OpenSea Phishing Postmortem

OpenSea

OpenSea, the world's largest and most used NFT exchange suffered a major attack on 2/19/2022 which cost users over 640 ETH worth of NFTs. Additionally, Etherscan may have suffered a coordinated DDoS attack in wake of this exploit in an attempt to block users from revoking access to their NFTs.

In this write-up, I'll take a look at the smart contract (Decompiled) used in this attack, and break down the inner workings of what it's doing at each step. I aim to figure out how this attack happened, as well as how it can be prevented in the future.

Technical Breakdown

The transaction I am going to break down can be found on Etherscan. In order to get a better look at what's happening behind the scenes, I'll also use ethtx.info.

The transaction begins with the attacker interacting with his contract with some calldata, which appears to be a signature for a token sale. At this time, I believe that this signature was somehow phished and stored from the victims in this attack.
This fallback function builds a staticcall to WyvernExchange.atomicMatch_ , which essentially begins the transfer process from the victim, janclarin.eth, to the attacker, all for a cost of 0 ETH.

Since the attacker's contract is calling this function, providing the calldata for both calldataBuy, calldataSell, which came directly from msg.data, we can conclude that this was indeed a targeted phishing attack.

The events emitted by this transaction tell the same story: The attacker was able to call WyvernExchange.atomicMatch_ on behalf of the victims, transferring NFTs to himself for a grand total of 0 ETH.
After further investigation, it appears the calldata also included the address of WyvernExchange, so this malicious contract could be used on forks or future updates of WyvernExchange.

Future Prevention

Phishing attacks will be around forever as long as there are people who fall for it. In order to stop these attacks, people need to know more about how these attacks work, how to spot them, and how to report them.

Protecting Users Against Phishing

One approach to preventing phishing on your platform is an anti-phishing code. This code is set by the user, and can be used to verify that all emails are completely real and from your website. If an email doesn't contain that code, it's not a safe email. Nobody but you should know your anti-phishing code, which would be hashed and salted and stored in a database.

Spotting Phishing Scams

In order to spot phishing scams and keep yourself safe, heres a few tips you should follow when reading emails:

Always check that the sender comes from the real domain.
- If an address contains typos, or a domain that's not associated with the real entity, its fake.
  
  For example: security@opensea.ml , security@opensea.co aren't associated with the real domain, opensea.io.
Check if the email was sent securely.
- Nowadays, this is less important since most spoofed emails are automatically sent to spam. However, it's always good practice to check to see if an email was sent securely, because anyone with an IMAP server can spoof an email address.
  
  In order to check if an email was spoofed, just make sure it has a valid certificate attached.
Don't click links without checking them first.
- In all modern browsers, hovering over a link will give you the ability to check where you're being taken. If this domain isn't familiar to you, don't click the link. If something is urgent, go log-in to your account and check there.

Reporting Phishing Scams

You can use the following links to report phishing scams:

Resources & Citations

OpenSea article image https://www.ultcube88.com/
Solidity Decompiler https://ethervm.io/decompile/
Detailed transaction viewer [https://ethtx.info/mainnet/, https://etherscan.io]