There's a saying among crypto enthusiasts that "code is law." It's a good shorthand for the whole project, which aims to replace institutions with a decentralized, peer-to-peer network. So instead of trusting a bank or a stock exchange, they argue, you trust the code.
This is really the main selling point of crypto: cutting out the middleman in favor of smart contracts on the blockchain, and the blockchain is really just code for coordinating transactions. It's trustless, immutable, and perfect, at least according to its champions.
But the blockchain isn't perfect, let alone immune to manipulation, and the crypto community experienced this firsthand this week as a major cybercrime rocked the NFT world.
NFTs (or non-fungible tokens) are one-of-a-kind digital assets often attached to images or works of art. In the past few years, a multi-billion-dollar online marketplace has emerged to facilitate buying and selling them, with celebrities and crypto-nerds alike diving into the space.
An illustration picture taken in London on December 30, 2021, shows an NFT (Non-Fungible Token) created by Nigerian digital artist FreddieJacobArt named "Oghenerukevwe" on Opensea NFT marketplace, displayed on a phone and Binance NFT marketplace displayed on a computer screen. Non-fungible tokens or NFTs are cryptographic assets stored on a blockchain with unique identification metadata that distinguish them from each other. (Photo by JUSTIN TALLIS/AFP via Getty Images)
Over the weekend, a still-unidentified attacker was able to steal 254 tokens from 17 traders who held their NFTs on the OpenSea marketplace, the biggest platform in the space. The highest-value tokens were then resold on OpenSea and other NFT marketplaces in a flurry of transactions that took place in the brief period before the thefts were discovered.
As news of the attack spread, investors started withdrawing their NFTs from OpenSea. Seven-day trading volume on the site is currently down more than 20 percent, according to crypto data tracker DappRadar, while the total value of assets on the site is down 98 percent.
The full impact of the thefts could take weeks to understand, but even firm believers in the value of NFTs are noting how the attack and cybercrimes in general expose the limits of the "code is law" ethos, as they call for greater protection in the largely unregulated marketplace.
"This would not be a problem if marketplaces invested much more in security operations," said Twitter user Alabaster Jefferson, who lost two NFTs in the attack and wished to remain anonymous out of fear of online harassment. "This rarely happens on stock exchanges, even though those operations do have long-term, good-to-close orders. It doesn't happen on eBay."
Cracks in the Code
While the details of the thefts are technical and still partly unknown, many experts agree that the scammer took advantage of weaknesses in OpenSea's smart contracts with NFT holders.
According to this narrative, the attack took advantage of a flaw in an older version of the open-source smart contract that OpenSea uses to transact with NFT holders. Essentially, the scammer used what technically were valid signatures (which are a sort of digital ID tag that NFT owners use to prove ownership) to execute a series of buy orders from OpenSea.
To put it in layman's terms, imagine a storage facility where people can enter and exit as they please, as long as they have the proper keys. The attacker in this case had the keys, and OpenSea, which was essentially holding the NFTs in escrow, let them walk right in.
Later versions of this smart contract, called the Wyvern Protocol, are supposed to make this impossible, but OpenSea was still in the process of updating its contracts. Indeed, the timing of the hack appears connected to the fact that OpenSea would complete the update this week.
Where things get complicated is how the attacker obtained the signatures in the first place, which again, according to the blockchain, were completely valid. OpenSea has stated multiple times that the attacker targeted individual NFT holders with phishing emails — a fairly old-school form of fraud involving tricking someone to reveal sensitive information via email.
This explanation is entirely plausible, according to several crypto experts, but some in the NFT community have pushed back against the idea that they were simply duped.
Alabaster Jefferson, who was one of the first victims to bring attention to the scam on Twitter Saturday night, said that he did not receive a phishing email, and that he thinks that explanation unfairly places the responsibility on NFT owners rather than on OpenSea.
"OpenSea has been doing a lot to make us look stupid," he said. "They're not even countering the rumor that we all clicked on a phishing email. I sent the only email that I received from OpenSea back to OpenSea's security team, and they validated that it was from them."
He noted that OpenSea has been more proactive on the back-end, reaching out to victims directly and working with them to figure out what happened. OpenSea denied requests for an interview, and instead directed me to a series of official Twitter threads.
Jefferson said the attacker likely got the signatures from a minting site, which is where NFT creators exchange cryptocurrencies such as Ethereum for tokens. He added that he has spoken with the other victims and they've narrowed it down to three popular sites that all of them had used recently, but that he didn't want to share their names until he was more certain.
In that case, the attack would point to a broader security problem in the NFT space, beginning with the minting process and extending all the way to smart contracts used for sales.
"It's a problem because the NFT space right now has infinite trust that the blockchain is immutable and perfect, and what we're seeing again and again is that very smart people, because of how lucrative this is, are taking advantage of how poorly structured smart contracts can be," said Jefferson. "There's very little investment in the security of smart contracts."
Others in the decentralized finance space are more inclined to give OpenSea the benefit of the doubt. Twitter user charliemarketplace.eth, one of several blockchain sleuths who spent the last week poring over the data to see what happened and who also wished to remain anonymous, told Cheddar that the company was just following the protocol.
"I don't think OpenSea is that much to blame because I think at the end of the day you have to make trust assumptions when you're building a multi-billion dollar marketplace, and one of the assumptions they clearly relied on was, 'valid transaction signatures are valid.' If the person signed it, they meant to sign it. That was one of their trust assumptions."
He added that the best way to prevent these kinds of attacks in the future is by creating better contracts, which is another way of framing the widely held belief in the defi space that code or the blockchain specifically is a sufficient replacement for more robust rules and regulations.
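The explanation above describes the attack as valid signatures being used to execute orders, and the trust assumption quoted as "valid transaction signatures are valid." The following is an added illustration, not OpenSea or Wyvern code, of why a signature check alone cannot distinguish an order the maker meant to sign from one obtained by trickery, and of the extra bindings (contract address, expiry, per-maker nonce) that limit what a leaked signature can do. HMAC-SHA256 stands in for Ethereum's ECDSA so it runs with the standard library only; the addresses, key, and contract names are constructed placeholders.

```python
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import asdict, dataclass

# Stand-in for the maker's signing key (constructed). With real ECDSA the
# verifier would recover the maker's address from the signature instead of
# holding a shared secret; the checks below do not depend on that detail.
SIGNING_KEYS = {"0xAlice": b"constructed-demo-key-alice"}

OLD_EXCHANGE = "0xExchangeV1"  # placeholder for an older contract version
NEW_EXCHANGE = "0xExchangeV2"  # placeholder for its replacement


@dataclass(frozen=True)
class Order:
    maker: str      # seller address (constructed sample)
    token_id: int
    price_wei: int
    nonce: int      # per-maker counter; raising it retires all older orders
    expiry: int     # unix timestamp after which the order is dead
    exchange: str   # the only contract allowed to settle this order


def order_digest(order: Order) -> bytes:
    """Canonical hash over every field, so the signature covers all of them."""
    payload = json.dumps(asdict(order), sort_keys=True).encode()
    return hashlib.sha256(payload).digest()


def sign_order(order: Order, key: bytes) -> str:
    """Maker signs the digest (HMAC stands in for an ECDSA signature here)."""
    return hmac.new(key, order_digest(order), hashlib.sha256).hexdigest()


def signature_valid(order: Order, sig: str) -> bool:
    """True if sig is a genuine signature by order.maker over this exact order."""
    key = SIGNING_KEYS.get(order.maker)
    if key is None:
        return False
    expected = hmac.new(key, order_digest(order), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


def settle_naive(order: Order, sig: str) -> bool:
    """Checks only that the signature is genuine. A signature phished from
    the maker passes exactly like one they intended, and keeps passing for
    as long as the maker still holds the token."""
    return signature_valid(order, sig)


def settle_hardened(order: Order, sig: str, *, now: int, exchange: str,
                    nonces: dict[str, int]) -> tuple[bool, str]:
    """Same signature check, plus bindings that bound a leaked signature:
    it only works on the contract it was signed for, only until it expires,
    and only until the maker bumps their nonce."""
    if not signature_valid(order, sig):
        return False, "bad signature"
    if order.exchange != exchange:
        return False, "signed for a different contract"
    if now > order.expiry:
        return False, "order expired"
    if order.nonce < nonces.get(order.maker, 0):
        return False, "order cancelled by nonce bump"
    return True, "ok"


if __name__ == "__main__":
    order = Order("0xAlice", 7, 10**18, 0, 1_700_000_000, OLD_EXCHANGE)
    sig = sign_order(order, SIGNING_KEYS["0xAlice"])
    print("naive:", settle_naive(order, sig))
    print("hardened, new contract:",
          settle_hardened(order, sig, now=1_699_999_000,
                          exchange=NEW_EXCHANGE, nonces={}))
```

The nonce and contract binding are the two checks that matter for a platform migration like the one described: an order signed for the old contract cannot be settled by the new one, and a maker who suspects a leaked signature can retire every outstanding order with a single nonce bump rather than cancelling them one by one.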
But for those looking for relief from a cyber attack, better code is already too late.
Code Is Lawless
However the attack happened, victims are now looking to be made whole again, and they argue OpenSea is in the best position to make that happen. Making matters more complicated, many of the stolen tokens were resold, which means innocent buyers are now holding stolen assets. In any other marketplace, they would be legally obligated to return them.
This is the conundrum facing Jefferson and other victims as they try to recover their tokens.
"I personally reached out to the people who bought my stolen NFTs, and they're willing to give them back to me if OpenSea will compensate them for what they paid the scammer, but OpenSea has been very tight-lipped about whether they're going to cover those costs," he said.
In the meantime, other NFT marketplaces have stepped up. Mintable, for instance, bought three stolen tokens from the LooksRare platform and returned them to their owners.
"This exploit was possible because of a bug on OpenSea, and if OpenSea isn't going to make it right, someone has to," said Zach Burks, CEO of Mintable, in a statement. "For some of these people, all their net worth is tied up in their NFTs and it's horrible to have them stolen."
Critics of the NFT market have pointed out that this kind of haphazard response to a major financial crime wouldn't fly in any other industry, and that in the long-run it undercuts the idea that NFTs and crypto in general could ever be adopted on a mass scale.
"The idea that we're going to have mass adoption of these platforms and the blockchain seems unlikely to me when the average person is unable to conduct the level of due diligence that [defi proponents] are expecting you to conduct," said Mike Burgersburg, who writes the Dirty Bubble Media substack, which takes a critical view of the crypto economy.
He noted that many of the victims in the OpenSea attack are highly sophisticated actors. (Jefferson, for example, is a product manager for a fintech company.) For less savvy entrants, the risks are even greater, and the incentives for getting involved in the first place even lower.
"If you want to play these games and live in that world, then you can't expect the vast majority of people to want to use your platform," he said.
John Reed Stark, a legal consultant and former SEC prosecutor who is an outspoken crypto critic, said the OpenSea exploit and other financial crimes in the crypto space should put to bed the idea that crypto can exist without trusted middlemen or clear regulations. As cybercrimes become more common, he said there will be increasing pressure, not just from regulators, but from investors themselves to create systems of accountability and protection.
"What investor on this planet doesn't want regulation?" he said. "There's a reason why if you want to buy art or a timepiece — where authenticity is so important — Sotheby's and the other auction houses are so important, because they guarantee the authenticity."
In other words, "code is law" might become a tougher sell as more investors sink their money into crypto, and seek assurances they won't lose their shirt — at least not by theft. "Code can be manipulated by a coder," Stark said. "It's like having a statute book and being able to change it."