Opensea phishing scandal reveals a security need across the NFT landscape



Despite the ongoing volatility in the digital asset space, one niche that has undoubtedly continued to flourish is the non-fungible token (NFT) market. This is evidenced by the fact that a growing number of mainstream movers and shakers have made their way into the metaverse ecosystem in recent months, including Coca-Cola, Adidas, the New York Stock Exchange (NYSE) and McDonald’s, among many others.

Furthermore, since global NFT sales exceeded $40 billion during 2021 alone, many analysts expect this trend to continue. For example, US investment bank Jefferies recently raised its market cap forecast for the NFT sector to over $35 billion for 2022 and over $80 billion for 2025 – a projection that was also mirrored by JPMorgan.


However, as with any market growing at such an exponential rate, security-related issues are to be expected as well. In this regard, major NFT marketplace OpenSea recently fell victim to a phishing attack, just hours after the platform announced a planned week-long upgrade that would clear out all dormant NFT listings.

Diving into the case

On February 18, OpenSea revealed that it was launching a smart contract upgrade that required all of its users to move their listed NFTs from the Ethereum blockchain to a new smart contract. Due to the upgrade, users who failed to facilitate the above migration were at risk of losing their old and inactive listings.

That said, because of the short migration time frame provided by OpenSea, attackers were presented with a convenient window of opportunity. Within hours of the announcement, it was revealed that nefarious third parties had launched a sophisticated phishing campaign, stealing NFTs listed on the platform from multiple users before the listings could be migrated to the new smart contract.

Providing a technical analysis of the matter, Neeraj Murarka, chief technical officer and co-founder of Bluzelle, a blockchain for the GameFi ecosystem, told Cointelegraph that at the time of the incident, OpenSea was using a standard technical module, a protocol called Wyvern. Most NFT web apps make use of it because it allows the management, storage and transfer of these tokens in users’ wallets.

Because the Wyvern smart contract allowed users to work with NFTs stored in their “wallets”, the attacker was able to send emails to OpenSea customers, posing as representatives of the platform, that encouraged them to sign “blind” transactions. Murarka added:

“Metaphorically, it was like signing a blank check. Generally, it’s fine if the recipient is the intended recipient. Keep in mind that the email can be sent by anyone, but it appears that the email is someone else’s.” In this case, the recipient appears to be a single hacker who was able to use these signed transactions to transfer and effectively steal NFTs from these users.

Furthermore, in an interesting turn of events, the hacker apparently returned some of the stolen NFTs after the incident. While some stolen NFTs have been handed back to their rightful owners, efforts to recover the other lost assets are ongoing. Giving his opinion on the whole matter, Alexander Klus, founder of Web3 content creation platform Creaton, told Cointelegraph that the phishing email campaign used a malicious signature transaction to gain approval over all of a victim’s holdings, so that they could be liquidated at any time. “We need better signature standards (EIP-712) so that people can actually see what they are doing when they approve a transaction.”

Finally, Lior Yaffe, co-founder and director of blockchain software company Jelurida, explained that the episode was a direct result of OpenSea’s poorly planned smart contract upgrade, as well as confusion surrounding the platform’s transaction approval architecture.

NFT marketplaces need to step up their security game

In Murarka’s view, web apps that use the Wyvern smart contract system should be augmented with usability improvements to ensure that users do not repeatedly fall for such phishing attacks, adding:

“A very clear warning should be given to educate the user about phishing attacks and to drive home the fact that emails will never be sent asking the user to take some action. Web apps like OpenSea need to be used in addition to just registration data. A strict protocol should be adopted not to communicate with users through email.”

That said, he acknowledged that even if OpenSea were to adopt the most secure security/privacy protocols and standards, it is still up to its users to educate themselves about these risks. “Unfortunately, the web app is often held responsible, even if it was the user who was phished. Who is responsible? The answer is unclear,” he said.

A similar sentiment is shared by Jesse Chan, chief of staff at ParallelChain Lab, a decentralized blockchain ecosystem, who told Cointelegraph that regardless of how the attack was executed, the issue does not rest entirely on OpenSea’s existing security protocols but also depends on user awareness of phishing. The question is whether the marketplace operator could have provided enough information to keep its users informed about how to deal with such scenarios.

Another possibility for mitigating potential phishing events is to conduct all interactions between users and their web apps entirely through a dedicated mobile/desktop interface. “If all interactions require the use of a desktop app, such attacks can be circumvented entirely.”

Giving his opinion on the subject, Yaffe said that the main problem – which is at the heart of this entire issue – is the basic architecture of most NFT marketplaces, which enables users to sign carte blanche approvals that let third-party contracts use their personal wallets without setting any spending limits:

“Since the OpenSea team didn’t actually trace the source of the phishing operation, it could happen again the next time they try to make changes to their architecture.”

What can be done?

Murarka said the best way to eliminate the possibility of these attacks is for people to start using hardware wallets. This is because most software wallets, as well as other custodial storage solutions, are very weak in their general design and operational approach. He further elaborated: “NFTs, like bitcoin, ethereum, etc., should be moved to hardware wallet accounts rather than being left on a centralized platform,” adding:

“Users need to be super aware of the risks of responding to and acting on emails they receive. Emails can be faked very easily, and users need to be proactive about protecting their crypto assets.”

Another thing NFT owners need to remember is that they should only visit web apps that employ high-quality security protocols, checking that the marketplaces they access use (at least) HTTPS and that the lock symbol shown in their browser window when visiting any webpage is clearly visible and correctly points to the intended company. The lock only confirms an encrypted connection to the domain shown; the domain name itself still has to be checked against the genuine one.

Yaffe believes that users should be mindful of contract approvals and keep accurate track of the contracts they have flagged in the past. “Users should revoke unnecessary or unsafe approvals. Users should specify an appropriate spending limit for each contract approval, if possible,” he concluded.
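To make Yaffe’s two points concrete, that marketplaces let users sign carte blanche approvals with no spending limit and that users should review, bound and revoke such approvals, here is an added example that is not code from the article, from OpenSea or from the Wyvern protocol. It is a wallet-side pre-signature check in plain JavaScript that decodes raw transaction calldata, flags the two standard approval calls (ERC-721 `setApprovalForAll` and ERC-20/ERC-721 `approve`) by risk, and builds the calldata that would revoke an approval. The function selectors are the standard ERC-20/ERC-721 values; the trusted-operator allowlist and all addresses are constructed placeholders.

```javascript
// Added example (not code from the article, OpenSea or Wyvern): a wallet-side
// pre-signature check that inspects raw Ethereum calldata for the approval
// calls discussed above, and a helper that builds the calldata to revoke one.
// Pure JavaScript, no dependencies. Function selectors are the first 4 bytes
// of keccak256 over the canonical signature (standard ERC-20/ERC-721 values):
//   approve(address,uint256)        -> 0x095ea7b3
//   setApprovalForAll(address,bool) -> 0xa22cb465
const SELECTOR_APPROVE = "095ea7b3";
const SELECTOR_SET_APPROVAL_FOR_ALL = "a22cb465";
const UINT256_MAX = (1n << 256n) - 1n;
const ZERO_ADDRESS = "0x" + "0".repeat(40);

// Constructed allowlist of operators the user has deliberately trusted.
// Placeholder address, not a real marketplace contract.
const TRUSTED_OPERATORS = new Set(["0x1111111111111111111111111111111111111111"]);

// Strip the 0x prefix, lowercase, and require a 4-byte selector followed by
// whole 32-byte ABI words.
function normalizeCalldata(data) {
  const hex = (data.startsWith("0x") ? data.slice(2) : data).toLowerCase();
  if (!/^[0-9a-f]*$/.test(hex)) throw new Error("calldata is not hex");
  if (hex.length < 8 || (hex.length - 8) % 64 !== 0) throw new Error("malformed ABI calldata");
  return hex;
}

const abiWord = (hex, i) => hex.slice(8 + i * 64, 8 + (i + 1) * 64);
const decodeUint256 = (word) => BigInt("0x" + word);
const encodeUint256 = (n) => n.toString(16).padStart(64, "0");
const encodeAddress = (addr) => addr.slice(2).toLowerCase().padStart(64, "0");

// An ABI-encoded address is 12 zero bytes of padding followed by 20 address bytes.
function decodeAddress(word) {
  if (!word.startsWith("0".repeat(24))) throw new Error("address word has non-zero padding");
  return "0x" + word.slice(24);
}

// Classify a transaction the wallet is about to ask the user to sign.
// standard: "ERC20" or "ERC721" (approve() shares a selector, but its second
// argument is an amount for ERC-20 and a token id for ERC-721).
// spendingLimit: the largest ERC-20 allowance the user considers acceptable.
function analyzeApproval(calldata, { standard = "ERC20", spendingLimit = 0n } = {}) {
  const hex = normalizeCalldata(calldata);
  const selector = hex.slice(0, 8);
  const words = (hex.length - 8) / 64;

  if (selector === SELECTOR_SET_APPROVAL_FOR_ALL && words === 2) {
    const operator = decodeAddress(abiWord(hex, 0));
    const approved = decodeUint256(abiWord(hex, 1)) !== 0n;
    const base = { kind: "setApprovalForAll", standard, operator };
    if (!approved) return { ...base, risk: "low", reason: "revokes operator access" };
    if (TRUSTED_OPERATORS.has(operator)) {
      return { ...base, risk: "medium", reason: "trusted operator gains control of every token in the collection" };
    }
    return { ...base, risk: "high", reason: "unknown operator gains control of every token in the collection" };
  }

  if (selector === SELECTOR_APPROVE && words === 2) {
    const spender = decodeAddress(abiWord(hex, 0));
    const value = decodeUint256(abiWord(hex, 1));
    const trusted = TRUSTED_OPERATORS.has(spender);
    if (standard === "ERC721") {
      // Single-token approval: bounded by construction, so never "high".
      const nftBase = { kind: "approve", standard, spender, tokenId: value };
      if (spender === ZERO_ADDRESS) return { ...nftBase, risk: "low", reason: "clears the token's approved address" };
      return { ...nftBase, risk: trusted ? "low" : "medium", reason: "approves one token id" };
    }
    const base = { kind: "approve", standard, spender, amount: value };
    if (value === 0n) return { ...base, risk: "low", reason: "revokes allowance" };
    if (value === UINT256_MAX) return { ...base, risk: "high", reason: "unlimited allowance" };
    if (value > spendingLimit) return { ...base, risk: "high", reason: "allowance exceeds the user's spending limit" };
    return { ...base, risk: trusted ? "low" : "medium", reason: "bounded allowance" };
  }

  return { kind: "other", selector, risk: "info", reason: "not a token approval call" };
}

// Build the calldata that undoes an approval found by analyzeApproval():
// setApprovalForAll(operator, false), approve(spender, 0) for ERC-20, or
// approve(address(0), tokenId) for ERC-721.
function revokeCalldata(analysis) {
  if (analysis.kind === "setApprovalForAll") {
    return "0x" + SELECTOR_SET_APPROVAL_FOR_ALL + encodeAddress(analysis.operator) + encodeUint256(0n);
  }
  if (analysis.kind === "approve" && analysis.standard === "ERC721") {
    return "0x" + SELECTOR_APPROVE + encodeAddress(ZERO_ADDRESS) + encodeUint256(analysis.tokenId);
  }
  if (analysis.kind === "approve") {
    return "0x" + SELECTOR_APPROVE + encodeAddress(analysis.spender) + encodeUint256(0n);
  }
  throw new Error("nothing to revoke");
}

// Constructed sample: a setApprovalForAll(unknownOperator, true) request, the
// kind of blanket approval a wallet should warn loudly about before signing.
const sampleOperator = "0x2222222222222222222222222222222222222222";
const sample = "0x" + SELECTOR_SET_APPROVAL_FOR_ALL + encodeAddress(sampleOperator) + encodeUint256(1n);
console.log(analyzeApproval(sample, { standard: "ERC721" }));
console.log("revoke with:", revokeCalldata(analyzeApproval(sample, { standard: "ERC721" })));
```

The check only reads the calldata, so it works on any request before a signature exists; a wallet would show the `risk` and `reason` fields in its confirmation dialog and offer the output of `revokeCalldata()` as a one-click cleanup for approvals the user no longer wants. It deliberately does not inspect a blind-signed Wyvern order hash, which is exactly the case the article describes as unreadable without EIP-712 typed data.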


Ultimately, Chan believes that in an ideal scenario, users should keep their wallets on a dedicated device that they don’t use to read email or browse the web, since general-purpose devices are exposed to every kind of third-party attack. He adds:

“It is inconvenient, but when dealing with property of great value and there is no recourse in the event of theft, extreme caution is appropriate. And, as with all financial transactions, they must be very careful in deciding who to deal with, because the counterparty can also steal your assets and disappear.”

Therefore, moving into a future driven by NFTs and other similar novel digital offerings, it remains to be seen how the platforms operating within this space continue to develop and mature, especially as increasing amounts of capital keep making their way into the NFT market.