Critical threat: hackers have gained access to steal any NFT on the largest NFT token marketplace
Security researchers from Pocket Universe have discovered a critical vulnerability in one of the old smart contracts of the OpenSea NFT marketplace. It allows hackers to steal any non-fungible tokens that were listed on the platform before May 2022.
According to experts, the exploit was detected during the marketplace’s transition to the Seaport protocol, after which the researchers managed to communicate with one of the victims who lost his NFTs.
1. What could you lose? 💸
Well, it can drain any NFT that you've listed on Opensea from before May 2022
That's before they updated to Seaport pic.twitter.com/8yMCytSjjz
— Pocket Universe 🟣 (@PocketUniverseZ) October 28, 2022
The Seaport update took place on May 23, so all NFTs placed on the marketplace before then are at risk. To verify NFT orders, OpenSea used the Wyvern protocol: when tokens are listed, a proxy contract is generated with the right to return them, and the user authorizes this operation by adding his or her address. With the exploit, hackers change the address to which the NFTs are returned, so when users list tokens they authorize the return to the hackers' address.
Given that this exploit has not been publicly reported before, Pocket Universe researchers believe that there may be many victims. Users are therefore advised to carefully check all transactions and revoke any authorizations for old contracts. This way, hackers will not be able to return the user's tokens to the hackers' own address.
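The check-and-revoke advice above can be automated along these lines. This is an added example, not code from Pocket Universe or OpenSea. It assumes the authorization is an ERC-721 operator approval recorded as `ApprovalForAll` events that have already been fetched and decoded; the field names and all addresses are constructed placeholders.

```python
from datetime import datetime, timezone

# Seaport cut-over date given in the article (May 23, 2022), as a UTC timestamp.
CUTOVER = datetime(2022, 5, 23, tzinfo=timezone.utc).timestamp()

# Constructed sample log of decoded ApprovalForAll events. Every address here
# is a made-up placeholder, not a real wallet or contract.
OWNER = "0x" + "a1" * 20
OLD_PROXY = "0x" + "b2" * 20     # operator first approved before the cut-over
NEW_OPERATOR = "0x" + "c3" * 20  # operator first approved after the cut-over
COLL_1, COLL_2 = "0x" + "d4" * 20, "0x" + "e5" * 20


def _ev(block, ts, collection, operator, approved):
    return {"block": block, "ts": ts, "collection": collection,
            "owner": OWNER, "operator": operator, "approved": approved}


EVENTS = [
    _ev(100, 1640995200, COLL_1, OLD_PROXY, True),     # 2022-01-01 grant
    _ev(120, 1643673600, COLL_2, OLD_PROXY, True),     # 2022-02-01 grant
    _ev(150, 1646092800, COLL_2, OLD_PROXY, False),    # 2022-03-01 revoke
    _ev(300, 1656633600, COLL_1, NEW_OPERATOR, True),  # 2022-07-01 grant
    _ev(310, 1656720000, COLL_2, OLD_PROXY, True),     # 2022-07-02 re-grant
]


def legacy_approvals(events, owner, cutover=CUTOVER):
    """Replay events in chain order and return the (collection, operator) pairs
    still approved whose operator was first approved before the cut-over."""
    first_seen, active = {}, set()
    for ev in sorted(events, key=lambda e: e["block"]):
        if ev["owner"].lower() != owner.lower():
            continue
        key = (ev["collection"].lower(), ev["operator"].lower())
        if ev["approved"]:
            first_seen.setdefault(key, ev["ts"])  # keep the earliest grant time
            active.add(key)
        else:
            active.discard(key)
    return sorted(k for k in active if first_seen[k] < cutover)


def revoke_calldata(operator):
    """ABI-encoded ERC-721 call setApprovalForAll(operator, false)."""
    return "0xa22cb465" + operator.lower()[2:].rjust(64, "0") + "0" * 64


if __name__ == "__main__":
    for collection, operator in legacy_approvals(EVENTS, OWNER):
        print("revoke on", collection, "->", revoke_calldata(operator))
```

The re-grant on 2022-07-02 is still flagged because the same operator was first approved before the cut-over, while the operator first approved afterwards is left alone.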
Ransomware is not the marketplace's only problem: in late August, members of the crypto community were outraged by changes at OpenSea. The platform changed its policy on combating stolen NFTs, allowing users to resell stolen non-fungible tokens if the marketplace does not receive notifications from law enforcement. According to a post on OpenSea's official Twitter account, if law enforcement agencies do not respond to such a resale within seven days after the stolen NFTs are posted, NFT owners have the right to trade them. This is how OpenSea representatives fight against false complaints of theft.