Anyone can fall victim to a malicious NFT hack, so what else can OpenSea do to protect its users?
The non-fungible token (NFT) market has been booming since the summer of 2021, and as NFT prices skyrocketed, so did the number of hacks targeting NFTs.
A recent high-profile hack stripped about 600 Ether (ETH) worth of NFTs from Arthur, the founder of DeFiance Capital, which were then sold on OpenSea.
The 2022 Crypto Crime Report released by Chainalysis highlights that the value sent from illicit addresses to NFT marketplaces increased significantly in 2021, reaching nearly $1.4 million. There has also been a significant increase in the amount of stolen funds sent to NFT trading platforms.
Total illicit value flowing into NFT platforms. Source: Chainalysis Cryptocrime Report 2022
With the alarmingly rapid growth in illicit assets flowing onto NFT platforms, the question naturally arises as to whether security measures and procedures are in place and, if so, whether they are effective in protecting owners.
Let’s take a look at OpenSea, the largest NFT platform, and its security measures.
OpenSea security measures fail to protect users
OpenSea applies two main security measures after an account is “hacked” – locking a compromised account and locking stolen NFTs. On closer examination, these two measures are very ineffective.
An account lockout can be done on the OpenSea website without a person’s consent, as shown here, while an NFT lockout requires a lengthy ticket creation process and waiting for a response from OpenSea support.
In a situation where the hacker has already compromised the wallet and is in the process of transferring NFTs, account suspension will only be effective if it is done before the hacker transfers everything.
Similarly, the NFT lock only helps if it takes effect before the hacker sells the NFT to another buyer. To make matters worse, this security measure creates a series of indirect victims, ending in locked NFTs that cannot be sold or transferred. Because the response time for tickets posted to OpenSea is at least a day, by the time OpenSea blocks the NFTs, they will have already been sold to another buyer, who is now a new victim of the crime.
In the case of the 17 Azuki NFTs stolen from Arthur0x, 15 were stolen within one minute and two were stolen three minutes later. The average time these stolen NFTs remained in the hacker’s wallet before being sold is 43 minutes. OpenSea’s security measures either do not react at all or do not react quickly enough to notify the victim and stop the hacker. They also do not warn buyers early enough to keep them from buying stolen NFTs and becoming indirect victims.
Stolen Azuki NFTs from Arthur0x. Source: etherscan.io
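The timing above (a burst of transfers in about a minute, then tens of minutes before resale) is the window in which an automated hold could act. The following is an added example, not code from the article or from OpenSea: a burst detector and dwell-time calculation over a constructed event log; the addresses, timestamps, window and threshold are all assumptions.

```python
from datetime import datetime, timedelta

T0 = datetime(2022, 1, 1, 12, 0, 0)      # constructed start time, not the real incident time
VICTIM, THIEF = "0xVICTIM", "0xTHIEF"    # placeholder addresses

def sample_events():
    """Constructed log shaped like the case above: 15 transfers in one minute, 2 three minutes later."""
    ev = [(T0 + timedelta(seconds=4 * i), "transfer", i, VICTIM, THIEF) for i in range(15)]
    ev += [(T0 + timedelta(minutes=3, seconds=10 * i), "transfer", 15 + i, VICTIM, THIEF) for i in range(2)]
    # Resales by the receiving wallet, 20 to 68 minutes after T0 (constructed values).
    ev += [(T0 + timedelta(minutes=20 + 3 * i), "sale", i, THIEF, f"0xBUYER{i}") for i in range(17)]
    return sorted(ev)

def detect_burst(events, wallet, window=timedelta(minutes=1), threshold=5):
    """Return the time at which `threshold` outbound transfers from `wallet` fall inside `window`."""
    recent = []
    for ts, kind, _tok, src, _dst in events:
        if kind != "transfer" or src != wallet:
            continue
        recent = [t for t in recent if ts - t <= window] + [ts]
        if len(recent) >= threshold:
            return ts  # a signal to hold and notify the owner, not proof of theft
    return None

def dwell_times(events, holder):
    """Time each token sat in `holder`'s wallet between arrival and its sale."""
    arrived, dwell = {}, {}
    for ts, kind, tok, src, dst in events:
        if dst == holder:
            arrived[tok] = ts
        elif src == holder and kind == "sale" and tok in arrived:
            dwell[tok] = ts - arrived[tok]
    return dwell

def summarize(events):
    alert = detect_burst(events, VICTIM)
    if alert is None:
        return None
    dwell = dwell_times(events, THIEF)
    moved = sum(1 for ts, k, _t, s, _d in events if k == "transfer" and s == VICTIM and ts <= alert)
    first_sale = min(ts for ts, k, *_ in events if k == "sale")
    return {
        "alert_at": alert,
        "moved_before_alert": moved,
        "time_to_first_sale": first_sale - alert,  # how long a hold has to land before resale
        "mean_dwell": sum(dwell.values(), timedelta()) / len(dwell),
    }

if __name__ == "__main__":
    for key, value in summarize(sample_events()).items():
        print(key, value)
```

On this constructed log the alert fires after the fifth transfer, well before the first resale, which is the gap a one-day ticket response cannot use.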
Blocking Stolen NFTs Creates Indirect Victims
An indirect victim is someone who is not the target of a hack but indirectly suffers the financial loss caused by blocking stolen NFTs. As seen in many recent NFT hacks, NFTs are always sold prior to the implementation of the OpenSea block. Blocking NFTs too late therefore results in indirect and additional losses for more people.
To illustrate in more detail how someone can end up buying a stolen NFT and indirectly become a victim of a hack, here are three common cases:
Case 1: Alice bought an NFT but only later found out it was a stolen asset. The NFT is locked and Alice cannot sell or transfer it on OpenSea. She then proceeds to create a support ticket. A few weeks later, the OpenSea Trust & Safety team offers to refund the 2.5% platform fee and, if she is lucky, possibly provides the email address of the victim who reported the theft. She will then most likely have a long discussion with the victim about the possibility of unlocking, which will most likely end in nothing.
Alice is still able to sell NFTs on other marketplaces, but the sales volume of this particular collection is very low and there is no buyer to offer a fair price on platforms other than OpenSea.
OpenSea’s response to an indirect victim who bought a stolen NFT
Case 2: Alice made several bets by betting on NFTs from the collection. One of the proposals was made by N.