Possible significant OpenSea exploit; high value NFTs stolen (etherscan.io)
28 points by turingfeel on Feb 20, 2022 | 17 comments


Listen to the disaster in real time: https://twitter.com/0xBiZzy/status/1495199867152523265

Etherscan and revoke.cash are down. This is the web3 utopia hype they have been screaming about yet the centralized services they use (Etherscan) are going down, NFTs being stolen via a vulnerability in OpenSea and there is no way to get them back. Ha.

What a magnificent disaster.


I’m listening to panicked people on the space suggest the use of different web apps to stop the exploit.

Can’t help but wonder… in the midst of the panic, are they even checking what these revoke websites contracts do? It’s too easy to social engineer something like this…


The decentralized aspect of blockchains is mostly smoke and mirrors. Moxie Marlinspike recently wrote a really good blog post about all the hidden central points of failure in the ecosystem, but it doesn't look like anyone was paying any attention.


These are the wild west days of crypto finance. Fortunes will be made and lost. There’s hype, fads, bubbles, and spectacular blowouts. The crypto finance tech ecosystem will evolve, consolidate, then eventually be diluted and homogenized into standard investment frameworks, and tamed by onerous oversight and regulations. In the meantime, if you can’t resist the urge to place a bet then don’t bet more than you can afford to lose without regret.


And ultimately, every sort of trust system requires bootstrapping on points of centralization.

People are like 'well yeah obviously' but no, not obviously in every way to everyone. And the statistics will not save you when someone finds the next oopsie that can steal your investment, and there will always be a next one. Neither will any institutions.


What's worse, crypto is actively marketed as "trustless".


This appears to be a phishing attack: https://twitter.com/cyphreth/status/1495206957589925892 https://twitter.com/0xfoobar/status/1495208279210876930

Example attacker transaction: https://ethtx.info/mainnet/0x18c0b67adf306b7f0da948e238c1397...

We see that this tx performs 3 layers of delegation, whereas normally the OpenSea WyvernExchange contract needs 2 (the user's proxy delegates the action to WyvernAtomicizer, which performs the transfer). In this case there's another layer: the user proxy delegates to attacker contract 0xa2c0946ad444dccf990394c5cbe019a858a945bd, which then calls the Atomicizer to do a malicious transfer.
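As an added illustration of the trace analysis in the comment above (this is example code written for this page, not code from the thread, from OpenSea or from the Wyvern project): a small Python checker that walks a simplified call trace of an order fill, counts the contracts between the exchange entry point and the NFT contract, and flags any hop after the user's own proxy that is not an allow-listed helper. Only the attacker contract address is the one quoted in the comment; the exchange, proxy, Atomicizer and NFT addresses are constructed placeholders, and the two traces are constructed samples shaped like the 2-layer and 3-layer cases the comment describes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def _addr(n: int) -> str:
    """Build a constructed 20-byte placeholder address (not a real deployment)."""
    return "0x" + format(n, "040x")


# The attacker contract address is the one quoted in the thread; every other
# address here is a constructed placeholder, not a real mainnet contract.
ATTACKER_CONTRACT = "0xa2c0946ad444dccf990394c5cbe019a858a945bd"
EXCHANGE = _addr(1)      # placeholder for the WyvernExchange entry point
USER_PROXY = _addr(2)    # placeholder for the victim's per-user proxy
ATOMICIZER = _addr(3)    # placeholder for WyvernAtomicizer
NFT = _addr(4)           # placeholder for the ERC-721 collection contract


@dataclass
class Frame:
    """One call frame of a transaction trace, simplified from what a
    callTracer-style debug trace reports: opcode, callee and function name."""
    op: str                                   # "CALL" or "DELEGATECALL"
    target: str                               # callee address (lowercase hex)
    func: str                                 # function being invoked
    calls: List["Frame"] = field(default_factory=list)


def path_to_transfer(frame: Frame, path: tuple = ()) -> Optional[List[Frame]]:
    """Depth-first search for the frame that moves the token; returns the
    chain of frames from the entry point down to that transfer, or None."""
    path = path + (frame,)
    if frame.func in ("transferFrom", "safeTransferFrom"):
        return list(path)
    for child in frame.calls:
        found = path_to_transfer(child, path)
        if found:
            return found
    return None


def audit_fill(trace: Frame, allowed_delegates: Set[str]) -> Dict:
    """Count the contracts sitting between the exchange and the NFT contract
    and flag every hop after the user's proxy that is not allow-listed."""
    path = path_to_transfer(trace)
    if path is None:
        return {"delegation_layers": 0, "unexpected": [], "verdict": "no-transfer"}
    hops = path[1:-1]          # drop the exchange entry frame and the NFT frame
    after_proxy = hops[1:]     # the first hop is the user's own proxy
    unexpected = sorted({f.target for f in after_proxy
                         if f.target.lower() not in allowed_delegates})
    return {
        "delegation_layers": len(hops),
        "unexpected": unexpected,
        "verdict": "suspicious" if unexpected else "expected",
    }


def normal_fill() -> Frame:
    """Constructed trace of an ordinary fill: exchange -> proxy -> Atomicizer -> NFT."""
    return Frame("CALL", EXCHANGE, "atomicMatch_", [
        Frame("CALL", USER_PROXY, "proxy", [
            Frame("DELEGATECALL", ATOMICIZER, "atomicize", [
                Frame("CALL", NFT, "transferFrom"),
            ]),
        ]),
    ])


def phished_fill() -> Frame:
    """Constructed trace with the extra layer the comment describes:
    the proxy delegates to the attacker contract, which then reaches the
    Atomicizer. The attacker function name is a made-up label."""
    return Frame("CALL", EXCHANGE, "atomicMatch_", [
        Frame("CALL", USER_PROXY, "proxy", [
            Frame("DELEGATECALL", ATTACKER_CONTRACT, "unknownSelector", [
                Frame("DELEGATECALL", ATOMICIZER, "atomicize", [
                    Frame("CALL", NFT, "transferFrom"),
                ]),
            ]),
        ]),
    ])


def run_audit() -> Dict[str, Dict]:
    """Audit both constructed traces against an allow-list of known helpers."""
    allowed = {ATOMICIZER}
    return {
        "normal": audit_fill(normal_fill(), allowed),
        "phished": audit_fill(phished_fill(), allowed),
    }


if __name__ == "__main__":
    for name, result in run_audit().items():
        print(name, result)
```

The check deliberately keys on two things a defender can verify from a trace alone: the number of contracts between the exchange and the collection, and whether every hop past the user's proxy is a contract the monitor already knows. A real monitor would load the allow-list from a vetted configuration rather than hard-coding placeholders.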


Even if it's a phish, the scale suggests a systemic issue. I doubt NFT people are that much more gullible than the average phishing victim.


By that logic, email phishing is a systemic issue — shut it all down!


Singapore had a wave of SMS banking scams 3 months ago.

The regulator has already intervened to force changes in banks (no more links in messages, shared liability, protective measures, authenticated SMS) and telcos (SMS ID registry).

So yes, in the financial world, in properly run countries, systemic issues are addressed by regulatory systems. Because losing an email is one thing, losing your life savings is another.

Crypto either will end up fully regulated or die.


While I'm no fan of cryptocurrency in general, it does seem like the space has plenty of people who understand security. The steady stream of high profile NFT hacks suggests none of them want to go near NFTs. If all the people NFTs are supposed to help won't touch them, and all the smart security people won't touch them, maybe there's a reason.


I think we should stop using normative terminology like "stealing" when talking about NFTs and stuff. Code is law and the code says it belongs to the hacker. Maybe "involuntary transfer" is a better phrase instead.


I think I would agree in other cases but in this case it is likely it was a phishing attack in which OpenSea were impersonated to steal user signatures. I think if someone held a gun to a crypto owner's head and forced them to hand over their seed phrase then that should still be called theft. Entirely different scale but still an "involuntary transfer" within the code's "law".


Yet nothing of value was lost. Weird.


Just wondering, how do you steal something that is non-fungible?


You mean like artwork?


Can you explain the joke?



