How NFTs are traded on OpenSea and how hackers can transfer your NFTs
NFT’s contract (ERC721) and how NFT implements transactions on OpenSea
0x01 NFT and ERC721
For NFT, it is actually a specification defined by the Ethereum Association, that is, ERC721. Its function is the same as the ERC20 specification of Fungible Token. Through this specification, the interface is unified, so that various types of tokens or NFTs can be derived. DAPP ecology, such as various Swap, lending, and other DAPPs.
The ERC721 specification of NFT is derived from ERC20. There are many similar methods. The following specification methods are as follows:
balanceOf(owner) — — Query the quantity owned by an owner in the NFT
ownerOf(tokenId) — — Query to which person a certain number in NFT belongs, such as querying which owner of a certain number of ape belongs to
name() — — Returns the name of the NFT
symbol() — — Returns the symbol of the NFT
totalSupply() — — Total NFT issuance
tokenURI(tokenId) — — Returns the URI of a certain NFT, this URI is all the description information of this NFT
tokenByIndex(index) — — Return the number of NFT by index number
approve(to, tokenId) — — Allow to this address can transfer the NFT of his tokenId number （your NFT security）
getApproved(tokenId) — — Query to whom the NFT with the tokenId number is authorized (inquire who can transfer your NFT!)
setApprovalForAll(operator, approved) — — Authorize or deauthorize the address of the operator to transfer all NFTs under your collection
isApprovedForAll(owner, operator) — — Query whether an address can transfer all NFTs of your collection
transferFrom(from, to, tokenId) — — Transfer the NFT with the tokenID number of the from address to the to address (authorization is required)
All key information of NFT is stored in the link tokenURI. The data in this link includes the number, attributes, pictures or videos of your NFT, so it is very important whether the off-chain data of tokenURI can be accessed normally and whether it will be tampered with. . The IPFS protocol can guarantee that it will not be tampered with. However, if it is the HTTP protocol, it may be tampered with. Although the HTTP protocol can be used to verify the data by checksum, this is not elegant, and it is not the protocol specification of ERC721.
In fact, OpenSea supports the information display of all ERC721 NFTs, which is to capture data on the chain through the above method, and establish all resource information in OpenSea’s own system, and finally display it to everyone in the form of Web, which is convenient for everyone for browsing.
0x02 Some ways to be vigilant
There are two methods in the ERC721 specification that you need to be vigilant about. If you are not careful, you may lose your NFT.
- “approve(to, tokenId)”，This method is to authorize the “to” address to have the right to transfer your “tokenId” NFT. If you authorize the phishing website to call this method in MetaMask, you will lose at most one NFT.
- “setApprovalForAll(operator, approved)”，This method is to authorize the “operator” address to transfer all your NFTs under this Collection.If you authorize the phishing website to call this method in MetaMask, you may lose all NFTs under this Collection. (In OpenSea , if we “Sell” an NFT, the MetaMask will pop up the authorization of this method, see the screenshot below.)
When you authorize MetaMask, you must be aware of security. When you see the approve or setApprovalForAll methods, you must pay attention to whether it is a regular website and whether the contract address is the correct address. If you accidentally authorize the wrong one, your NFT may be transferred.
0x03 The logic behind the OpenSea buying and selling process and the underlying logic
The following picture is a screenshot of the pop-up window when you sell NFT:
When performing a sell operation on OpenSea, a pop-up window will pop up for you to initialize the wallet first (this is a one-time operation),After you pay the gas fee, OpenSea’s Registry contract will create a wallet contract for you (actually a Proxy contract).Why do you need to create this contract? The main purpose is safety.Because in the second step “Approve this item for sale”, you need to authorize a contract address to transfer your NFT（setApprovalForAll）
That is to say, OpenSea cannot transfer your NFT directly. Only the wallet address you first created on OpenSea can be transferred.
After creating the wallet and authorizing the NFT, if you go to sell the NFT under the same Collection, no additional handling fee is required. OpenSea can only verify your signature to place the sell order. Advertised “gas-free listing”.
Question：Why do subsequent pending sell orders only require signatures and no transaction? OpenSea’s sell order information is only stored on its own centralized server, not on the chain?
Answer: yes ,the sell order information is only stored on OpenSea’s centralized server, not on the chain. For details, please refer to the explanation of OpenSea here.
0x04 Behind the buying of NFTs
When you buy in OpenSea , the matching of buying and selling actually happens in OpenSea’s centralized system. After matching the order, let the user call the AtomicMatch method of the OpenSea trading contract address to complete the transaction. you transaction information will be stored on chain, this involves the transfer of Token and NFT.
You only need to know that behind the success of this buy transaction, these two steps will be completed:
0x05 How to cancel an order on OpenSea official website
To cancel a listing, click on Cancel listing at the top right of your item page. A confirmation screen will appear asking you to confirm the cancellation. Please note, canceling listings requires a gas fee to make the item unavailable to other users.
User A sells his NFT at a price of 10ETH, but the price has not been traded at that time. At this time, user A directly transfers the NFT to another wallet address (probably to a cold wallet for safety) without canceling the sell order.
After a few months, I found that the market price was good, so I transferred the NFT back to the previous wallet address and prepared to sell the order, but when the transfer was successful, I found that the NFT was sold at the previous sell order price (10ETH). The current market price may be 80ETH, causing serious losses.
The reason why it can be sold at a sell order price of 10ETH is because the previous sell order information was tempted by someone, so when it was transferred back to NFT, it was immediately purchased at a low price of 10ETH.
0x06 How hackers attack in Opensea
- The hacker first learned that OpenSea needs users to migrate their selling orders, and that OpenSea officially sent an email with the migration date and operation steps in advance.
- The hacker prepared a phishing website in advance, and notified the user to perform the migration operation through a fake email, guiding the victim user to perform a sell order migration operation on the phishing website. This migration operation is to allow users to sign the sell order they sell, but the price of the signed sell order is 0.
- The hacker gets the sell order information signed by the user, and can complete the transaction at a price of 0 by calling OpenSea’s transaction contract, and successfully obtain the victim’s NFT.
- Hackers can steal the NFT by phishing to get the sell order information (“sell”) and the signature (“sellSig”) of the user’s quotation of 0.
0x07 How Phishing Sites Transfer Your NFTs
On April Fool’s Day on April 1, the biggest news in the NFT circle was that BAYC#3738 held by the famous singer Jay Chou was stolen, and the NFT was worth 3.2 million at the current price. The way to be stolen is to induce users to mint by walking the phishing website. The Discord of BAYC was hacked, which led to the proliferation of phishing websites, except that the Discord of Doodles was also hacked on the day of BAYC.
In etherscan, you can see that Jay Chou performed a bunch of set approval for all operations in confusion, and then was transferred to another address by a safe transfer from operation.
Anyone can simulate a phishing website similar to BAYC. After the user’s wallet is logged in, there is a button on the page called free mint. In fact, after the user clicks this button, the set approval for all is executed. Transfer any of your NFTs.
Then define the function, call the setApprovalForAll interface in the BAYC contract, and pass in two parameters, your own address and true, which means that if Jay Chou clicks the button and agrees to execute, the address authorized to you can be Transfer his NFT away.
Then click the free mint button on the website, it can be seen that the little MetaMask pops up a transaction request, and the transaction method is set approval for all. At this time, if I click OK, it means that my NFT can be transferred by others.
0x08 security warning
The sender in all emails can be forged, and it is very convenient to forge, so you cannot judge whether it is an official email by the sender of the email. In addition, after clicking the link in the email, you must pay attention to:
- Whether the address displayed by the browser is the address of the website you want to visit (be careful not to have spelling mistakes)
- The link displayed by the browser is not an HTTPS link. If it is not an HTTPS link, an “insecure link” will be displayed in the browser address bar. Do not visit at this time.
- When authorizing transactions such as Approve and SetApprovalForAll on MetaMask, special care needs to be taken to see if there is a problem with the current website and the authorized object. Because once authorized, the address has the right to transfer your NFT.
- When you sign the sell order on OpenSea, pay attention to the content that pops up on MetaMask asking you to sign, and see if the price is the selling price you want.
How can I cancel or lower the price of NFT listings?
This article explains how to cancel or lower the price of listings for your items on sale. ⚠️ Transferring NFTs does…
On OpenSea, most actions are off-chain, meaning they generate orders that are stored in the our system and can be…