Search Inside Bitcoins

Navigating Troubled Waters: OpenSea API Breach Alert


The NFT trading space was recently shaken up when OpenSea, the second-biggest NFT marketplace by trading volume at 36.5% (as of May 2023), alerted some of its users about a security breach concerning third-party vendors. Blur, another marketplace, tops the chart with 56.8% and only made its debut around a year back.

OpenSea sent out emails to affected users, cautioning, “A security mishap occurred with one of our associated vendors, possibly exposing details related to your OpenSea API key.” To address this vulnerability, OpenSea was prompt in advising users to discontinue their current API keys and generate a new set. This needs to be done swiftly, as the existing keys are set to become inactive by October 2.

The company further stated that the newly minted API keys would retain the same permissions and rate limits as the ones on the verge of expiration. Despite the urgency of the situation, OpenSea clarified that the breach might not immediately hinder users’ platform interactions. Yet, they emphasized that unauthorized third-party access could influence individual user rate and usage limits. The number of affected users and whether any data other than API keys was jeopardized remain undisclosed.

Interestingly, this isn’t the first instance of a security lapse in the crypto domain. Another recent breach involved Nansen’s third-party vendor, where user information, including blockchain addresses, hashed passwords, and emails, was exposed. This breach affected 6.8% of Nansen’s users. Furthermore, without pinpointing specific entities, Nansen mentioned that many top-tier Fortune 500 firms employ this vendor.

History seems to be repeating itself, at least for OpenSea. Rewinding to June the previous year, OpenSea was among a slew of crypto-based organizations that experienced unauthorized email leaks, stemming from an oversight by an employee in collaboration with their email delivery ally, Customer.io. These email leaks are goldmines for adversaries, who often exploit them by pushing deceptive phishing schemes. Even earlier, in May 2022, OpenSea’s Discord platform fell victim to hackers who propagated a counterfeit NFT mint, masquerading as a collaborative effort with YouTube.

No Stranger to Controversy

OpenSea is no stranger to controversy. We recently reported that on July 20, 2023, OpenSea unveiled its “Let’s make a deal” functionality, introducing a peer-to-peer NFT exchange mechanism. This development was designed to simplify the process of trading non-fungible tokens and promote interactions among collectors, also allowing users to add WETH to a trade as an added incentive.

The feature operates via Seaport, OpenSea’s proprietary protocol. However, there were conditions attached: only NFTs from verified collections on the same blockchain could be part of such trades. Once a trade is completed successfully, collectors only bear the cost of gas fees. Unlike traditional transactions, these trades exclude standard OpenSea fees or creator royalties.

Despite this advancement, OpenSea has faced criticism. With the NFT market recently facing downturns, several in the crypto community voiced their discontent on platforms like Twitter. Most critics believe OpenSea’s innovative step came too late, emphasizing the current need for value over novelty in the NFT realm.

Yuga Labs to Leave OpenSea

Further complications arose for OpenSea in August, when Yuga Labs, known for its acclaimed NFT series like the Bored Ape Yacht Club, said it was removing all its NFT offerings from OpenSea. This decision followed closely on the heels of OpenSea’s choice to halt creator royalty enforcement.

Royalties for non-fungible tokens represent a set percentage of an NFT’s resale price that goes back to the original creator or owner. This ensures that creators continue to earn from their artworks beyond the initial sale. November 2022 saw the introduction of the Operator Filter, a tool allowing creators to restrict NFT sales to platforms that adhere to creator royalties. This acted as a deterrent for certain platforms, Blur being a prime example, which had surged to the top in the NFT market.

However, on August 17, OpenSea announced plans to deactivate the Operator Filter. They reasoned that there wasn’t unanimous agreement across the ecosystem. They further stated that the feature could be easily bypassed, potentially leading to resistance from the creators themselves.

Daniel Alegre, CEO of Yuga Labs, clarified the company’s position by stating that Yuga Labs would gradually phase out its support for OpenSea’s Seaport, applying this change to both upgradeable contracts and any new collections.
