Major nonfungible token (NFT) marketplace OpenSea announced a service upgrade on Saturday requesting that users migrate their listed assets from the Ethereum (ETH) blockchain to a newly created smart contract.
However, in the hours that followed, 32 users of the platform became victims of a targeted email phishing attack that resulted in an anonymous entity stealing $1.7 million worth of Ether.
OpenSea CEO Devin Finzer published a tweet thread explaining that the breach was orchestrated via fake email scams assuring users of its OpenSea identity and convincing them to sign a digital message with their wallet, therefore granting a transferable license to the asset for the hacker.
OpenSea chief technical officer Nadav Hollander also published a tweet account stating that “none of the malicious orders were executed against the new (Wyvern 2.3) contract, indicating that they were signed before the migration and are unlikely to be related to OpenSea’s migration flow."
Following on from this, Hollander called for greater security education in the Web3 space, specifically around the signing of off-chain messages.
Here's a technical deep dive on recent events, from our CTO: https://t.co/2x2CBBCNtY— Devin Finzer (dfinzer.eth) (@dfinzer) February 20, 2022
Three of the lost NFTs belonged to the popular NFT collection Azuki. The project, which has 10,000 avatars, is centered around cultivating an inclusive Metaverse community made up of Web3 artists and advocates.
As can be assumed by its references to the red bean and upcoming BEAN token, the project is inspired by the Azuki bean — an East-Asian culinary staple associated with good tidings in Japanese culture. Azuki currently has a floor price of 11.79 Ether, equivalent to $32,155.
In a philanthropic turn of events, NFT marketplace Mintable purchased three of the Azuki on rapidly emerging OpenSea competitor LooksRare for 0.2 ETH below their floor price, and now intends to reunite them with their original owners.
Mintable founder and CEO Zach Burks openly criticized OpenSea’s lack of response to the exploit, stating: “Sadly, it looks like even though they have over a billion in cash on hand, they can't afford a 1.7 million refund to their users.”
Burks revealed that Mintable is working alongside the Azuki team as well as product manager Demna to find a proper solution for the holders, with the NFTs expected to be returned to their rightful owners within the coming days.
The team stated to Cointelegraph that they have "found one person who is verifying their wallet with us so we can send back the NFTs."
In conversation with Mintable founder and CEO, Zach Burks, he revealed whether returning the NFT’s to their rightful owners was born out of good intention to promote fairness and honesty in the Web3 space, or merely a self-branding opportunity.
Burks stated “I think it's something that has to be done.... OpenSea made over a billion dollars this year and they can't spend a bit of money to help their users?”, before continuing on to say that:
“Someone has to do it, someone has to say - we are the platform to protect our users and do everything we can to ensure success for everyone. There is no ill-intent here, I saw the Azuki's, found they were stolen and bought them to return them. I'm shocked OpenSea hasn't done this already."
This weekend when buying azukis for our fire sale (selling below floor for free profit to users) we discovered some of the stolen @AzukiZen from the opensea hackb...— Zach Burks (@ZachSpaded) February 23, 2022
We decided to buy them and give them back to who they were stolen from. Here's what happened
Following on from this, Burks also commented on the importance of marketplaces such as OpenSea and Mintable to uphold a level of self-accountability for the security-related activities on your platforms, especially in an industry lacking any kind of regulatory framework.
He argued that “Mintable, OpenSea, Rarible, LooksRare, are all responsible for ensuring that users are protected" and noted that "if the platform that is making money from the users cannot protect the users, then they simply won't have any users after a while."
"Not only should the platform be responsible for education, it should also be responsible for actions users take outside their platform - especially if it's due to an event they control, aka a big migration. Every major company protects its consumers, it should be no different in Web3."