TechFlow news — browser security plugin Pocket Universe reports a new vulnerability discovered in Opensea's old contract that could be exploited to steal users' NFTs, potentially draining wallets once a transaction is signed. This exploit can target any NFT listed on Opensea before May 2022 (prior to the Seaport upgrade).
Previously, Opensea used the Wyvern protocol to match orders. When users listed NFTs, they granted an proxy contract permission to withdraw their NFTs (the typical setApprovalForAll permission), meaning this proxy contract retains authority over NFTs listed before May 2022. The new exploit tricks users into signing a transaction that transfers ownership of their proxy contract to the attacker, thereby granting them the right to withdraw the user's NFTs.Source link




