Major nonfungible token (NFT) marketplace OpenSea announced a service upgrade on Saturday that asked users to migrate their listed assets from the Ethereum (ETH) blockchain to a newly created smart contract.
However, in the hours that followed, 32 users of the platform became victims of a targeted email phishing attack which resulted in an anonymous entity stealing $1.7 million worth of ETH.
OpenSea CEO Devin Finzer published a tweet thread explaining that the breach was orchestrated via fake emails that assured users they came from OpenSea and convinced them to sign a digital message with their wallet, thereby unknowingly granting the hacker a transferable license to the asset.
CTO Nadav Hollander also published an account on Twitter, stating that “none of the malicious orders were executed against the new (Wyvern 2.3) contract, indicating that they were signed before the migration and are unlikely to be related to OpenSea’s migration flow.”
Following on from this, Hollander called for greater security education in the Web3 space, specifically around the signing of off-chain messages.
Here’s a technical deep dive on recent events, from our CTO: https://t.co/2x2CBBCNtY
— Devin Finzer (dfinzer.eth) (@dfinzer) February 20, 2022
Three of the lost NFTs belonged to the popular NFT collection Azuki. The project, which had 10,000 avatars, is centered around cultivating an inclusive metaverse community made up of Web3 artists and advocates.
The project draws its inspiration from the azuki bean, also called the adzuki bean, an East Asian culinary staple and a sign of good omen in Japanese culture. References to taking the red bean and the upcoming BEAN token establish this intention. Azuki currently has a floor price of 11.79 ETH, equivalent to $32,155.
In a philanthropic turn of events, NFT marketplace Mintable purchased three of the Azukis on LooksRare, a rapidly emerging OpenSea competitor, for 0.2 ETH below the floor price, and now intends to reunite them with their original owners.
Mintable founder and CEO, Zach Burks, openly criticized OpenSea’s lack of response to the exploit, stating: “Sadly it looks like even though they have over a billion in cash on hand, they can’t afford a 1.7m refund to their users.”
Burks revealed that Mintable is working alongside the Azuki team, and the product manager Demna, to find a proper solution for the holders, with the NFTs expected to be returned to their rightful owners within the coming days.
This weekend when buying azukis for our fire sale (selling below floor for free profit to users) we discovered some of the stolen @AzukiZen from the opensea hackb…
We decided to buy them and give them back to who they were stolen from. Here’s what happened
— Zach Burks (@ZachSpaded) February 23, 2022