Tweet

isotile 🦇🔊

Feb 20 • 8 tweets • 3 min read

💾 TECHNICAL THREAD OF NFTs HACK 💾

First of all we need to understand the difference between CALL and DELEGATECALL EVM Opcodes

In a simple way; when you call a contract with delegatecall, it is as if you embed the called function inside the contract itself

🧵 1/8

Opensea uses Wyvern Protocol, which is the most optimal fees-wise peer-to-peer exchange protocol

But it has also a disadvantage: when you sign a malicious message, the counter-part can execute that signed message for you

🧵 2/8

In order to be able to execute arbitrary code in which two peers agree, the following possibilities must exist within the protocol:

CALL and DELEGATECALL

🧵 3/8

⚠️ Hackers only needed ONE signature from you to steal all your approved NFTs

This signature:
#⃣ "My approved Opensea Proxy contract is going to make a DELEGATECALL to the hacker contract function transferNFTs" in unreadable form

🧵 4/8

The hackers can execute that transaction whenever they want

And they have generalized the code so that they can calmly choose which NFTs they want to steal from you

🧵 5/8

After 28 days of storing signatures, the hackers decided to execute the hack

Their code travels into this diagram till they successfully stole your NFTs

🧵 6/8

@MetaMask

✅ Proposed solution:
A new signing message standard in which wallets inject the domain at the end of the signature

And older signatures that are not using the new standard appear in red ❌

@MetaMask @myetherwallet @TrustWallet @CoinbaseWallet

🧵 7/8

@opensea

📢 This thread is what we think has happened

Investigation is still ongoing and we should wait to official sources from @opensea

🧵 8/8

• • •

Missing some Tweet in this thread? You can try to force a refresh

This Thread may be Removed Anytime!

Twitter may remove this content at anytime! Save it as PDF for later use!

More from @isotile

isotile 🦇🔊

@isotile

Feb 20

🏴‍☠️ OPENSEA NFT HACK EXPLAINED THREAD 🏴‍☠️

28 days ago the hacker uploads a new smart contract, he already knows well that his goal is to get as many signatures as possible

🧵 1/4

He starts sending emails with phising websites. They tell you to sign a message to login/migrate to the new Opensea smart contract

Instead you are signing a private sale (0 eth) of your NFTs to the hacker

🧵 2/4

Today he executes the smart contract function to steal the NFTs before their listings expire

He can do that because he has your signatures stored on his server

🧵 3/4

Read 5 tweets

isotile 🦇🔊

@isotile

Feb 17

@isotile

Did you know we are developing a Furniture Builder for @isotile ecosystem?

We are also finalizing our Sprite Rendering Engine so that complex furniture can be created by users

Best of all, it works on the browser, you don't have to download any executable

The Furniture Builder will follow the Virtual Reality standard, so they could be placed in any metaverse

For this we are improving the existing standards on the interoperability of objects in the metaverse (ERC-721 & stateful VR files)

Thus allowing furniture with different states (door open, door closed) (light on, light off)

Each layer & depth & frame of the furniture will be divided automatically by our Sprite Rendering Engine avoiding any manual work by the user