Theft has become a major issue in the space, especially with so-called “wallet drainer” exploits ripping millions of dollars’ worth of assets from unsuspecting collectors—and there’s no way to reverse those transactions on the blockchain.
When stolen assets are then resold to unsuspecting buyers, that only complicates matters further.
But Web3 builders are working to try and minimize the ability for crypto swindlers to steal and then profit from NFT sales, with top marketplace OpenSea aiming to lead that charge.
Today, the firm revealed a pair of new features designed to both protect users on its platform from inadvertently engaging with scams and prevent thieves from quickly flipping stolen assets.
One solution is aimed at preventing malicious links from appearing on OpenSea’s own platform, either through a project’s description or website icon. The tool automatically scans any links that users entered on the marketplace and disables any that point to known scams, or that redirect clickers to websites with malicious code that could swipe NFTs from someone’s wallet.
On one hand, the tool relies on an expanding blocklist tracking identified exploits. But it also goes one step further by simulating transactions through any wallet connectivity prompts on the linked website, potentially cluing OpenSea’s system into previously unidentified threats.
If a real user interacted with a smart contract—that is, automated code that powers NFTs and decentralized apps (dapps)—behind a purported NFT mint hosted at that external website, for example, what would happen if they sign a transaction? OpenSea is hunting for any contract functions or behaviors that might suggest an attempt to steal assets from users.
“That’s the kind of thing we’re looking for in that simulation,” Anne Fauvre-Willis, OpenSea’s VP of Operations, Marketplace, and Integrity, told Decrypt. “Is this asking for something that is unreasonable to ask for from a third-party site?”
If so, then OpenSea will disable the link and take action against users who shared such links—including banning accounts, removing their created NFT projects, and denying asset transfer requests.
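The two-stage check described above (blocklist first, then inspection of what a simulated wallet prompt asks for) can be sketched as follows. This is an added example, not OpenSea's code: the choice of `setApprovalForAll` as the "unreasonable" request to flag, the function names, and all domains and addresses are assumptions constructed for illustration.

```python
from urllib.parse import urlparse

# First 4 bytes of calldata for setApprovalForAll(address,bool), the ERC-721/ERC-1155
# call that hands an operator control of every token the signer holds in a collection.
SET_APPROVAL_FOR_ALL = "a22cb465"

def on_blocklist(url, blocklist):
    """True if the link's host is a blocklisted domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in blocklist)

def blanket_approval(request, trusted_operators):
    """Return the operator address if the request grants it collection-wide approval."""
    data = request["data"].lower()
    data = data[2:] if data.startswith("0x") else data
    if len(data) != 8 + 128 or data[:8] != SET_APPROVAL_FOR_ALL:
        return None
    operator = "0x" + data[8 + 24:8 + 64]   # address is the low 20 bytes of word 0
    approved = int(data[8 + 64:], 16) != 0  # bool is word 1
    # trusted_operators is assumed to hold lowercase 0x-prefixed addresses
    if approved and operator not in trusted_operators:
        return operator
    return None

def review_link(url, simulated_requests, blocklist, trusted_operators):
    """Decide whether a user-submitted link stays clickable."""
    if on_blocklist(url, blocklist):
        return "disable", ["host is on the blocklist"]
    findings = []
    for req in simulated_requests:
        operator = blanket_approval(req, trusted_operators)
        if operator:
            findings.append(f"asks to approve {operator} for all tokens in {req['to']}")
    return ("disable" if findings else "allow"), findings

def sample_request(collection, operator, approved):
    """Constructed wallet prompt: ABI-encoded setApprovalForAll(operator, approved)."""
    args = operator[2:].lower().rjust(64, "0") + ("1" if approved else "0").rjust(64, "0")
    return {"to": collection, "data": "0x" + SET_APPROVAL_FOR_ALL + args}

if __name__ == "__main__":
    # Constructed addresses and domains, for illustration only.
    collection, unknown = "0x" + "11" * 20, "0x" + "de" * 20
    req = sample_request(collection, unknown, True)
    print(review_link("https://mint.example/claim", [req], {"scam.example"}, set()))
```

A link that passes the blocklist is still disabled here if the prompt it triggers would give an unrecognized address approval over a whole collection, which is how simulation can surface a site the blocklist has not yet caught.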
Detecting theft on OpenSea
OpenSea’s other new theft prevention measure looks beyond the marketplace’s own bounds to try and minimize the fallout after an NFT is successfully stolen. It’s a tool that automatically examines NFT transfers to identify those that may have been swiped through exploits, and temporarily blocks those NFTs from being resold on OpenSea.
Previously, when an NFT was stolen, OpenSea largely relied on the owner to report it, at which point the marketplace would flag it as stolen and block resales. However, by that point, a high-value or “blue chip” NFT had often already been sold to an unwitting buyer, who was then stuck with an asset that they couldn’t move via the platform.
This understandably caused problems with some collectors, particularly those who claimed that the system could be manipulated, or that OpenSea was slow to respond to requests. The marketplace made changes to try and improve that model, including requiring a police report to claim an NFT as stolen—but the new, automatic system attempts to take action much faster.
Fauvre-Willis said that the real-time system—which is in testing and initially rolling out through a limited pilot program—relies both on “a number of industry data sources” and the types of steps taken as the item is transferred between wallets. Furthermore, it considers other actions taken by the wallet around the same time that might suggest malicious activity.
For any traders who worry about an NFT being flagged when they legitimately transfer a newly-purchased asset from one wallet to another, Fauvre-Willis said that OpenSea is thinking about that too. It hopes to keep the number of wrongly flagged assets as low as possible.
“We’re very focused on precision in this bucket rather than breadth,” she explained, saying that the automated system will be gradually trained over the next few months before expanding to all users. “We’re trying to be very careful here about balancing that, and making sure the false positive rate is very low when we do this,” she added.
Whenever an NFT is flagged as potentially stolen, it will be frozen on OpenSea, which means it can’t be resold there. OpenSea will also email the previous owner of the item to check whether it was stolen. The NFT will be unfrozen on OpenSea if the previous owner says it was legitimately transferred, or if seven days pass without a response.
Just because OpenSea flags an NFT on its platform doesn’t mean that the blockchain asset is frozen everywhere, however: the current holder could always sell it on another marketplace that doesn’t have such restrictions.
That said, Fauvre-Willis hopes to share OpenSea’s findings with other platforms in the future as the tech matures, potentially leading to similar anti-theft implementations elsewhere.
OpenSea took flak for its earlier stolen NFT policies, particularly as buyers who unwittingly purchased a swiped NFT had to deal with the hassle of having it frozen on the platform. An automated system could add some curveballs to the mix as it’s being tested, but OpenSea’s hope is that it will ultimately result in fewer such sales of stolen NFTs.
The $13.3 billion startup is making other notable attempts to stymie thieves and prevent sales of fraudulent NFTs. OpenSea is working with the makers of wallets like MetaMask and Coinbase Wallet to share information and best practices on combating scams, plus its copymint system has been upgraded to detect and purge copycat NFTs within seconds of minting.
Fauvre-Willis admitted that “things around trust and safety are never over,” and there’s sure to be constant need for evolution and new solutions as crypto scammers tap new and ever more sophisticated exploits. But these are all still steps towards a more secure and reliable Web3 user experience, she suggested.
“We do feel perhaps differently than other marketplaces. It’s important that we follow the law, and it’s important that we make this space safer overall,” said Fauvre-Willis. “In the long run, I frankly think we can’t expect the space to grow and expand adoption if we don’t make these investments.”