Nadav Hollander

Technical Analysis: OpenSea Phishing Attack

1) Sharing a technical run-down of the phishing attacks targeting @OpenSea users, including some web3 technical education.
👇
2) After reviewing the malicious orders, the following data points stand out:
- All of the malicious orders contain valid signatures from the affected users, indicating that they did sign an order somewhere, at some point in time. However, none of these orders were broadcast to OpenSea at the time of signing.
- None of the malicious orders were executed against the new (Wyvern 2.3) contract, indicating that they were signed before the migration and are unlikely to be related to OpenSea’s migration flow.
- 32 users had NFTs stolen over a relatively short time period. This is extremely unfortunate, but suggests a targeted attack as opposed to a systemic issue.
3) This information, coupled with our discussions with impacted users and investigation by security experts, suggests a phishing operation that was executed ahead of the deprecation of the 2.2 contract, since that deprecation would have invalidated the collected malicious orders.
4) Prior to the current phishing scam, part of why we elected to implement EIP-712 on the new contract is that EIP-712’s typed data feature makes it much more difficult for bad actors to trick someone into signing an order without realizing it.
5) For example, if you are signing a message to join a whitelist, a raffle, or a token-gated Discord group and you're presented with a typed data payload referencing Wyvern (the protocol used by OpenSea), it's much more likely to alert you that something unusual is going on.
6) Education on not sharing seed phrases or submitting unknown transactions has become more widespread in our space. However, signing off-chain messages requires equal consideration.
7) We as a community must move to standardizing off-chain signatures using EIP-712 typed data or other agreed-upon standards like EIP-4361 (the "Sign in with Ethereum" method).
8) On this point, you'll notice that all new orders signed on OpenSea (including migrated orders) use the new EIP-712 format — a change of any kind is understandably scary, but this change actually makes signing much safer as you can better see what you're signing.
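To make points 4 through 8 concrete, here is an added example (not from the thread, and not OpenSea's or Wyvern's own code) of how an EIP-712 digest is built and why a wallet can render it while a legacy personal_sign request stays opaque. The domain name "Example Exchange", the contract addresses, and the `Order` struct with its `maker`/`tokenId`/`price` fields are all constructed for illustration and do not reflect the real Wyvern order layout. Keccak-256 is implemented inline so the example runs with the standard library only.

```python
# Added example: EIP-712 typed-data hashing vs. an opaque personal_sign digest.
# The domain and Order struct below are constructed, not Wyvern's real schema.
MASK = (1 << 64) - 1
RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
      0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
      0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
      0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
      0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
      0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]


def _rol(v, n):
    return ((v << n) | (v >> (64 - n))) & MASK if n else v


def _keccak_f(a):
    # Keccak-f[1600] permutation; lanes indexed a[x + 5*y].
    for rc in RC:
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [a[i] ^ d[i % 5] for i in range(25)]
        b = [0] * 25
        for x in range(5):
            for y in range(5):
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(a[x + 5 * y], ROT[x][y])
        a = [b[i] ^ (~b[(i % 5 + 1) % 5 + 5 * (i // 5)] & b[(i % 5 + 2) % 5 + 5 * (i // 5)])
             for i in range(25)]
        a[0] ^= rc
    return a


def keccak256(data: bytes) -> bytes:
    """Keccak-256 with the original 0x01 padding used by Ethereum (not NIST SHA3-256)."""
    rate = 136
    buf = bytearray(data) + b"\x01"
    buf += b"\x00" * (-len(buf) % rate)
    buf[-1] |= 0x80
    st = [0] * 25
    for off in range(0, len(buf), rate):
        for i in range(rate // 8):
            st[i] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        st = _keccak_f(st)
    return b"".join(lane.to_bytes(8, "little") for lane in st[:4])


# --- EIP-712 encoding for flat structs (atomic field types only) ---
DOMAIN_FIELDS = [("name", "string"), ("version", "string"),
                 ("chainId", "uint256"), ("verifyingContract", "address")]


def encode_type(name, fields):
    return f"{name}({','.join(f'{t} {n}' for n, t in fields)})".encode()


def encode_value(typ, val):
    if typ in ("string", "bytes"):          # dynamic types are hashed first
        return keccak256(val.encode() if isinstance(val, str) else val)
    if typ == "address":
        return bytes.fromhex(val[2:]).rjust(32, b"\x00")
    if typ.startswith("uint"):
        return int(val).to_bytes(32, "big")
    if typ == "bytes32":
        return bytes(val)
    raise ValueError(f"unsupported type {typ}")


def hash_struct(name, fields, values):
    enc = keccak256(encode_type(name, fields))   # typeHash
    for n, t in fields:
        enc += encode_value(t, values[n])
    return keccak256(enc)


def typed_data_digest(domain, primary_type, fields, message):
    """Digest a wallet signs for EIP-712: 0x1901 || domainSeparator || hashStruct(message)."""
    return keccak256(b"\x19\x01" + hash_struct("EIP712Domain", DOMAIN_FIELDS, domain)
                     + hash_struct(primary_type, fields, message))


def personal_sign_digest(message: bytes) -> bytes:
    """Legacy personal_sign: the wallet can only show the raw bytes it is about to hash."""
    return keccak256(b"\x19Ethereum Signed Message:\n" + str(len(message)).encode() + message)


def describe_request(req):
    """Lines a wallet can render. Typed data exposes domain, type and fields; a raw message does not."""
    if req["kind"] == "eip712":
        d = req["domain"]
        lines = [f"Domain: {d['name']} v{d['version']} on chain {d['chainId']} at {d['verifyingContract']}",
                 f"Type: {req['primaryType']}"]
        return lines + [f"  {n}: {req['message'][n]}" for n, _ in req["fields"]]
    return [f"Opaque message: 0x{req['message'].hex()} (no structure to display)"]


# Constructed sample data (hypothetical exchange, hypothetical order layout).
SAMPLE_DOMAIN = {"name": "Example Exchange", "version": "1", "chainId": 1,
                 "verifyingContract": "0x" + "ab" * 20}
ORDER_FIELDS = [("maker", "address"), ("tokenId", "uint256"), ("price", "uint256")]
SAMPLE_ORDER = {"maker": "0x" + "11" * 20, "tokenId": 42, "price": 0}

if __name__ == "__main__":
    digest = typed_data_digest(SAMPLE_DOMAIN, "Order", ORDER_FIELDS, SAMPLE_ORDER)
    print("\n".join(describe_request({"kind": "eip712", "domain": SAMPLE_DOMAIN,
                                      "primaryType": "Order", "fields": ORDER_FIELDS,
                                      "message": SAMPLE_ORDER})))
    # The same order bytes pushed through personal_sign show the user only a hash.
    print("\n".join(describe_request({"kind": "raw", "message": digest})))
```

Two properties matter for the thread's argument. First, the domain separator binds the signature to a specific contract and chain, so a digest produced for one `verifyingContract` is useless against another; a wallet that checks the domain against the dapp it is talking to can refuse mismatched requests. Second, the typed payload carries the type name and field names, which is what lets a wallet show "Order" and "price: 0" instead of a hex blob; with `personal_sign` over a pre-hashed order there is nothing to display, which is exactly the gap a "sign to join the raffle" prompt exploits.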
9) Big shoutout to @nesotual, @dguido, @quantstamp, and many others for providing detailed information on the nature of the attack to the community.
10) Additionally, even though it appears the attack was made from outside OpenSea, we are actively helping affected users and discussing ways to provide them additional assistance.