Stelo
Jan 26 12 tweets 6 min read
1/ OpenSea's Seaport is a versatile contract that can be used for transfers, swaps, bids, sales, and more.

But it has a dark side.

As @kevinrose found out the hard way, Seaport lets attackers steal ALL your NFTs.

An illustrated explainer and how to protect yourself 👇
2/ It starts when you set an "approval" to Seaport when listing an NFT for sale.

These approvals are harmless by themselves and are even necessary to sell on OpenSea. But it's like leaving your front door unlocked.

So how did attackers enter Kevin’s house and steal everything?
3/ Kevin landed on a phishing website that asked him to sign a gasless signature.

On the surface it looked like any other Seaport listing - one you'd use to list an NFT for sale.

So how'd it steal all of Kevin's NFTs? Well, that's the thing about Seaport listings...
4/ They have two components - an offer and a consideration.

The offer describes what you're listing for sale.

The consideration describes what you want in exchange for the offer, usually some ETH or WETH.

Simple enough. But here's where things get interesting...
5/ Considerations can be sent to ANYONE!

This is used, for example, to send royalties to the creator and platform fees to OpenSea.

But wait, it gets even more interesting...
6/ Considerations can be used to send ANY asset… including… the assets in the offer themselves.

If that sounds confusing, it’s because it is! Let’s explain it with a diagram.
7/ Okay, so back to Kevin.

At some point in the past, Kevin set approvals for his Autoglyphs, Squiggles, etc. to OpenSea.

Then, he landed on a phishing website and signed a Seaport signature that looked like this:
8/ The attacker submitted this signature in a transaction to the Seaport contract.

Since Seaport already had approvals to Kevin’s NFTs, it was able to transfer them all to the recipient specified in the considerations.

Here’s the transaction: etherscan.io/tx/0x4ae899024…
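The following is an added illustration, not part of the original thread and not Stelo's code, of the check a transaction analyzer can run over a Seaport order shaped like tweets 4 to 8 describe. The field names follow Seaport's order structs as I understand them (offerer, offer items with itemType/token/identifierOrCriteria/startAmount/endAmount, consideration items that add a recipient); every address and token id below is constructed for the example. Two rules carry the point of the thread: an asset in the offer that reappears as a consideration item paid to someone other than the offerer is that asset leaving the wallet for nothing, and an order in which no consideration item comes back to the offerer deserves a second look. A normal listing, where part of the price legitimately goes to the creator and to a platform fee recipient, passes both rules.

```javascript
// Seaport ItemType values: NATIVE (ETH), ERC20, ERC721, ERC1155.
const ItemType = { NATIVE: 0, ERC20: 1, ERC721: 2, ERC1155: 3 };

// Constructed addresses for this example; none of them are real accounts.
const OFFERER   = "0x1111111111111111111111111111111111111111"; // the wallet that signs
const FEE_RECIP = "0x2222222222222222222222222222222222222222"; // platform fee recipient
const CREATOR   = "0x3333333333333333333333333333333333333333"; // royalty recipient
const ATTACKER  = "0x4444444444444444444444444444444444444444"; // phisher's wallet
const GLYPHS    = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; // hypothetical NFT contract
const SQUIGGLES = "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"; // hypothetical NFT contract
const ETH       = "0x0000000000000000000000000000000000000000"; // token field for NATIVE items

const lower = (addr) => addr.toLowerCase();

// Two Seaport items describe the same asset when type, contract and id agree.
function sameAsset(a, b) {
  return a.itemType === b.itemType
    && lower(a.token) === lower(b.token)
    && String(a.identifierOrCriteria) === String(b.identifierOrCriteria);
}

// Returns { verdict: "ok" | "review" | "malicious", findings: [...] }.
function analyzeSeaportOrder(order) {
  const offerer = lower(order.offerer);
  const findings = [];

  // Rule 1: an offered asset that is also a consideration item routed to
  // someone other than the offerer. Recipients other than the offerer are
  // normal for fees and royalties, so the rule keys on the asset, not the recipient.
  for (const c of order.consideration) {
    const inOffer = order.offer.some((o) => sameAsset(o, c));
    if (inOffer && lower(c.recipient) !== offerer) {
      findings.push({ rule: "offer-asset-redirected", token: c.token,
                      id: String(c.identifierOrCriteria), recipient: c.recipient });
    }
  }

  // Rule 2: nothing in the consideration is paid back to the offerer.
  const paidToOfferer = order.consideration.some((c) => lower(c.recipient) === offerer);
  if (!paidToOfferer) findings.push({ rule: "nothing-returned-to-offerer" });

  const verdict = findings.some((f) => f.rule === "offer-asset-redirected") ? "malicious"
    : findings.length ? "review" : "ok";
  return { verdict, findings };
}

// Helpers to build items in the shape of Seaport OfferItem / ConsiderationItem.
function nft(token, id) {
  return { itemType: ItemType.ERC721, token, identifierOrCriteria: id,
           startAmount: "1", endAmount: "1" };
}
function eth(wei, recipient) {
  return { itemType: ItemType.NATIVE, token: ETH, identifierOrCriteria: 0,
           startAmount: wei, endAmount: wei, recipient };
}

// A normal listing: one NFT offered, price split between seller, creator and platform.
const LEGIT_LISTING = {
  offerer: OFFERER,
  offer: [nft(GLYPHS, 1)],
  consideration: [
    eth("950000000000000000", OFFERER),  // 0.95 ETH to the seller
    eth("25000000000000000", CREATOR),   // 0.025 ETH royalty
    eth("25000000000000000", FEE_RECIP), // 0.025 ETH platform fee
  ],
};

// The shape described in the thread: the offered NFTs reappear as consideration
// items whose recipient is the attacker, and nothing is paid back to the offerer.
const PHISHING_ORDER = {
  offerer: OFFERER,
  offer: [nft(GLYPHS, 1), nft(SQUIGGLES, 2)],
  consideration: [
    { ...nft(GLYPHS, 1), recipient: ATTACKER },
    { ...nft(SQUIGGLES, 2), recipient: ATTACKER },
  ],
};

for (const [name, order] of [["listing", LEGIT_LISTING], ["phishing", PHISHING_ORDER]]) {
  console.log(name, JSON.stringify(analyzeSeaportOrder(order)));
}
```

Rule 1 on its own would not catch a listing that simply gives an NFT away for nothing, which is why rule 2 downgrades such orders to "review" rather than ignoring them; and because fee and royalty recipients are legitimately not the offerer, flagging on recipient alone would raise a false positive on every ordinary listing. A production analyzer would also simulate the fulfillment rather than trust the order structure alone.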
9/ It sucks, but that’s the downside of Seaport.

But all hope is not lost - there are tools and best practices that you can use to avoid ending up in the same situation as Kevin.
10/ Here are three things you can do today to protect yourself:

1) Never sign messages or transactions from wallets that hold NFTs

2) Revoke open approvals using @RevokeCash

3) Install an extension that analyzes transactions proactively like @stelolabs or @PocketUniverseZ
11/ We reverse-engineered the signature that @kevinrose signed and passed it through Stelo.

If @kevinrose had Stelo this is what he would have seen:
12/ Here are some great people to follow to stay on top of web3 security best practices: @Wii_Mee @Feld4014 @0xQuit @zachxbt

And here's a link to download Stelo: stelolabs.com/download

Stay safe!
