Major nonfungible token (NFT) marketplace OpenSea announced a service upgrade on Saturday requesting that users migrate their listed assets from the Ethereum (ETH) blockchain to a newly created smart contract.
However, in the hours that followed, 32 users of the platform became victims of a targeted email phishing attack that resulted in an anonymous entity stealing $1.7 million worth of Ether.
OpenSea CEO Devin Finzer published a tweet thread explaining that the breach was orchestrated via fake emails that posed as OpenSea and convinced users to sign a digital message with their wallet, thereby granting the hacker a transferable license to the asset.
OpenSea chief technical officer Nadav Hollander also published an account on Twitter stating that “none of the malicious orders were executed against the new (Wyvern 2.3) contract, indicating that they were signed before the migration and are unlikely to be related to OpenSea’s migration flow.”
Following on from this, Hollander called for greater security education in the Web3 space, specifically around the signing of off-chain messages.
Here’s a technical deep dive on recent events, from our CTO: https://t.co/2x2CBBCNtY
— Devin Finzer (dfinzer.eth) (@dfinzer) February 20, 2022
Three of the lost NFTs belonged to the popular NFT collection Azuki. The project, which has 10,000 avatars, is centered around cultivating an inclusive Metaverse community made up of Web3 artists and advocates.
As can be assumed by its references to the red bean and upcoming BEAN token, the project is inspired by the Azuki bean — an East-Asian culinary staple associated with good tidings in Japanese culture. Azuki currently has a floor price of 11.79 Ether, equivalent to $32,155.
In a philanthropic turn of events, NFT marketplace Mintable purchased three of the Azuki on rapidly emerging OpenSea competitor LooksRare for 0.2 ETH below their floor price, and now intends to reunite them with their original owners.
Mintable founder and CEO Zach Burks openly criticized OpenSea’s lack of response to the exploit, stating: “Sadly, it looks like even though they have over a billion in cash on hand, they can’t afford a 1.7 million refund to their users.”
Burks revealed that Mintable is working alongside the Azuki team as well as product manager Demna to find a proper solution for the holders, with the NFTs expected to be returned to their rightful owners within the coming days.
This weekend when buying azukis for our fire sale (selling below floor for free profit to users) we discovered some of the stolen @AzukiZen from the opensea hackb…
We decided to buy them and give them back to who they were stolen from. Here’s what happened
1/ https://t.co/cNhIvCMhso
— Zach Burks (@ZachSpaded) February 23, 2022