Despite the continued volatility in the digital asset sector, one niche that has continued to flourish is the non-fungible token (NFT) market. This is evident from the growing number of household-name companies, such as Coca-Cola, Adidas, the New York Stock Exchange (NYSE) and McDonald's, among many others, that have entered the burgeoning Metaverse ecosystem in recent months.
Furthermore, with global NFT sales reaching $40 billion over the course of 2021 alone, many analysts expect the trend to continue. For example, US investment bank Jefferies recently raised its market capitalization forecast for the NFT sector to over $35 billion in 2022 and over $80 billion by 2025, a projection echoed by JP Morgan.
However, as with any market growing at such an exponential rate, security problems are to be expected. The prominent NFT marketplace OpenSea was recently the victim of a phishing attack that came just hours after the platform announced a planned week-long contract upgrade under which all inactive listings would be delisted.
Going deeper into the topic
On February 18, OpenSea revealed that it was going to carry out a smart contract upgrade, requiring all of its users to migrate their existing Ethereum listings to a new smart contract. Users who did not complete the migration risked losing their old, inactive listings.
The short migration window gave attackers a powerful window of opportunity. Within hours of the announcement, it emerged that a sophisticated phishing campaign was under way, stealing NFTs from many users who had listings on the platform before those listings could be migrated to the new smart contract.
We are actively investigating rumors of an exploit associated with OpenSea related smart contracts. This appears to be a phishing attack originating outside of OpenSea’s website. Do not click links outside of https://t.co/3qvMZjxmDB.
— OpenSea (@opensea) February 20, 2022
Providing a technical breakdown of the matter, Neeraj Murarka, CTO and co-founder of Bluezelle, a blockchain ecosystem for GameFi, told Cointelegraph that, at the time of the incident, OpenSea was using a protocol called Wyvern, a standard component that most NFT web applications use because it allows tokens held in users' wallets to be listed, managed and transferred.
Because the Wyvern contract lets users act on the NFTs held in their wallets, a hacker was able to email OpenSea users posing as a representative of the platform, encouraging them to sign transactions "blindly", that is, to approve an opaque payload whose actual effect the wallet never displayed. Murarka added:
“Metaphorically, this was like signing a blank check. Normally, this is fine if the payee is the recipient. Keep in mind that an email can be sent by anyone but made to look like it was sent by someone else. In this case, the beneficiary appears to be a single hacker who was able to use these signed transactions to effectively transfer and steal NFTs from these users.”
In an interesting turn of events, the hacker apparently returned some of the stolen NFTs to their rightful owners after the incident, and efforts are under way to recover other lost assets. Giving his take on the matter, Alexander Klus, founder of Creaton, a Web3 content creation platform, told Cointelegraph that the phishing email campaign had users sign a malicious order that approved draining all of their holdings at any time. “We need better signing standards (EIP-712) so people can actually see what they’re doing when approving a transaction.”
Lastly, Lior Yaffe, co-founder and director of Jelurida, a blockchain software company, noted that the episode was a direct result of the confusion surrounding OpenSea’s poorly planned smart contract upgrade, as well as the platform’s transaction approval architecture.
NFT markets must improve their security
In Murarka’s opinion, web applications that use the Wyvern smart contract system should be bolstered with usability improvements so that users do not keep falling for this type of phishing attack, adding:
“Very clear warnings should be made to educate the user about phishing attacks and make them aware that emails will never be sent asking the user to do something. Web applications like OpenSea should adopt a strict protocol to never communicate with users via email, apart from registration data.”
That said, he admitted that even if OpenSea were to adopt the most secure security and privacy protocols and standards, it remains the responsibility of its users to educate themselves about these risks. “Unfortunately, the web application itself is often blamed, even though the user was the one who was phished. Who is responsible? The answer is not clear,” he says.
A similar view is shared by Jessie Chan, chief of staff at ParallelChain Lab, a decentralized blockchain ecosystem, who told Cointelegraph that, regardless of how the attack was orchestrated, the problem does not depend entirely on OpenSea’s existing security protocols but also on users’ awareness of phishing. The question remains whether the marketplace operator should have provided enough information to keep its users informed about how to handle such scenarios.
Another way to mitigate phishing, Chan suggested, is for all interactions between users and the web application to take place solely through a dedicated desktop or mobile interface: “If all interactions required the use of a desktop application, these attacks could be completely avoided.”
Offering his opinion on the matter, Yaffe pointed out that the root problem is the basic architecture of most NFT marketplaces, which lets users sign a carte blanche approval for a third-party contract to move assets out of their wallet without setting any spending limit:
“Since the OpenSea team didn’t actually discover the origin of the phishing operation, it’s possible that it will happen again the next time they try to make a change to their architecture.”
What can be done?
Murarka pointed out that the best way to eliminate these attacks is for people to start using hardware wallets, since most software wallets, as well as other custodial solutions, are too vulnerable in their overall design and operation. He explained: “As with bitcoin, Ethereum, etc., the NFTs themselves should be moved to hardware wallet accounts rather than being left on a centralized platform,” adding:
“Users need to be very aware of the risks of responding to the emails they receive and act accordingly. Emails can be spoofed very easily, and users need to be proactive about the security of their crypto assets.”
NFT owners should also only use web applications that employ sound security practices, checking that the marketplace is served over HTTPS (at a minimum) and that the lock icon in the browser’s address bar shows a certificate for the domain they actually intended to visit. Note what this check does and does not prove: HTTPS guarantees that the browser is talking to the domain in the address bar, not that the domain is the legitimate marketplace, and a phishing site can carry a perfectly valid certificate. Likewise, a hardware wallet will sign a malicious order just as readily as a software wallet if the user approves it, so the safeguard that actually matters in an attack like this one is reading what the wallet asks you to sign before confirming.
Yaffe believes that users should be careful with contract approvals and accurately track contracts that have been greenlit in the past. “Users should revoke unnecessary or insecure approvals. If possible, users should specify a reasonable spending limit for each contract approval“, he concludes.
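Yaffe’s advice above (and the architectural problem he describes a few paragraphs earlier) can be put into practice offline. The following script is an added example written for this article, not code from OpenSea, Wyvern or any of the experts quoted: it replays the standard `Approval` and `ApprovalForAll` event logs for a wallet in chain order, reconstructs which approvals are still live (later events override earlier ones, and a zero value or zero address revokes), and flags the two kinds that amount to a blank check: `setApprovalForAll` operator grants over a whole collection and effectively unlimited ERC-20 allowances. The two topic hashes are the well-known keccak256 values of the event signatures; all addresses and log entries are constructed sample data, and the `2**128` allowance cap is an arbitrary threshold chosen for illustration.

```python
"""Offline audit of a wallet's token approvals from raw Ethereum event logs."""
from dataclasses import dataclass

# topic[0] of the standard events: keccak256("Approval(address,address,uint256)") and
# keccak256("ApprovalForAll(address,address,bool)"). ERC-20 and ERC-721 Approval share the
# first hash; they differ in how many arguments are indexed (3 vs. 4 topics).
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVAL_FOR_ALL_TOPIC = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"
UINT256_MAX = 2**256 - 1
ZERO_ADDRESS = "0x" + "00" * 20


def _strip(h):
    return h[2:] if h.startswith("0x") else h


def topic_to_address(topic):
    """An indexed address is left-padded with zeros to 32 bytes inside a topic."""
    h = _strip(topic).lower()
    if len(h) != 64 or h[:24] != "0" * 24:
        raise ValueError(f"topic is not a padded address: {topic}")
    return "0x" + h[24:]


def word_to_uint(word):
    """Decode a single 32-byte ABI word as an unsigned integer."""
    h = _strip(word)
    if len(h) != 64:
        raise ValueError(f"expected a 32-byte word: {word}")
    return int(h, 16)


@dataclass(frozen=True)
class Approval:
    contract: str
    spender: str
    kind: str   # "operator" (setApprovalForAll), "allowance" (ERC-20), "token" (ERC-721 approve)
    value: int  # allowance amount, or the tokenId for kind == "token"


def current_approvals(logs, owner):
    """Replay approval events for `owner` in chain order; later events override earlier ones."""
    owner = owner.lower()
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = [t.lower() for t in log["topics"]]
        if len(topics) < 3:
            continue
        contract = log["address"].lower()
        log_owner, spender = topic_to_address(topics[1]), topic_to_address(topics[2])
        if log_owner != owner:
            continue
        if topics[0] == APPROVAL_FOR_ALL_TOPIC and len(topics) == 3:   # bool approved in data
            key, live, value = (contract, spender, "operator"), word_to_uint(log["data"]) != 0, 1
        elif topics[0] == APPROVAL_TOPIC and len(topics) == 3:         # ERC-20: value in data
            value = word_to_uint(log["data"])
            key, live = (contract, spender, "allowance"), value != 0
        elif topics[0] == APPROVAL_TOPIC and len(topics) == 4:         # ERC-721: tokenId indexed
            token_id = word_to_uint(topics[3])
            key, live, value = (contract, token_id, "token"), spender != ZERO_ADDRESS, token_id
        else:
            continue
        if live:
            state[key] = Approval(contract, spender, key[2], value)
        else:
            state.pop(key, None)   # revocation: approve(0) / setApprovalForAll(x, false)
    return [state[k] for k in sorted(state, key=str)]


def risky_approvals(approvals, allowance_cap=2**128):
    """Flag approvals that grant far more than any single trade needs (cap is illustrative)."""
    findings = []
    for a in approvals:
        if a.kind == "operator":
            findings.append((a, "operator can move every token you hold in this collection"))
        elif a.kind == "allowance" and a.value >= allowance_cap:
            findings.append((a, "effectively unlimited allowance; re-approve with a per-trade amount"))
    return findings


# ---- constructed sample data (hypothetical addresses, not real chain data) ----
def _addr_topic(addr):
    return "0x" + "0" * 24 + _strip(addr).lower()


def _word(n):
    return "0x" + format(n, "064x")


OWNER, OPERATOR, SPENDER = "0x" + "11" * 20, "0x" + "aa" * 20, "0x" + "bb" * 20
NFT_A, NFT_B, TOKEN = "0x" + "c1" * 20, "0x" + "c2" * 20, "0x" + "dd" * 20
SAMPLE_LOGS = [
    {"blockNumber": 100, "logIndex": 0, "address": NFT_A, "data": _word(1),
     "topics": [APPROVAL_FOR_ALL_TOPIC, _addr_topic(OWNER), _addr_topic(OPERATOR)]},
    {"blockNumber": 100, "logIndex": 1, "address": TOKEN, "data": _word(UINT256_MAX),
     "topics": [APPROVAL_TOPIC, _addr_topic(OWNER), _addr_topic(SPENDER)]},
    {"blockNumber": 101, "logIndex": 0, "address": NFT_A, "data": "0x",
     "topics": [APPROVAL_TOPIC, _addr_topic(OWNER), _addr_topic(OPERATOR), _word(7)]},
    {"blockNumber": 102, "logIndex": 0, "address": NFT_B, "data": _word(1),
     "topics": [APPROVAL_FOR_ALL_TOPIC, _addr_topic(OWNER), _addr_topic(OPERATOR)]},
    {"blockNumber": 103, "logIndex": 0, "address": NFT_A, "data": _word(0),
     "topics": [APPROVAL_FOR_ALL_TOPIC, _addr_topic(OWNER), _addr_topic(OPERATOR)]},
    {"blockNumber": 104, "logIndex": 0, "address": TOKEN, "data": _word(1000),
     "topics": [APPROVAL_TOPIC, _addr_topic(OWNER), _addr_topic(SPENDER)]},
]

if __name__ == "__main__":
    for approval, reason in risky_approvals(current_approvals(SAMPLE_LOGS, OWNER)):
        print(f"{approval.contract} -> {approval.spender} [{approval.kind}]: {reason}")
```

In the sample, the collection-wide grant on `NFT_A` and the unlimited allowance on `TOKEN` are both later replaced (one revoked, one re-approved with a bounded amount), so the only finding left is the operator grant on `NFT_B`; the single-token `approve` on token 7 is scoped and is not flagged. To use this against a real wallet, feed it the `eth_getLogs` results for the two topics with the owner address in topic[1].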
Finally, Chan believes that, in an ideal scenario, users should keep their wallets on a dedicated device that they do not use to read email or browse the web, since both of those activities expose the device to all kinds of third-party attacks. He added:
“This is inconvenient, but when it comes to high-value assets and where there is no recourse in the event of theft, extreme care is warranted. And, as in all financial transactions, they must be very careful when deciding whom they deal with, as counterparties can also steal their assets and disappear.”
So, as we head into a future powered by NFTs and similar new digital offerings, it remains to be seen how the platforms operating in this space continue to evolve and mature, especially as an increasing amount of capital continues to make its way into the NFT market.
Clarification: The information and/or opinions expressed in this article do not necessarily represent the views or editorial line of Cointelegraph. The information set forth herein should not be taken as financial advice or an investment recommendation. All investment and trading activity involves risk, and it is the responsibility of each person to do their own research before making an investment decision.