Illustration by Alex Castro / The Verge

On Saturday attackers stole hundreds of NFTs from OpenSea users, causing a late-night panic among the site's broad user base. A spreadsheet compiled by the blockchain security service was used to calculate the number of stolen token from Decentraland and Bored Ape Yacht Club.

The majority of the attacks took place between 5PM and 8PM. The value of the stolen token was estimated by Molly White, who runs the website Web3 is Going Great.

“They all have valid signatures”

The Wyvern Protocol is an open-source standard that underlies most NFT smart contracts. The first part of the attack was a partial contract with a general authorization and large portions left blank. The attackers completed the contract with a call to their own contract, which transferred ownership of the NFTs without payment. The attackers filled in the rest of the check after the targets signed a blank check.

The user, who goes by Neso, said that they all have valid signatures from people who lost NFTs.

OpenSea has become one of the most valuable companies of the NFT boom because of its simple interface for users to list, browse, and bid on token without interacting directly with the blockchain. The company has struggled with security issues as attackers have used old contracts or poisoned token to steal users' valuable holdings.

OpenSea has denied that the attack was the result of the new contracts it was updating. The relatively small number of targets makes such a vulnerability unlikely, since any flaw in the broader platform would likely be exploited on a much larger scale.

The method attackers used to get targets to sign the half-empty contract remains unclear. The attacks had not come from OpenSea's website, its various listing systems, or any emails from the company, according to the CEO. The rapid pace of the attack suggests a common attack, but so far no link has been found.

We will keep you updated as we learn more about the attack.

Emma contributed to the reporting.