bitcoin, Ethereum, etc., NFTs themselves should be moved to hardware wallet accounts instead of leaving them on a centralized platform,” adding:

“Users should be very aware of the risks of responding to and acting on emails they receive. Emails can be tampered with very easily and users should be proactive about the security of their crypto assets.”

Another thing NFT owners should remember is to only visit web applications that use high-quality security protocols, verifying that the marketplaces they visit use HTTPS (at the very least) and that a lock symbol is clearly visible at the top left of the browser window — correctly pointing to the intended business — whenever they visit any web page.

Yaffe believes that users should be careful with contract approvals and keep accurate track of contracts they have approved in the past. “Users should revoke unnecessary or dangerous approvals. If possible, users should specify a reasonable spending limit for each contract approval,” he concludes.


Finally, Chan believes that in an ideal scenario users would keep their wallets on a dedicated platform that they don’t use to read emails or browse the web, adding that those pathways are exposed to all sorts of third-party attacks. He further stated:

“It’s inconvenient, but when it comes to high value goods and where there is no recourse in the event of theft, extreme caution is warranted. And, as with all financial transactions, they have to be very careful when deciding who to deal with because counterparties can also steal your assets and disappear.”

Therefore, while moving towards a future driven by NFTs and other similar innovative digital offerings, it remains to be seen how the platforms operating in this space continue to evolve and mature, especially as a growing amount of capital continues to enter the NFT market.