- The “gasless sales” function of OpenSea served as a crucial weapon for NFT hackers.
- Victims are required to sign a harmless contract, similar to a login signature.
The largest NFT marketplace OpenSea users underwent risk due to a new hack involving a feature on the OpenSea through phishing websites. As nonfungible tokens (NFTs) increased in popularity, scammers who frequently attempt to take advantage of users within the NFT market have increased in activity.
OpenSea has a feature called “gasless sales,” which let users sell NFTs through contracts by signing unreadable messages. On December 23, Harpie, the first on-chain firewall to prevent hacks. Alerted NFT users through a tweet about the new attack involving gasless sales.
How the Phishing Website Attracted Users?
Users must approve a signature request with an unreadable message to make gasless sales on the OpenSea platform. Also, users can allow private auctions with unreadable signatures using this feature. However, to enter a phishing website, victims are required to sign a harmless contract that is similar to a “login signature.”
According to the announcement, this login signature is an offer to sell users’ NFT privately for 0 ETH to the hacker’s address. Once the NFT users signed it, the NFTs would be transferred to the hacker’s wallet address.
Harpie stated that the signatures are frequently presented as a step necessary to log in and access the website. Harpie claims that by taking advantage of OpenSea’s feature hackers were able to steal millions of digital assets. Later the expert found the difference between scammers’ requests and users.
However, Harpie also pointed out how a fraudster allegedly stole 14 Bored Ape NFTs using the gas-less signature feature on December 17. The hacker carried out extensive social engineering to lead the victim to a fake NFT website. And have the holder contract sign. After that, the victim’s wallet was stolen in multi-billions.
Source: https://thenewscrypto.com/opensea-private-auction-alarmed-by-nft-scammers/