from Hacker News

Possible significant OpenSea exploit; high value NFTs stolen

by zydex on 2/20/22, 12:32 AM with 17 comments

  • by rvz on 2/20/22, 1:16 AM

    Listen to the disaster in real time: https://twitter.com/0xBiZzy/status/1495199867152523265

    Etherscan and revoke.cash are down. This is the web3 utopia hype they have been screaming about, yet the centralized services they use (Etherscan) are going down, NFTs are being stolen via a vulnerability in OpenSea and there is no way to get them back. Ha.

    What a magnificent disaster.

  • by chizhik-pyzhik on 2/20/22, 1:37 AM

    This appears to be a phishing attack: https://twitter.com/cyphreth/status/1495206957589925892 https://twitter.com/0xfoobar/status/1495208279210876930

    Example attacker transaction: https://ethtx.info/mainnet/0x18c0b67adf306b7f0da948e238c1397...

    We see that this tx performs 3 layers of delegation, whereas normally the OpenSea WyvernExchange contract needs 2 (user's proxy delegates action to WyvernAtomicizer, which performs the transfer). In this case there's another layer: user proxy delegates to attacker contract 0xa2c0946ad444dccf990394c5cbe019a858a945bd, which then calls the Atomicizer to do a malicious transfer.
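
A defender-side check for the pattern described in the comment above, as an added example that is not part of the thread: it walks a simplified call trace and reports delegate targets under the user's proxy that are not on an allowlist. The trace format, the placeholder addresses and all function names are assumptions; only the attacker contract address comes from the comment.

```python
# Hand-constructed, simplified traces (not real chain data). Every address
# except ATTACKER is a placeholder, not a real contract address.
EXCHANGE, USER_PROXY = "0xEXCHANGE", "0xPROXY"
ATOMICIZER, NFT = "0xATOMICIZER", "0xNFT"
ATTACKER = "0xa2c0946ad444dccf990394c5cbe019a858a945bd"  # from the comment

def frame(kind, to, *calls):
    return {"type": kind, "to": to, "calls": list(calls)}

# Usual shape: proxy -> Atomicizer -> transfer (2 layers below the proxy).
NORMAL = frame("CALL", EXCHANGE, frame("CALL", USER_PROXY,
    frame("DELEGATECALL", ATOMICIZER, frame("CALL", NFT))))
# Reported shape: an extra contract sits between proxy and Atomicizer.
# Modelling the inner hop as DELEGATECALL is an assumption.
SUSPECT = frame("CALL", EXCHANGE, frame("CALL", USER_PROXY,
    frame("DELEGATECALL", ATTACKER,
        frame("DELEGATECALL", ATOMICIZER, frame("CALL", NFT)))))

def find_frame(node, address):
    """Depth-first search for the first frame whose target is `address`."""
    if node["to"].lower() == address.lower():
        return node
    for child in node["calls"]:
        hit = find_frame(child, address)
        if hit is not None:
            return hit
    return None

def layers_below(node):
    """Targets along the longest chain of frames beneath `node`."""
    paths = [[c["to"]] + layers_below(c) for c in node["calls"]]
    return max(paths, key=len, default=[])

def unexpected_delegates(node, allowed):
    """DELEGATECALL targets under `node` that are not allowlisted."""
    found = []
    for child in node["calls"]:
        if child["type"] == "DELEGATECALL" and child["to"].lower() not in allowed:
            found.append(child["to"])
        found += unexpected_delegates(child, allowed)
    return found

def audit(trace, proxy=USER_PROXY, allowed=(ATOMICIZER,)):
    """Report layer count and non-allowlisted delegates below the proxy."""
    root = find_frame(trace, proxy)
    if root is None:
        return {"layers": 0, "unexpected": []}
    allow = {a.lower() for a in allowed}
    return {"layers": len(layers_below(root)),
            "unexpected": unexpected_delegates(root, allow)}
```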

  • by Kye on 2/20/22, 4:17 AM

    While I'm no fan of cryptocurrency in general, it does seem like the space has plenty of people who understand security. The steady stream of high profile NFT hacks suggests none of them want to go near NFTs. If all the people NFTs are supposed to help won't touch them, and all the smart security people won't touch them, maybe there's a reason.

  • by cuteboy19 on 2/20/22, 5:38 AM

    I think we should stop using normative terminology like "stealing" when talking about NFTs and stuff. Code is law and the code says it belongs to the hacker. Maybe "involuntary transfer" is a better phrase instead.

  • by darthrupert on 2/20/22, 10:33 AM

    Yet nothing of value was lost. Weird.