OpenSea Investigating ‘Exploit Rumors’ as Users Complain of Missing NFTs
Emails purporting to be from the NFT marketplace about a planned smart contract migration may have been a phishing attack.
Updated May 11, 2023 at 5:55 p.m. UTC
- “We are actively investigating rumors of an exploit associated with OpenSea related smart contracts,” OpenSea posted to Twitter Saturday night U.S. hours. “This appears to be a phishing attack originating outside of OpenSea's website. Do not click links outside of opensea.io.”
- Around 10:50 p.m. ET, OpenSea CEO Devin Finzer followed up in a tweet that “32 users thus far have signed a malicious payload from an attacker, and some of their NFTs were stolen.” He added that the company is “not aware of any recent phishing emails that have been sent to users,” and suggested a fraudulent website may be to blame.
- OpenSea had planned to revise its smart contract (the code governing its trading platform, essentially) by releasing a brand-new contract on Friday. The upgraded contract was intended to ensure old, inactive listings on the platform would eventually expire.
- On Twitter, traders shared what they’d initially thought were official OpenSea emails about the migration process from contract A to contract B.
- PeckShield, a blockchain security company that audits smart contracts, stated that the rumored exploit was “most likely phishing” – a malicious contract hidden in a disguised link. The company cited that same mass email about the migration process as one of the possible sources of the link.
- The apparent attacker’s address (which the blockchain explorer website Etherscan has already slapped with a “phish/hack” warning badge) holds about $1.7 million worth of ether (ETH), as well as three tokens from the Bored Ape Yacht Club, two Cool Cats, one Doodle and one Azuki.
Update (Feb. 20, 04:42 UTC): Adds public statement from OpenSea CEO.