New exploit that allows to steal NFT from Opensea

in LeoFinance2 years ago

A new vulnerability has just been discovered that affects NFTs that were listed before May 2022, cybercriminals are exploiting a gap in an old OpenSea contract more specifically when the NFT platform used the Wyvern protocol.

hacksdenftenopenseaperjudicanapropietariosdegrandescolecciones.jpg

Image source https://mercadocrypto.com/news/hacks-de-nft-en-opensea-perjudican-a-propietarios-de-grande
Now, in May OpenSea updated its protocol to the Seaport version, but not all NFTs changed to the new protocol. In such a way that some protocols remained in the previous protocol, which makes them vulnerable to this new exploit.

Pocket Universe a phishing scam detection program says on twitter

When you listed in Opensea's previous version, you would give a proxy contract the right to withdraw your NFTs
This is the usual setApprovalForAll permission
So this proxy contract has permission to withdraw NFTs that you listed from before May 2022!

FgHb0GeVIAATAvm.jfif
Image source: Tweet Pocket Universe https://twitter.com/PocketUniverseZ/status/1585793475101933568?s=20&t=qo-GbFFoOQec4O6gu9YjSw

Following the thread of the tweet, Pocket Universe mentions:

This new exploit tricks you into signing a transaction that gives the attacker ownership of your proxy contract
which gives them permission to withdraw your NFTs!
🙋→👺
FgHb3x9VUAAwItD.jfif

Image source: Tweet Pocket Universe https://twitter.com/PocketUniverseZ/status/1585793481229754368?s=20&t=qo-GbFFoOQec4O6gu9YjSw

How to avoid this vulnerability?

Pocket Universe mentions a series of 3 steps to follow

Firstly, check your transaction and carefully read what it's doing
Anything suspicious like "upgrade to" is a red flag

Secondly, you can go to RevokeCashand revoke permissions to "Opensea (old)"
This will cost you some gas for each collection revoked, but it means that the proxy contract no longer has permission to withdraw those assets

FgHeScKUoAAOICG.jfif
Image source: Tweet Pocket Universe https://twitter.com/PocketUniverseZ/status/1585793496924839936?s=20&t=qo-GbFFoOQec4O6gu9YjSw

Finally Pocket Universe mentions that they can use their browser extension which detects this exploit, showing a pop-up window and a red warning

Images from the Pocket Universe twitter account

Posted Using LeoFinance Beta