(Wenceslaus Hollar, courtesy of the Met Museum)
In the wake of a series of viral tweets from panicked NFT traders, leading marketplace OpenSea says it’s investigating “rumors of an exploit” connected to "Opensea related" smart contracts – a vulnerability that may have cost traders valuable tokens.
“We are actively investigating rumors of an exploit associated with OpenSea related smart contracts,” reads a statement Opensea posted to Twitter Saturday night in U.S. hours. “This appears to be a phishing attack originating outside of OpenSea's website. Do not click links outside of opensea.io.”
OpenSea had planned to revise its smart contract (the code governing its trading platform, essentially) by releasing a brand-new contract on Friday. The idea was that the upgraded contract would ensure old, inactive listings on the platform would eventually expire.
On Twitter, traders shared what they’d initially thought were official OpenSea emails about the migration process from contract A to contract B.
PeckShield, a blockchain security company that audits smart contracts, stated that the rumored exploit was “most likely phishing” – a malicious contract hidden in a disguised link. The company cited that same mass email about the migration process as one of the possible sources of the link.
The attacker’s address (which the blockchain explorer website Etherscan has already slapped with a “phish/hack” warning badge) holds about $1.7 million worth of ETH, as well as three tokens from the Bored Ape Yacht Club, two Cool Cats, one Doodle and one Azuki.
