2021 was the year that the Metaverse became a thing. Mark Zuckerberg declared it ‘the next chapter for the internet’, Ariana Grande held a virtual concert in Fortnite and Snoop Dogg sold a plot next to his Metaverse Mansion for $450,000. Inevitably, as the hype and opportunity around the Metaverse have grown, so have the stories of the scams and theft of NFTs.
Insider Trading at OpenSea
OpenSea - a marketplace for minting and selling NFTs - is easily the largest company to have emerged from the Metaverse and NFT boom. Founded in 2017, it has raced past unicorn status to a recent valuation of an eye-watering $13.3bn, but such rapid growth, in a space that is itself still emerging and has no clear operating guidelines, has unsurprisingly brought a corresponding rise in hacks and scams.
On September 15th 2021, OpenSea released a statement announcing that one of their employees had purchased NFTs they knew were to be displayed on the site’s homepage.
Without spelling it out, the statement was describing insider trading: homepage placement reliably lifts an NFT's price, so an employee who knows in advance what will be featured can buy first and flip the NFTs for a quick profit.
The following day OpenSea confirmed the resignation of their Head of Product, affirming their commitment to “a level playing field for buyers, sellers, creators, collectors, developers, and those who are new to the space.” Ironically it was the transparency of the blockchain that brought the issue to light in the first place, courtesy of a Twitter sleuth who traced the purchases and sales on-chain.
The moral of this story is that the internal regulation of NFT marketplaces is not keeping pace with demand, as a second incident at OpenSea a few months later showed.
$1 million in NFTs exploited through uncancelled listings
In January of this year, blockchain analysis firm Elliptic reported that an exploit at OpenSea involving uncancelled listings had enabled five opportunists to buy NFTs well below market price and resell them for a total of over $1 million.
OpenSea is a centralised marketplace, based in New York, that leverages blockchains like Ethereum to allow its users to mint and list NFTs. On-chain actions aren't free: they are paid for in gas, a measure of the computational effort the blockchain needs to process a transaction. A listing is a signed order that OpenSea stores off-chain, but cancelling a listing at a given price is an on-chain transaction, and therefore costs gas.
Many users seem to have been oblivious to the fact that transferring an NFT out of a wallet with an active listing didn't cancel the listing: the signed order stayed valid, so if the NFT later came back to the same wallet it could still be bought at the old price. Not everyone was oblivious.
Sharp-eyed users essentially picked up NFTs from some of the most in-demand collections - Bored Ape Yacht Club, Mutant Ape Yacht Club, Cool Cats and Cyberkongz - for knockdown prices.
The exploit is believed to have been known at the end of 2021, but it took until February for OpenSea to update their policy around uncancelled listings, describing it as a growing pain of the NFT space and more a matter of education than an exploit.
As part of their new measures they reduced the default listing period to one month, built a dashboard so users can see their active listings, and enabled notifications when an NFT with an active listing is being transferred.
This doesn't change the fact that cancelling a listing will still incur a cost, but at least it makes users aware of the risk. The NFT space is clearly evolving on the fly, and issues like uncancelled listings are a symptom of growing pains.
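To make the failure mode concrete, here is a toy model, added for illustration and not OpenSea's code, of a marketplace where listings are signed off-chain and only ownership and cancellations live on-chain. The account names, the HMAC stand-in for a wallet's ECDSA signature and the flat one-unit gas charge are assumptions; the validity checks are the ones the text describes. The point it shows is that the fill goes through whenever the order is signed, uncancelled, unexpired and the signer currently holds the token, regardless of where the token has been in between.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Toy model, added for illustration (not OpenSea's code). HMAC over a shared
# per-account secret stands in for the ECDSA signature a wallet would produce.
KEYS = {"alice": b"alice-secret", "bob": b"bob-secret"}   # constructed


@dataclass(frozen=True)
class Listing:
    seller: str
    token_id: int
    price_eth: float
    expires: int      # unix timestamp after which the order is dead
    nonce: int
    sig: str


def order_hash(seller, token_id, price_eth, expires, nonce):
    msg = f"{seller}|{token_id}|{price_eth}|{expires}|{nonce}".encode()
    return hashlib.sha256(msg).hexdigest()


def sign_listing(seller, token_id, price_eth, expires, nonce):
    """Off-chain: free, nothing is written to the ledger."""
    h = order_hash(seller, token_id, price_eth, expires, nonce)
    sig = hmac.new(KEYS[seller], h.encode(), hashlib.sha256).hexdigest()
    return Listing(seller, token_id, price_eth, expires, nonce, sig)


class Chain:
    """Minimal ledger: token ownership plus the set of cancelled order hashes."""

    def __init__(self, owners):
        self.owners = dict(owners)
        self.cancelled = set()
        self.gas_spent = {}  # assumption: every on-chain action costs 1 unit of gas

    def _charge(self, account):
        self.gas_spent[account] = self.gas_spent.get(account, 0) + 1

    def transfer(self, frm, to, token_id):
        assert self.owners[token_id] == frm, "not the owner"
        self.owners[token_id] = to
        self._charge(frm)

    def cancel(self, account, listing):
        """The only way to kill a signed order: an on-chain cancel, which costs gas."""
        self.cancelled.add(order_hash(listing.seller, listing.token_id,
                                      listing.price_eth, listing.expires, listing.nonce))
        self._charge(account)


def try_fill(chain, listing, buyer, now):
    """Marketplace-side checks. Nothing here looks at the token's history,
    only at who owns it right now."""
    h = order_hash(listing.seller, listing.token_id, listing.price_eth,
                   listing.expires, listing.nonce)
    expected = hmac.new(KEYS[listing.seller], h.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, listing.sig):
        return "bad signature"
    if h in chain.cancelled:
        return "cancelled"
    if now > listing.expires:
        return "expired"
    if chain.owners[listing.token_id] != listing.seller:
        return "seller no longer owns token"
    chain.transfer(listing.seller, buyer, listing.token_id)
    return f"filled at {listing.price_eth} ETH"


def run_scenarios():
    now = 1_700_000_000
    day = 86_400
    results = {}

    # A: alice lists at 1 ETH, moves the token to a second wallet believing that
    # kills the listing, then moves it back after the floor price has risen.
    chain = Chain({1: "alice"})
    old = sign_listing("alice", 1, 1.0, now + 180 * day, nonce=1)
    chain.transfer("alice", "alice_vault", 1)
    results["while_in_vault"] = try_fill(chain, old, "bob", now + 10 * day)
    chain.transfer("alice_vault", "alice", 1)
    results["after_return"] = try_fill(chain, old, "bob", now + 20 * day)

    # B: an explicit on-chain cancel is what actually invalidates the order.
    chain = Chain({1: "alice"})
    lst = sign_listing("alice", 1, 1.0, now + 180 * day, nonce=2)
    chain.cancel("alice", lst)
    results["after_cancel"] = try_fill(chain, lst, "bob", now + 10 * day)
    results["gas_for_cancel"] = chain.gas_spent["alice"]

    # C: a short expiry (OpenSea's new one-month default) bounds how long a
    # forgotten order can bite.
    chain = Chain({1: "alice"})
    short = sign_listing("alice", 1, 1.0, now + 30 * day, nonce=3)
    results["after_expiry"] = try_fill(chain, short, "bob", now + 31 * day)
    return results


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(f"{k}: {v}")
```

Scenario A is the exploit: the order is rejected only while the token is away, and fills at the stale 1 ETH price the moment it returns. Scenarios B and C are the two real defences, an on-chain cancel that costs gas and a short expiry that limits the damage when the cancel is skipped.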
OpenSea phishing attack hits seventeen users
A turbulent period for OpenSea got even choppier in February of this year when CoinDesk reported that the owners of 17 accounts had seen NFTs disappear from their wallets.
PeckShield, a crypto security firm, attributed the losses to phishing: users were lured into interacting with malicious smart contracts and, in effect, signed approvals allowing those contracts to transfer their NFTs. On an ERC-721 collection a single setApprovalForAll signature hands an operator transfer rights over every token the wallet holds in that collection, so one signature can empty a wallet.
One Twitter user summed it up bluntly as a failure of individual opsec.
That might seem harsh, but this once again highlights the dangers of keeping digital assets in hot wallets, where a single click can be fatal. There is a certain irony in the fact that OpenSea added an SOS button in August to help users flag compromised accounts, with the announcement tweeted by a member of staff who later resigned over the insider trading allegation mentioned above.
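The approval those users were tricked into signing is visible in the transaction's calldata before it is ever sent. The following decoder is added here as an example and is not code from OpenSea, PeckShield or MetaMask: it reads the first four bytes of the calldata to identify the function and flags the dangerous cases, namely setApprovalForAll granting an operator, an unlimited approve, and a transferFrom out of your own wallet. The selectors are the standard ERC-20/ERC-721 ones; the wallet addresses and sample calls are constructed for the example. The same decoding is what you need for the tip at the end of this article about reviewing approvals, since it tells you what an existing approval actually granted.

```python
# Added example: inspect raw EVM calldata before signing. Not code from
# OpenSea, PeckShield or MetaMask. Selectors are the first four bytes of
# keccak256 of the standard ERC-20/ERC-721 function signatures.
SELECTORS = {
    "a22cb465": "setApprovalForAll(address,bool)",         # ERC-721 / ERC-1155
    "095ea7b3": "approve(address,uint256)",                 # ERC-20 (ERC-721 single token)
    "23b872dd": "transferFrom(address,address,uint256)",
    "42842e0e": "safeTransferFrom(address,address,uint256)",
    "a9059cbb": "transfer(address,uint256)",
}
MAX_UINT256 = (1 << 256) - 1

# Constructed addresses for the demonstration.
MY_WALLET = "0x" + "11" * 20
ATTACKER = "0x" + "ab" * 20


def encode_call(selector_hex, *words):
    """ABI-encode a call whose arguments are all static 32-byte words."""
    return "0x" + selector_hex + "".join(w.to_bytes(32, "big").hex() for w in words)


def _word(data, i):
    start = 4 + 32 * i
    w = data[start:start + 32]
    if len(w) != 32:
        raise ValueError("calldata truncated")
    return w


def _addr(w):
    return "0x" + w[-20:].hex()   # an address is the low 20 bytes of the word


def _uint(w):
    return int.from_bytes(w, "big")


def inspect_calldata(calldata_hex, my_address):
    """Return (function signature, warning). warning is None when the call
    hands nobody new power over my_address's assets."""
    h = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(h)
    if len(data) < 4:
        raise ValueError("no function selector")
    sel = data[:4].hex()
    name = SELECTORS.get(sel)
    if name is None:
        return f"unknown 0x{sel}", "Unrecognised function; do not sign unless you know what it does."

    if name.startswith("setApprovalForAll"):
        operator, approved = _addr(_word(data, 0)), _uint(_word(data, 1)) != 0
        if approved:
            return name, f"Grants {operator} the right to move EVERY token you hold in this collection."
        return name, None                     # revoking an operator is the safe direction

    if name.startswith("approve"):
        spender, amount = _addr(_word(data, 0)), _uint(_word(data, 1))
        if amount == 0:
            return name, None                 # approve(spender, 0) revokes
        if amount == MAX_UINT256:
            return name, f"Unlimited allowance for {spender}."
        return name, f"Allows {spender} to move {amount} (token id or amount)."

    if name.startswith(("transferFrom", "safeTransferFrom")):
        frm, to, tid = _addr(_word(data, 0)), _addr(_word(data, 1)), _uint(_word(data, 2))
        if frm.lower() == my_address.lower():
            return name, f"Moves token {tid} OUT of your wallet to {to}."
        return name, None

    # transfer(address,uint256): a plain ERC-20 send
    to, amount = _addr(_word(data, 0)), _uint(_word(data, 1))
    return name, f"Sends {amount} tokens to {to}."


# Constructed calls, of the kind a phishing site asks a wallet to sign.
SAMPLES = {
    "approve_all": encode_call("a22cb465", int(ATTACKER, 16), 1),
    "revoke_all": encode_call("a22cb465", int(ATTACKER, 16), 0),
    "unlimited_erc20": encode_call("095ea7b3", int(ATTACKER, 16), MAX_UINT256),
    "drain_token_648": encode_call("23b872dd", int(MY_WALLET, 16), int(ATTACKER, 16), 648),
}


if __name__ == "__main__":
    for label, cd in SAMPLES.items():
        print(label, *inspect_calldata(cd, MY_WALLET))
```

The decoder only handles calls whose arguments are static 32-byte words, which covers all of the approval and transfer functions above; a wallet prompt that shows an unknown selector, or a hex blob you cannot decode, is itself the warning sign.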
Illuvium Token Hack
Illuvium, an open-world role-playing game built on the Ethereum blockchain, took pre-emptive action in January, draining the liquidity behind its staking rewards after uncovering a potential exploit that would have allowed unlimited minting of the tokens paid out as staking rewards.
They initially reported that none of the sILV token rewards were lost, but later, in their official post-mortem, suggested the attacker got away with 335 ETH.
The funds were withdrawn from a pool on Uniswap which Illuvium had no official connection with. sILV was only intended to be used within the Illuvium Metaverse, but as an illustration that the Metaverse economy extends beyond the virtual boundaries of the game, Illuvium had to take some extraordinary steps through their DAO structure to protect holders of the token.
NIFTY Gateway hack highlights importance of account security
In March of 2021 multiple customers of Nifty Gateway, an NFT marketplace, reported NFTs being removed from their accounts.
Nifty reported no breach of its own systems, but instead highlighted that the accounts had been accessed with valid credentials and did not have two-factor authentication enabled, suggesting targeted phishing or credentials reused from a breach elsewhere.
Nifty Gateway sells decentralised assets - NFTs - but within a centralised service where account holders log in with traditional credentials and can use credit/debit cards to purchase NFTs.
This incident once again illustrates the vulnerability of that kind of set-up, and the importance of always maximising account security, with 2FA enabled as standard.
Frontend Developer Fleeces Jay Pegs Auto Mart
On September 17th 2021 Jay Pegs Auto Mart, a quirky NFT project on the Ethereum network, was exploited for $3.1 million right from under its nose.
The project was selling tokens redeemable for NFTs themed on the memeable old models of the Kia Sedona.
Jay Pegs Auto Mart accused a frontend developer of inserting his own wallet address into the auction's frontend so that he, rather than the project, received the 866 ETH raised by a token auction run on MISO, a side project of SushiSwap.
There followed a series of bizarre exchanges that highlight the bubble that much of the bleeding edge of NFTs and the Metaverse inhabits. It included expressions of admiration for the audacity and intelligence of the exploit and - once they were convinced of the culprit's identity - tempting him out into the open by delivering miso soup.
Though funds were swiftly returned, it suggests that for those on the inside of NFT and Metaverse space, scams are an occupational hazard. For those on the outside, losing assets paid for from hard-earned money, it might be harder to be so philosophical.
Painful 250 ETH NFT Discord Social Engineering laid out on Twitter
The Metaverse and NFTs are new concepts, but the attempts to scam their users are old, especially social engineering.
One Twitter user poured out his soul after falling victim to a classic sting, which he valued at 250 ETH, when he was duped on Discord by scammers impersonating support staff from the Bored Ape Yacht Club NFT collective.
@sohrobf's problems started when he struggled to list his recent purchase, BAKC #648, on OpenSea. Turning to Discord for support, he fell into a coordinated social engineering sting by users pretending to be the founders of BAYC.
With distraction and good humour, he was conned into using MetaMask's 'sync with mobile' feature, which displays a QR code carrying the wallet's secret so that a phone can import it; anyone who gets to see that QR code has full account access. Game over.
As one of his follow-up tweets points out, cold storage would have afforded more protection, but that realisation came a little late. He could take a crumb of comfort from knowing he wasn't alone, with another Twitter user reporting a carbon-copy incident.
Similar experiences of people falling victim to phishing can be found all over social media and Reddit, with several users complaining last December about the disappearance of parcels of land from their wallets.
This may all suggest that owning NFTs or exploring the Metaverse is akin to the Wild West. These are the early days of very new concepts, with codes of conduct yet to fully take shape, but there is no reason why you shouldn't explore the next decentralised frontier, so long as your eyes are open to the risks.
Explore the Metaverse with your eyes open
We highlight the dangers of the Metaverse in a separate article, but here are some key tips to stay safe:
Never share your Seed - under any circumstances.
Limit your online exposure by storing assets in a Cold Wallet.
Make sure your general online security is tight and up to date.
Don't click on unknown links, pop-ups or promotions, and be wary of unexpected airdrops.
Regularly review the sites connected to your MetaMask wallet and the token approvals you have granted, and revoke any you no longer need.
Be very suspicious of anyone offering to transfer an NFT to you or on your behalf.
Be wary of offers to negotiate NFT sales outside of official marketplaces.
Be very aware of those approaching you within the Metaverse or in Discord channels.