By now, you may have heard about the attack on OpenSea, the world’s largest NFT (non-fungible token) marketplace, that resulted in roughly $1.7 million worth of NFTs being stolen from users’ wallets. The apparent phishing scam took place on February 19th, and some OpenSea users fell prey to it.
OpenSea CEO Devin Finzer took to Twitter on the 19th to explain the details the company knew at that point, denying direct responsibility for the hack: “As far as we can tell, this is a phishing attack. We don’t believe it’s connected to the OpenSea website. It appears 32 users thus far have signed a malicious payload from an attacker, and some of their NFTs were stolen.”
OpenSea later revised the original estimate of 32 affected users to 17, and clarified that some of the NFTs had been returned to their rightful owners, though by some reports about $1 million in assets are still unrecovered.
This attack raises legitimate questions about the security of web3 platforms that must be addressed if web3 is to survive and reach mass adoption.
In a TechCrunch article from January titled “Success of web3 hinges on remedying its security challenges,” author Wei Lien Dang lays bare the security tradeoffs between Web 2.0 and web3: “The blockchain does not require actors to be trusted as in Web 2.0, but making updates to address security problems is harder. Users get to maintain control over their identities, but no intermediaries exist to provide recourse in the event of attacks or key compromises (e.g., how Web 2.0 providers can revert stolen funds or reset passwords). Wallets can still leak sensitive information like an Ethereum address – it’s still software, which is never perfect.”
Dang goes on to say “in Web 2.0, a substantial part of the security model is about response. In web3, where transactions cannot be changed once executed, mechanisms must be built in to verify if transactions should happen in the first place. In other words, security has to be exceptionally good at prevention.”
The TL;DR: because of the decentralized structure of web3, with users holding more control over their identities, it's crucial for platforms to focus on attack prevention rather than solely on response, which is the Web 2.0 mode of handling security.
Web3 is growing in scope and popularity, and is no longer just a nascent movement populating quiet corners of the internet. As web3 gains momentum, underlying vulnerabilities are coming to light as malicious actors find ways to exploit them, as with the OpenSea attack. Vulnerabilities can stem from issues with authentication, key management, and a plain lack of user knowledge on which attackers can capitalize. Because transactions on the blockchain are irreversible, falling prey to an attack often has no positive resolution for victims.
Whether these security issues are just web3 growing pains or will develop into larger, systemic problems remains to be seen. Much of that trajectory depends upon how developers, enterprises, and thought leaders in this space address these problems. Ultimately, if users who are educated enough in the web3 space to be buying NFTs fall for a sophisticated phishing attack, then how can we expect a nontechnical populace to participate in a new, decentralized web that's supposed to be for everyone?
We want users to control their identities – to own their credentials, to stop trusting platforms with sensitive information – but enterprises, organizations, and individuals must take seriously the technological challenges posed by a growing web3 movement in order to fully realize that ideal end goal.
Fortunately, a community built largely by individuals with a passion for a decentralized digital landscape is addressing those vulnerabilities head-on. One such core challenge is privacy-preserving accountability, which NuID’s Trustless Authentication protocol provides.