Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
Browser security plug-in Pocket Universe tweeted that a new vulnerability was discovered in Opensea’s old contracts that could be used to steal users’ NFTs, potentially emptying wallets once the transaction was signed. It can steal any NFT users listed on Opensea before May 2022 (i.e. before Seaport upgrades), mainly involving the Wyvern protocol, which grants proxy contracts the right to withdraw user NFTs, and this new exploit will Trick the user into signing a transaction, giving the attacker ownership of the user's proxy contract. Cosine, the founder of SlowMist, tweeted that it is necessary to be vigilant about the new use of this old problem, which is related to the old OpenSea protocol, but many users of the old protocol have not cancelled the relevant authorization, and this use is invalid for the new OpenSea protocol (Seaport). Attack method (per SlowMist): Contract Vulnerability. Reported loss: -.
- chain
- —
- protocol
- Opensea
- bug_class
- logic
- date_occurred
- 2022-10-28
- loss_usd
- —
- source_id
- sm:opensea::2022-10-28