Listen to the disaster in real time: https://twitter.com/0xBiZzy/status/1495199867152523265

Etherscan and revoke.cash are down. This is the web3 utopia hype they have been screaming about, yet the centralized services they use (Etherscan) are going down, NFTs are being stolen via a vulnerability in OpenSea, and there is no way to get them back. Ha.

What a magnificent disaster.
This appears to be a phishing attack:
https://twitter.com/cyphreth/status/1495206957589925892
https://twitter.com/0xfoobar/status/1495208279210876930

Example attacker transaction:
https://ethtx.info/mainnet/0x18c0b67adf306b7f0da948e238c1397b54b865af7dee6869e98f9db2b1f6dc6a/

We see that this tx performs 3 layers of delegation, whereas normally the OpenSea WyvernExchange contract needs 2 (user's proxy delegates action to WyvernAtomicizer, which performs the transfer). In this case there's another layer: user proxy delegates to attacker contract 0xa2c0946ad444dccf990394c5cbe019a858a945bd, which then calls the Atomicizer to do a malicious transfer.
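
The layering described in the comment above can be checked mechanically. This is an added example, not part of the thread or of OpenSea's code: it walks a call trace (constructed here, in the type/from/to/calls shape used by call tracers) and flags a proxy that delegates to code other than the expected Atomicizer or nests more than two layers. Every address except the attacker contract quoted above is a constructed placeholder, and the call types in the sample traces are assumptions.

```python
# Constructed placeholder addresses (not real contracts), except ATTACKER,
# which is the address quoted in the comment above.
SENDER     = "0x" + "a0" * 20   # stands in for the transaction sender
EXCHANGE   = "0x" + "e1" * 20   # stands in for WyvernExchange
USER_PROXY = "0x" + "b2" * 20   # stands in for the victim's proxy
ATOMICIZER = "0x" + "c3" * 20   # stands in for WyvernAtomicizer
NFT        = "0x" + "d4" * 20   # stands in for an NFT contract
ATTACKER   = "0xa2c0946ad444dccf990394c5cbe019a858a945bd"

def frame(kind, src, dst, calls=()):
    """Build one call frame (constructed sample data)."""
    return {"type": kind, "from": src, "to": dst, "calls": list(calls)}

def depth(f):
    """Number of nested call layers beneath this frame."""
    return max((1 + depth(c) for c in f.get("calls", [])), default=0)

def audit(trace, proxy, allowed, expected_layers=2):
    """Flag proxy executions that delegate to unknown code or nest too deep."""
    findings, stack = [], [trace]
    while stack:
        f = stack.pop()
        stack.extend(f.get("calls", []))
        if f["to"].lower() != proxy.lower():
            continue
        # Code the proxy delegates to runs with the proxy's own authority.
        for child in f.get("calls", []):
            if child["type"] == "DELEGATECALL" and child["to"].lower() not in allowed:
                findings.append(("unexpected-delegate", child["to"]))
        if depth(f) > expected_layers:
            findings.append(("extra-layer", depth(f)))
    return findings

# Normal flow: proxy -> Atomicizer -> transfer (2 layers below the proxy).
NORMAL = frame("CALL", SENDER, EXCHANGE, [
    frame("CALL", EXCHANGE, USER_PROXY, [
        frame("DELEGATECALL", USER_PROXY, ATOMICIZER, [
            frame("CALL", USER_PROXY, NFT)])])])

# Flow from the comment: proxy -> attacker contract -> Atomicizer -> transfer.
ATTACK = frame("CALL", SENDER, EXCHANGE, [
    frame("CALL", EXCHANGE, USER_PROXY, [
        frame("DELEGATECALL", USER_PROXY, ATTACKER, [
            frame("DELEGATECALL", USER_PROXY, ATOMICIZER, [
                frame("CALL", USER_PROXY, NFT)])])])])

if __name__ == "__main__":
    print(audit(NORMAL, USER_PROXY, {ATOMICIZER}))
    print(audit(ATTACK, USER_PROXY, {ATOMICIZER}))
```
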
While I'm no fan of cryptocurrency in general, it does seem like the space has plenty of people who understand security. The steady stream of high-profile NFT hacks suggests none of them want to go near NFTs. If all the people NFTs are supposed to help won't touch them, and all the smart security people won't touch them, maybe there's a reason.
I think we should stop using normative terminology like "stealing" when talking about NFTs and stuff. Code is law and the code says it belongs to the hacker. Maybe "involuntary transfer" is a better phrase instead.