OpenSea Phishing Attack Revelation: Beware of Three Security Lessons

Time: 2022-03-02 Source: 1081 views NFT


On February 19, attackers used a seemingly "unskilled" email phishing attack to steal 254 NFTs, including valuable Decentraland and Bored Ape Yacht Club items, from the collections of OpenSea users. Each victim received a fake email asking them to approve a smart contract; once the user had approved it, the attacker withdrew the NFTs from the phished user's wallet.


Phishing emails sent to users

Phishing is by far the most common way people lose money in both Web2 and Web3, but in Web3 the problem is more serious because smart contracts add further points of risk.

There are three main security lessons to learn from the OpenSea phishing attack in order to stay vigilant against future attacks.

1. Stealing cryptocurrency via smart contracts is (very) easy

The classic Approval contract used by most DeFi protocols

"Approval" is a function of almost all smart-contract-based tokens. When a user "approves" another wallet, they allow that wallet to later transfer tokens out of the user's own wallet. For example, if I "approve" the wallet "0x123" for my USDC and my Bored Ape NFT, then "0x123" can transfer those tokens out.

Most DeFi protocols, including OpenSea, use "Approval" as the primary mechanism for letting the protocol move a user's assets.

"Ice phishing" is a term coined by Microsoft to refer to an act of tricking a user into approving a hacker's address. With the click of a button in the MetaMask window, the user can grant the hacker full access to the funds, which is exactly what happened during this OpenSea phishing.
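The approval mechanism described above, shown as an added example that is not code from the article: a small Python checker that decodes the ABI calldata of an ERC-20 `approve` or ERC-721 `setApprovalForAll` transaction before it is signed and reports whether it would hand an operator the kind of blanket transfer rights an ice-phishing page asks for. The trusted-operator address is a constructed placeholder, and the second argument of `approve` is treated as an ERC-20 amount.

```python
# Added example, not code from the article. Decodes the ABI calldata of the two
# approval calls the article describes and reports what signing it would grant.
# Selectors are the first 4 bytes of keccak256(signature) for the standard functions.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",         # ERC-20 amount or ERC-721 tokenId
    "a22cb465": "setApprovalForAll(address,bool)",  # ERC-721/1155 operator for ALL tokens
}
UINT256_MAX = 2**256 - 1

# Constructed placeholder: operators this wallet has deliberately trusted.
# A real list would hold the marketplace's published contract addresses.
TRUSTED_OPERATORS = {"0x" + "11" * 20}


def _word(data: bytes, i: int) -> bytes:
    """Return the i-th 32-byte ABI word following the 4-byte selector."""
    start = 4 + 32 * i
    if len(data) < start + 32:
        raise ValueError("calldata too short for argument %d" % i)
    return data[start:start + 32]


def assess_approval(calldata_hex: str, trusted=TRUSTED_OPERATORS) -> dict:
    """Classify one transaction: which approval it is, to whom, and why it is risky."""
    raw = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(raw)
    if len(data) < 4:
        return {"kind": "not-a-call", "operator": None, "risk": "none", "reasons": []}
    sig = SELECTORS.get(data[:4].hex())
    if sig is None:
        return {"kind": "other", "operator": None, "risk": "unknown",
                "reasons": ["not a standard approval call; inspect before signing"]}
    # ABI left-pads the 20-byte address to a 32-byte word
    operator = "0x" + _word(data, 0)[12:].hex()
    value = int.from_bytes(_word(data, 1), "big")
    # approve(addr, 0) and setApprovalForAll(addr, false) are revocations, not grants
    # (assumption: ERC-20 semantics; an ERC-721 approve with tokenId 0 would look like a revoke)
    granted = value != 0
    untrusted = operator.lower() not in {a.lower() for a in trusted}
    reasons = []
    if granted and sig.startswith("setApprovalForAll"):
        reasons.append("operator may transfer EVERY token of this collection, now and later")
    if granted and sig.startswith("approve") and value == UINT256_MAX:
        reasons.append("unlimited allowance: the full balance can be drained at any time")
    if granted and untrusted:
        reasons.append("operator %s is not on the trusted list" % operator)
    risk = "none" if not granted else ("high" if untrusted else "low")
    return {"kind": sig, "operator": operator, "risk": risk, "reasons": reasons}
```

A wallet or browser extension would run this on the pending transaction and show the reasons next to the confirm button; a revocation (value 0 or `false`) is reported as no risk.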
