Opensea has ruled out its new contract migration as a vector for the attack on its platform.
Opensea, the dominant NFT marketplace, was hit by a phishing attack while it was migrating to a new smart contract. The attacker targeted users who had, at some earlier point, signed orders with their wallets that were never submitted to the platform.
An end of day update on the recent ecosystem phishing attack ↯
— OpenSea (@opensea) February 22, 2022
In an update posted on Twitter, the platform said it was still investigating the scale of the attack to determine which users were affected.
Nadav Hollander, Opensea's CTO, said that a review of the orders submitted by the attacker found that:
“All of the malicious orders contain valid signatures from the affected users, indicating that they did sign an order somewhere, at some point in time. However, none of these orders were broadcasted to OpenSea at the time of signing.”
He also clarified that none of the malicious orders were executed against the new contract to which Opensea is migrating, which is why the migration itself has been ruled out as the attack vector.
The new contract, known as Wyvern 2.3, is the one to which the platform will complete its migration on February 25.
Hollander said the targeted attack led to the theft of NFTs from 32 users. According to him, the investigation concluded that the attacker took advantage of the deprecation of the previous smart contract during the migration to the new one.
Preventive Measures Against Future Attacks
The CTO said that, in light of the attack, the platform has implemented EIP-712 on the new contract. EIP-712 defines a typed, structured format for off-chain messages, so a wallet can display the actual fields of an order rather than an opaque hash, which makes it harder to trick a user into signing an order without knowing what they signed.
With the new implementation, users can see the contents of what they are being asked to sign. A readable prompt does not make a signature revocable: an order signed under EIP-712 is just as binding as one signed blindly, so the protection lies in the user being able to inspect what they approve. He said that while it is widely understood that seed phrases must never be shared, signing off-chain messages brings its own risks that demand extra care. He added that:
“We as a community must move to standardizing off-chain signatures using EIP-712 typed data or other agreed-upon standards like EIP-4361 (the “Sign in with Ethereum” method).”
Orders on Opensea are now implemented in the EIP-712 format, according to Hollander.