Major non-fungible token (NFT) marketplace OpenSea has experienced an attack on Sunday, with 17 users of the platform having their NFTs stolen, though the source of the attack is still unknown, the marketplace said on Twitter on 21 February.
The NFT platform began investigating the issue in the early hours on Sunday, when it received reports of an exploit “associated with OpenSea related smart contracts”. The CEO of OpenSea, Devin Finzer, took to Twitter shortly after the initial report, noting that the incident was a form of a phishing attack, and that 32 users had been affected. Today the platform clarified that 32 users “interacted” with the attacker, and only 17 had their NFTs stolen. The platform tweeted:
The NFT marketplace further noted that the attacker no longer appears to be active, as there has been no activity on the malicious contract for over 15 hours. While the exact source of the attack is yet to be determined, OpenSea has claimed the attack originated “outside of OpenSea’s website”, and that all the transactions contained a “valid signatures from affected users”.
Some users have also speculated that the attack could be connected to OpenSea’s smart contract upgrade that started on Friday, and requires all users to move their listings on Ethereum to the new OpenSea smart contract. The CTO of the company, Nadav Hollander, explained that this scenario was highly unlikely, as the malicious orders were executed against the new contract, indicating they “were signed before the migration”.