VERDICT —OUT OF SCOPE
Root cause is phishing — victims signed malicious transactions or approvals off-protocol. Contract logic was not the failure surface; user-side wallet hygiene was. Pre-deployment audit cannot catch this class.
▰ METHOD
PHISHING
PHISHING
Root cause
Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
Forensic narrative
According to OpenSea's official tweet, hackers sent phishing emails to all users' mailboxes at the same time as the OpenSea contract was upgraded. Many users mistakenly thought it was an official email and authorized the wallet, which resulted in the wallet being stolen. OpenSea co-founder and CEO Devin Finzer confirmed the phishing attack in a tweet. Attack method (per SlowMist): Phishing Attack. Reported loss: $ 3,400,000.
Primary source
https://twitter.com/dfinzer/status/1495302784689704966 ↗Sourced from
slowmist
Technical record
- chain
- —
- protocol
- OpenSea
- bug_class
- phishing
- date_occurred
- 2022-02-20
- loss_usd
- $3,400,000
- source_id
- sm:opensea::2022-02-20
Related — same bug class· phishing