New loopholes found in OpenSea’s old contracts

BlockBeats news, on October 28, the browser security plug-in Pocket Universe said that a new vulnerability was found in Opensea’s old contract, which could be used to steal users’ NFTs, and once the transaction was signed, the wallet could be emptied. It can steal any NFTs that users have listed on Opensea before May 2022 (i.e. before the Seaport upgrade). Opensea previously used the Wyvern protocol to match orders. When the user listed NFT, the proxy contract was granted the permission to withdraw the NFT (ie the usual setApprovalForAll permission), so this proxy contract has the right to withdraw the NFT listed by the user before May 2022. This new exploit tricks the user into signing a transaction, giving the attacker ownership of the user-agent contract and thus the right to withdraw the user’s NFT. Cosine, the founder of SlowMist, responded that it is necessary to be alert to the new use of this old problem, which is related to the old OpenSea protocol, but many users of the old protocol have not cancelled the relevant authorization.