For cryptocurrencies to attain broad adoption, breaches that may be readily avoided, such as the phishing assault that cost OpenSea $1.7 million, must be avoided.
In February 2022, OpenSea was the victim of a significant phishing attempt that resulted in the theft of approximately $1.7 million in nonfungible tokens (NFTs) from users. It wasn’t the only incident: according to reports, blockchain users lost $3.9 billion to fraudulent activities in 2022 alone.
As we approached 2023, there was a cacophony of pledges to improve crypto security. But, thus far, nothing has altered much. Companies that use blockchain are still not doing enough to avoid fraud.
Companies must adjust their thinking from the ground up if blockchain technology is to be widely adopted. These platforms may better serve their clients as the industry grows by concentrating on education and creating stronger mechanisms to detect harmful conduct.
Victims of the OpenSea breach were reportedly asked to sign an incomplete contract at the platform’s request. While the fundamental infrastructure of OpenSea was not compromised, the bogus accounts were able to exploit the open-source Wyvern Protocol. Hackers were then able to use the owner’s signature to transfer ownership without having to pay for the NFTs.
Following reports that 80% of NFTs generated for free on the platform were plagiarised or spam, OpenSea has altered several of its former regulations. OpenSea also relies on developer trust, which is not a perfect method of risk assessment. These developers might use the API for harmful purposes, such as tricking people into signing contracts they haven’t read.
Smart contracts are an essential component of the blockchain engine and may be used in a variety of settings, from NFT exchanges to fully decentralised apps. Understanding how these contracts work is critical to keeping users safe. Instead of recreating the wheel, businesses may use established protocols to guarantee smart contracts are durable and secure from fraudulent activities. Companies may then use the blockchain’s flexibility to personalise their contracts, such as setting up multisignature wallets and performing frequent unit testing.
There is no indication of which collection is authentic if you check for the popular Mutant Hounds collection shown on OpenSea’s top collections. Lack of verification might result in the formation of counterfeit collections, which intentionally raise the price to make it look authentic and confuse users. Fake collections are frequently disseminated via airdrops and are designed to be discovered using an NFT platform’s search capabilities.
Spammy collections may also distribute NFTs to people who did not request them via airdrops. Users will be sent to a separate site, where the fraud happens, rather than the platform where they keep a collection, such as OpenSea.
This is a typical issue that platforms that monitor such behaviour may handle, either through a crowdsourced database that records fake accounts or an administrative tool that understands what to look for and is continuously informed of new schemes. To minimise misunderstanding, NFT platforms may require bids to be in the same currency as the listing. Many users have been duped into accepting an offer in a currency that is less valued than the one in which they offered the NFT for sale. Data from blockchain systems may be used to uncover outliers by highlighting unusual behaviour among a small number of holders.
Of course, it should be acknowledged that firms like OpenSea face the difficult task of policing bogus accounts that arise on their network. In many circumstances, it boils down to a requirement for more formal collection verification.
Onboarding should be an integral component of the blockchain experience for both experienced and inexperienced users. Establishing explicit user rules and indicating potential hazards, like smart contracts, should be regarded core best practises for assuring user safety. These guidelines should be evaluated on a regular basis, taking into consideration risk assessment, and changed as blockchain grows.
Among seasoned blockchain users, the initialism “DYOR” is commonly used. This statement, which is an acronym for “do your own research,” has become an unspoken guideline for anyone engaging with possible investment prospects. However, it might be difficult for newbies to know where to begin. There is a chorus of discordant information from industry influencers who are frequently promoting the next great thing and driving dangerous investments, resulting in people falling victim to frauds or losing cash. Guidelines and teaching materials should be easily accessible and tailored to each platform’s value system and dangers.
Companies should take the hard lessons learnt from big vulnerabilities like the ones on OpenSea and tweak their security procedures to guarantee that doesn’t happen again while the blockchain ecosystem goes through its growing pains. Learning the fundamentals of basic technology, from smart contracts to seed phrase protection, should be the beginning point. Learn how to establish and maintain best practises, such as spotting malicious activity and those causing havoc, from there. Perhaps all that was required to avoid some of the most recent large-scale hacks was for someone to detect that anything was amiss.