The latest vulnerability discovered by OpenSea raises a wider and more serious question about the global NFT ecosystem’s existing security infrastructure.
Despite the current instability in the digital asset market, the nonfungible token (NFT) market has unquestionably continued to thrive. This is evidenced by the fact that, in recent months, a rising number of major players, including Coca-Cola, Adidas, the New York Stock Exchange (NYSE), and McDonald's, have entered the booming Metaverse ecosystem.
Furthermore, many analysts expect this trend to continue, given that global NFT sales reached $40 billion in 2021 alone. For example, Jefferies, an American investment firm, recently raised its market-cap forecast for the NFT industry to over $35 billion in 2022 and over $80 billion in 2025, a prediction echoed by JP Morgan.
However, as with any market that is growing at such a rapid rate, security concerns must be anticipated. In this regard, the popular nonfungible token (NFT) marketplace OpenSea was recently targeted by a phishing attack, which occurred just hours after the platform announced a week-long upgrade to remove all inactive NFTs.
Examining the situation
On February 18, OpenSea announced that it would begin a smart contract upgrade that would require all of its customers to move their listed NFTs from the Ethereum blockchain to a new smart contract. Users who failed to facilitate the above-mentioned migration risked losing their old and inactive listings as a result of the upgrade.
However, OpenSea's short migration deadline handed the attackers a powerful window of opportunity. Within hours of the announcement, it was revealed that malicious third parties had launched a sophisticated phishing campaign, taking NFTs from many of the platform's users before those users could move them to the new smart contract.
According to Neeraj Murarka, chief technical officer and cofounder of Bluzelle, a blockchain for the GameFi ecosystem, OpenSea was using a protocol called Wyvern at the time of the incident. Wyvern is a standard module that most NFT web apps use because it allows the management, storage, and transfer of these tokens within users' wallets.
Because the Wyvern smart contract allowed a third party to operate on the NFTs held in users' wallets, the attacker was able to send emails to OpenSea customers posing as a representative of the platform, pushing them to sign "blind" transactions whose effect they could not read.
In an unexpected turn of events, the attacker appears to have returned some of the stolen NFTs to their rightful owners following the incident, and further efforts are being made to recover other lost assets. Alexander Klus, founder of Creaton, a Web3 content creation platform, told Cointelegraph that the phishing email campaign used a fraudulent signing transaction to approve all holdings to be drained at any time. "Better signature standards are required (EIP-712) so that users can see what they're doing when accepting a transaction."
Finally, Lior Yaffe, cofounder and director of Jelurida, a blockchain software startup, pointed out that the incident was caused by uncertainty over OpenSea’s poorly conceived smart contract upgrade and the platform’s transaction approval architecture.
NFT markets must improve their security
Web apps that use the Wyvern smart contract system, according to Murarka, should be reinforced with usability enhancements to ensure that consumers don't fall for phishing attacks again and again, adding:
"Extremely clear warnings should be issued to educate users about phishing attacks and to emphasise the fact that emails will never be delivered that ask the user to take any action. Web programmes like OpenSea should enforce a rigorous policy of never communicating with users via email, with the exception of maybe registering data."
He did acknowledge, however, that even if OpenSea adopted the safest security/privacy protocols and regulations, it is still the responsibility of its users to educate themselves about the hazards. “Unfortunately, even if the user was the one who was phished, the web app is frequently blamed.” Who is to blame for this? “The answer is ambiguous,” he stated.
Jessie Chan, chief of staff at ParallelChain Lab, a decentralised blockchain ecosystem, expressed a similar sentiment to Cointelegraph, saying that regardless of how the attack was carried out, the issue does not depend solely on OpenSea's existing security protocols, but also on user awareness of phishing. The question remains whether the marketplace operator could have provided enough information to its customers to keep them informed about how to handle such situations.
Another way to avoid phishing attacks is to have all interactions between users and their online apps run through a specialised mobile/desktop interface. "Such attacks might be fully avoided if all interactions required the use of a desktop software."
Yaffe explained that the core problem is the basic architecture of most NFT marketplaces, which allows users to sign a carte blanche approval for a third-party contract to use their private wallet without setting a spending limit:
“Since the OpenSea team was unable to determine the source of the phishing operation, it is possible that it will occur again the next time they seek to update their design.”
What options do we have?
The easiest way to eliminate the likelihood of these attacks, according to Murarka, is for individuals to start using hardware wallets, because most software wallets and other custodial storage solutions are too insecure in terms of design and operation. "Much like Bitcoin, Ethereum, and other centralised platforms, NFTs themselves should be relocated to hardware wallet accounts instead of being left on a centralised site," he continued, adding:
“Users must be acutely aware of the dangers of responding to and acting on emails. Users must be proactive about the safety of their crypto holdings because emails can be readily spoofed.”
Another thing NFT owners should keep in mind is that they should only use web apps that use high-quality security protocols, making sure that the accessed marketplaces use the HTTPS mechanism (at the very least) and that they can clearly see a lock symbol on the top left of their browser window — which correctly points to the intended company — while visiting any webpage.
Users should be cautious about contract approvals, according to Yaffe, and keep accurate records of the contracts they have previously approved. "Users should remove any approvals that are unneeded or dangerous. Users should designate a fair cost limit for each contract approval if at all possible," he says.
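The blanket approval Yaffe describes is, in ERC-721 terms, an ApprovalForAll grant to an operator contract, and the record-keeping he recommends amounts to replaying a wallet's ApprovalForAll event history to see which operators are still approved. The following is an added example, not code from the article or from OpenSea; it works on constructed, already-decoded event records (the addresses, block numbers and the "known operator" list are made up), and flags every operator that is not on the wallet owner's own allow-list for revocation.

```javascript
// Added example: rebuild the current ERC-721 ApprovalForAll state of one wallet
// from its event history and flag operators the owner did not knowingly approve.
// All records below are constructed for illustration; an indexer or RPC node
// would normally supply them. Later events override earlier ones, so chain
// order (block number, then log index) decides the final state.
const SAMPLE_EVENTS = [
  // Deliberately out of chain order to show that sorting matters.
  { block: 250, logIndex: 9, collection: "0xCollectionA", owner: "0xWallet1", operator: "0xMarketplaceV1", approved: false },
  { block: 100, logIndex: 3, collection: "0xCollectionA", owner: "0xWallet1", operator: "0xMarketplaceV1", approved: true },
  { block: 100, logIndex: 7, collection: "0xCollectionB", owner: "0xWallet1", operator: "0xMarketplaceV1", approved: true },
  { block: 250, logIndex: 1, collection: "0xCollectionA", owner: "0xWallet1", operator: "0xMarketplaceV1", approved: true },
  // A grant to an operator the owner never meant to approve (the effect a blind signature can have).
  { block: 300, logIndex: 2, collection: "0xCollectionB", owner: "0xWallet1", operator: "0xUnknownOperator", approved: true },
  // Another wallet's event, which must not leak into Wallet1's view.
  { block: 310, logIndex: 0, collection: "0xCollectionA", owner: "0xWallet2", operator: "0xUnknownOperator", approved: true },
];

// Operators the owner intentionally approved (assumed allow-list for this example).
const KNOWN_OPERATORS = new Set(["0xmarketplacev1"]);

// Returns the (collection, operator) pairs that are approved right now for `owner`.
function currentApprovals(events, owner) {
  const mine = events
    .filter((e) => e.owner.toLowerCase() === owner.toLowerCase())
    .sort((a, b) => a.block - b.block || a.logIndex - b.logIndex);
  const state = new Map(); // "collection|operator" -> latest event for that pair
  for (const e of mine) {
    const key = `${e.collection.toLowerCase()}|${e.operator.toLowerCase()}`;
    state.set(key, { collection: e.collection, operator: e.operator, approved: e.approved, block: e.block });
  }
  return [...state.values()].filter((s) => s.approved);
}

// Turns the live approvals into a review list: keep known operators, revoke the rest.
// Revocation is done on the collection contract with setApprovalForAll(operator, false).
function reviewApprovals(events, owner, knownOperators) {
  return currentApprovals(events, owner).map((a) => ({
    collection: a.collection,
    operator: a.operator,
    sinceBlock: a.block,
    action: knownOperators.has(a.operator.toLowerCase())
      ? "keep"
      : "revoke: call setApprovalForAll(operator, false) on the collection",
  }));
}

console.log(reviewApprovals(SAMPLE_EVENTS, "0xWallet1", KNOWN_OPERATORS));
```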
Finally, Chan believes that in an ideal case, users should keep their wallets on a separate platform that they don’t use to receive email or surf the web, noting that such platforms are vulnerable to third-party assaults. She continued, saying:
"This is annoying, but extra caution is required when dealing with high-value items where there is no redress in the event of theft. They should also be cautious in choosing who to deal with, as they should in all financial transactions, because counterparties can steal your assets and disappear."
As a result, as we move into a future dominated by NFTs and other creative digital products, it will be interesting to see how platforms in this field change and mature, especially as a significant amount of cash pours into the NFT market.