Fairyproof’s Insights into the Exploitation on Opensea
Last week I wrote an article titled “Fairyproof’s Opinions on the New Trend on Web3 Applications” in which I said that “audit on front-end will be a must-have step in a web3 project’s audit”.
Right after the article was posted, another exploitation on Opensea happened on December 9th. An Opensea user claimed that he/she lost a BAYC and a Doodles in this exploitation. Both BAYC and Doodles are famous NFT projects.
Specifically, a BAYC with tokenID 8167 and a Doodles with tokenID 2779 were taken from his/her wallet by deception and sent to address 0x3Baec890358F50f0d173101829b63C3033D790Be. The funds used to pay gas for this exploitation were obtained from fixedfloat.com.
It is very likely that the attacker exploited a vulnerability in Opensea’s front-end and tricked the user into approving transactions that sold his/her items at extremely low prices.
So, this again was a front-end issue. But this was not the first time that a vulnerability was discovered in Opensea’s front-end.
In mid-November of this year, some users suddenly found that their NFT items from the “CryptoPhunks” collection had unexpectedly been sold on Opensea.
CryptoPhunks was an NFT project listed on Opensea in June of this year, but it soon triggered a heated copyright dispute because of its controversial “differences” from the famous NFT project CryptoPunks. As the dispute escalated, Larva Labs, the team behind CryptoPunks, sent Opensea a DMCA notice, and Opensea removed all CryptoPhunks listings from its front page.
Although Opensea removed the CryptoPhunks from its front page, some of them were found still being sold later in November. Why did this happen? Because of a vulnerability in Opensea’s front-end.
With this vulnerability, the CryptoPhunks were hidden from Opensea’s front page, but they were still marked as “on sale” in Opensea’s application system. Therefore, anyone could bypass the front page, interact with the application system directly and buy these CryptoPhunks.
This was another front-end vulnerability discovered and reported earlier this year.
Neither of the two exploitations had anything to do with smart contracts or the underlying blockchain (Ethereum) platform; both were purely web2 application vulnerabilities.
In general, a so-called DAPP consists of three parts: a web2 application, smart contracts, and an interface between the web2 application and the smart contracts. When users interact with a DAPP, most of them actually interact with the DAPP’s web2 application directly. The web2 application then passes their actions to the DAPP’s smart contracts via the DAPP’s interface. The smart contracts’ response is passed back to the web2 application via the same interface and is presented on the web2 application’s user interface.
The aforementioned two vulnerabilities discovered in Opensea are in its web2 application. Vulnerabilities of this kind are generally called “front-end” vulnerabilities.
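The CryptoPhunks case above is a textbook instance of enforcing a rule only in the user interface while the application system that actually forwards orders to the smart contracts keeps the old state. The following is an added illustration written for this article, not Opensea’s code; the listings, the `hideFromFrontPage`/`delist`/`buy` functions and the buyer address are all constructed for the example.

```javascript
// Added illustration (not Opensea's code): a minimal model of a DAPP's web2
// application layer, showing why removing an item from the front page alone
// does not stop purchases. All listings below are constructed sample data.

// Application-system state: listing id -> { price, onSale, hidden }
const listings = new Map([
  ["CryptoPhunks:1", { price: 1.0, onSale: true, hidden: false }],
  ["OtherNFT:7", { price: 2.5, onSale: true, hidden: false }],
]);

// The front page only renders listings that are on sale and not hidden.
function frontPageListings() {
  return [...listings]
    .filter(([, l]) => l.onSale && !l.hidden)
    .map(([id]) => id);
}

// UI-only takedown: the item disappears from the front page, but the
// application system still records it as on sale. This models the
// CryptoPhunks situation described in the article.
function hideFromFrontPage(id) {
  const l = listings.get(id);
  if (l) l.hidden = true;
}

// Proper takedown: the listing is cancelled in the application system,
// the layer that actually forwards orders to the smart contracts.
function delist(id) {
  const l = listings.get(id);
  if (l) { l.onSale = false; l.hidden = true; }
}

// Buy handler reachable by direct API calls, bypassing the front page.
// It sees only the application-system state, never the rendered page.
function buy(id, buyer) {
  const l = listings.get(id);
  if (!l || !l.onSale) return { ok: false, reason: "not for sale" };
  return { ok: true, id, buyer, price: l.price };
}

// Demonstration: hide-only leaves the item purchasable; delist does not.
hideFromFrontPage("CryptoPhunks:1");
const afterHide = buy("CryptoPhunks:1", "0xBUYER"); // ok: true
delist("CryptoPhunks:1");
const afterDelist = buy("CryptoPhunks:1", "0xBUYER"); // ok: false
```

The lesson for an audit is that every rule the front page appears to enforce (delisting, price limits, ownership) must also be checked in the application system and, where possible, on-chain.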
Most DAPPs have front-ends, but these front-ends are not considered as important as the smart contracts when it comes to auditing. Opensea is not the first such case and will not be the last.
Having the front-end audited is a must-have step to improve a DAPP’s overall security.
About the author:
Yuefei TAN, CEO of Fairyproof
About Fairyproof:
Fairyproof Tech is a blockchain security company, established in Jan 2021.
It was founded by a team with rich experience in smart contract programming and network security. The team members participated in initiating a number of draft standards in the Ethereum field, including ERC-1646, ERC-2569, ERC-2794, and EIP-3712, of which ERC-2569 was officially accepted by the Ethereum team.
The team participated in the launch and development of various Ethereum projects, including blockchain platforms, DAO organizations, on-chain data storage and decentralized exchanges, and conducted security audits of multiple projects deployed on Ethereum. Based on its strong R&D capability and deep understanding of smart contract security, Fairyproof has developed comprehensive vulnerability tracking and security systems and tools.
Fairyproof Tech serves and works closely with customers by providing systematic solutions covering both “code vulnerabilities” and “logic vulnerabilities” and aims to provide customers with the best and most professional services.