In the wake of a series of viral tweets from panicked NFT traders, leading marketplace OpenSea says it’s investigating “rumors of an exploit” connected to “OpenSea related” smart contracts – a vulnerability that may have cost traders valuable tokens.
“We are actively investigating rumors of an exploit associated with OpenSea related smart contracts,” reads a statement OpenSea posted to Twitter Saturday night in U.S. hours. “This appears to be a phishing attack originating outside of OpenSea's website. Do not click links outside of opensea.io.”
OpenSea had planned to revise its smart contract (the code governing its trading platform, essentially) by releasing a brand-new contract on Friday. The idea was that the upgraded contract would ensure old, inactive listings on the platform would eventually expire.
On Twitter, traders shared what they’d initially thought were official OpenSea emails about the migration process from contract A to contract B.
PeckShield, a blockchain security company that audits smart contracts, stated that the rumored exploit was “most likely phishing” – a malicious contract hidden in a disguised link. The company cited that same mass email about the migration process as one of the possible sources of the link.
The attacker’s address (which the blockchain explorer website Etherscan has already slapped with a “phish/hack” warning badge) holds about $1.7 million worth of ETH, as well as three tokens from the Bored Ape Yacht Club, two Cool Cats, one Doodle and one Azuki.