Opensea Phishing Attack 19 February 2022 and the OpenDAO’s Response

Seeding compensation, seeding hope.

Users of the popular NFT marketplace OpenSea may be in for an unpleasant surprise when they check their crypto wallets this weekend. A complex phishing scheme is suspected to be behind the havoc experienced by NFT holders on Saturday 19 February 2022, after several users had NFTs stolen from their wallets. There is about 1.7 Million USD worth of ETH on the attacker’s account now.

This appears to be a pretty complex exploit and phishing attack.

At the time of writing, rumours are swirling on social media while the community anxiously await an official audit of the attack. Currently, several of the affected wallets have reported interacting with a malicious email, resembling an official OpenSea email, prompting them to take advantage of a limited time offer to migrate their NFTs to the new contract gas free. (Why OpenSea hasn’t implemented anti-phishing measures on emails like all the other crypto exchanges is beyond me.)

Unfortunately, If the user followed the “Get Started” link depicted, they will be forwarded to a fraudulent site. Once their wallets are connected, victims are then prompted to sign an Approve Alltransaction giving the attacker control to initiate transactions from their wallets. The attacker also seems to have saved some signature that were used later.

Unfortunately nobody ever reads what they signed.

Worse for hardware cold wallets, because all of them are using blind signing. There is literally no way to see what you are signing on your ledger or trezor.

The individual/group responsible for the attack has also brazenly sent ETH, and NFTs back to select victims. Within the wallet, currently they have numerous valuable assets including 3 Bored Ape Yacht Club, 2 Clonex, 17 Azuki, and 631 ETH. The attacker appears to have exploited users by having them sign a fraudulent signature to approve a private sale of your NFT at 0 ETH to the attacker’s wallet.

While some say it is a social engineering attack, @JacobOracle says it is a smart contract exploit. So we will wait to see where this story evolves.

How could this happen? Isn’t it supposed to be a smart contract?

All NFT marketplaces require at least 2 steps for the transfer and sale of an NFT.

The first is for users to commit the approval transaction on chain, to “allow” the smart contract to “do anything” to your NFT. Yes! That is the level of trust we are giving the smart contract when we sign the “benign” Approve transaction. Imagine some even give Approvepermissions to contracts that are not open source. It’s like leaving your house open to someone whom you have no idea what their intentions are.

The second step could be off chain or on chain. In OpenSea’s case, an off chain signature fulfilling certain criteria lets you list the NFT for sale, and if certain conditions are fulfilled, the “sale” will be executed by the contract. In this particular case, the signature has “allowed” the victim to “sell” the NFT at 0 ETH to the attacker.

What can I do now?

You might want to revoke all the approvals on your account. Users can check what smart contracts are given approvals to assets in your wallet at https://revoke.cash/.

1. Go to https://revoke.cash/.
2. Click Connect Wallet on the top right corner.
3. Click on NFTs.

4. Select Revoke and commit on the blockchain.

What is OpenDAO’s response?

1) Try to seed a compensation fund.

We are currently asking our token holders to allow us to use up to 170K USD from our treasury for this specific incident. If you hold $SOS, and you agree with what we are trying to achieve. Please go vote on this.

We must remember our Vision and Mission to compensate verified scam victims on OpenSea with $SOS.

Although our treasury has shrunk as part of the whole market contraction, our hearts 💕 are still very big.

You can also make a direct donation to the compensation gnosis safe, 0x5f17672F4a970bA8a080238676b8103E7Ceaea26. Thank you very much, you are a good samaritan, and good people will always be rewarded.

2) Try to collect the compensation claims.

If you are a victim, please submit your claim on this tally form. https://tally.so/r/3xEZdw

About the OpenDAO

A decentralized community of digital natives united by the common goals of:

• Building $SOS to be the central asset for the metaverse and web3 communities;
• Bridging the gap between existing intellectual property and the metaverse;
• Building core infrastructure for the non-fungible tokens (NFTs) ecosystem.

Missions

1. $SOS to be the “Top of the Mind” token for NFTs.
2. Support emerging artists and their original work.
3. Compensate verified scam victims on OpenSea with $SOS.
4. Drive education in the space.