{"id":17970288,"url":"https://github.com/fulldecent/opensea-shared-storefront-backdoor","last_synced_at":"2025-06-20T10:10:27.073Z","repository":{"id":62838989,"uuid":"561915351","full_name":"fulldecent/opensea-shared-storefront-backdoor","owner":"fulldecent","description":"Demonstration of a backdoor in OpenSea Shared Storefront","archived":false,"fork":false,"pushed_at":"2023-04-06T21:44:22.000Z","size":57,"stargazers_count":30,"open_issues_count":0,"forks_count":2,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-04-05T17:01:41.000Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fulldecent.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-11-04T19:37:31.000Z","updated_at":"2023-06-21T21:19:31.000Z","dependencies_parsed_at":"2024-10-29T15:23:03.588Z","dependency_job_id":null,"html_url":"https://github.com/fulldecent/opensea-shared-storefront-backdoor","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/fulldecent/opensea-shared-storefront-backdoor","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fulldecent%2Fopensea-shared-storefront-backdoor","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fulldecent%2Fopensea-shared-storefront-backdoor/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fulldecent%2Fopensea-shared-storefront-backdoor/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fulldecent%2Fopensea-shared-storefront-backdoor/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fulldecent","download_url":"https://codeload.github.com/fulldecent/opensea-shared-storefront-backdoor/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fulldecent%2Fopensea-shared-storefront-backdoor/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":260924535,"owners_count":23083524,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-29T15:02:46.764Z","updated_at":"2025-06-20T10:10:22.059Z","avatar_url":"https://github.com/fulldecent.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# OpenSea Shared Storefront Backdoor Demo\n\nThis project demonstrates how OpenSea administrators can take any tokens minted on the OpenSea Shared Storefront. This is a previously-undocumented backdoor.\n\n## Background\n\nOpenSea Shared Storefront is an [ERC-1155](https://eips.ethereum.org/EIPS/eip-1155) contract deployed on Ethereum Mainnet at 0x495f947276749ce646f68ac8c248420045cb7b5e. The contract supports an OpenSea service where artists can sell NFTs without incurring gas fees. \n\nThere [are about 1 million transactions](https://etherscan.io/txs?a=0x495f947276749ce646f68ac8c248420045cb7b5e) against this contract.\n\nOpenSea administrators maintain control such that they can take, or freeze, NFTs created with this contract at any time. The contract's source code is not published and this control ability is not disclosed anywhere in OpenSea's terms of service or documentation.\n\nOpenSea's level of control should be considered \"signature authority\" over the relevant assets. For US FinCen purposes, and other government bodies in the markets where OpenSea operates, this makes OpenSea administrators capable of executing civil asset seizures/forfeitures.\n\nFor more information about the potential implications, see [the full blog post](https://blog.phor.net/2022/11/04/Does-OpenSea-Shared-Storefront-have-a-backdoor.html).\n\n## Demonstration\n\nThis project allows you to make a live copy of Ethereum Mainnet, execute some transactions as if you were OpenSea (even though you don't know their private key) and examine the outcomes.\n\n### Setup\n\n1. Install Yarn.\n   ```sh\n   yarn install\n   ```\n\n2. Get access to an Ethereum Mainnet JSON-RPC provider, I recommend Infura.\n\n   \u003e https://infura.io/\n\n3. Find some specific NFT for sale inside OpenSea Shared Storefront and get its ID. [The demonstration uses](./index.mjs) `103964089402971035322194754460519211901162239038652937872902470904772294606849`, change it if you like.\n\n4. Find the owner of that NFT. [The demonstration uses](./index.mjs)  `0x6acdfba02d390b97ac2b2d42a63e85293bcc160e`, change it if you like or if anybody else receives the NFT from Step 3.\n\n### Execute\n\nIn one terminal window, execute Hardhat per below. This will allow you to locally try transactions on behalf of OpenSea administrators even though you don't know their private keys.\n\n```sh\nnpx hardhat node --fork https://mainnet.infura.io/v3/xxxxYOURxKEYxxxx --fork-block-number 13558931\n```\n\nor to fork from the latest block:\n\n```sh\nnpx hardhat node --fork https://mainnet.infura.io/v3/xxxxYOURxKEYxxxx\n```\n\nIn a second terminal window, execute the demonstration transactions:\n\n```sh\nnode index.mjs\n```\n\nYou should see some information printed, the current and new owner for the token and logs for the transfer. This demonstrates that the token was transferred.\n\nExample output:\n\n```\nStorefront (ERC-1155): 0x495f947276749ce646f68ac8c248420045cb7b5e\nContract backdoor:     0x5b3256965e7C3cF26E11FCAf296DfC8807C01073\nToken ID:              103964089402971035322194754460519211901162239038652937872902470904772294606849\nToken owner:           0x6acdfba02d390b97ac2b2d42a63e85293bcc160e\nProxy registry stub:   0x37197C9B145CCB73bEa78Ac92a31A49369F8Ed84\nSender balance:        1\nRecipient balance:     0\nTransaction hash:      0xcdf29153f1a77f24488e46da812dbdfa44ac50d3025632ffac9900ba94486e3d\nTransaction logs:      [\n  {\n    transactionIndex: 0,\n    blockNumber: 13558937,\n    transactionHash: '0xcdf29153f1a77f24488e46da812dbdfa44ac50d3025632ffac9900ba94486e3d',\n    address: '0x495f947276749Ce646f68AC8c248420045cb7b5e',\n    topics: [\n      '0xc3d58168c5ae7397731d063d5bbf3d657854427343f4c083240f7aacaa2d0f62',\n      '0x0000000000000000000000005b3256965e7c3cf26e11fcaf296dfc8807c01073',\n      '0x0000000000000000000000006acdfba02d390b97ac2b2d42a63e85293bcc160e',\n      '0x000000000000000000000000aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'\n    ],\n    data: '0xe5d996dea423cd8af960ea39aed17c23f1bc3f530000000000000500000000010000000000000000000000000000000000000000000000000000000000000001',\n    logIndex: 0,\n    blockHash: '0xf0f3f782a75a3c04a2e14d64d730e2c2789f283112c67f85521c2a000ba899a0'\n  }\n]\nSender balance:        0\nRecipient balance:     1\n```\n\nIf OpenSea administrators run this same transaction with their real private key on the Mainnet network then this token would be transferred for real. (What you are seeing is a local copy of this transaction which ignores the fact that it is invalid for want of the correct private key.)\n\nThe above is a brief simplification. OpenSea Shared Storefront administration privilege has recently changed from a single owner to a [Gnosis safe](https://gnosis.io/safe/). No difference, to execute this transaction OpenSea administrators need to use only a slightly different process.\n\n### Debugging\n\nFeel free to hack and try other things with this project. I learned about OpenSea Shared Storefront by decompiling it, printing in a word processor and using highlighters. Another helpful technique is to inspect transaction storage access and internal calls. To try that you can use a third terminal to run:\n\n```sh\nnpx hardhat trace --fulltrace --rpc http://127.0.0.1:8545/ --hash 0xxxxxYOURxTRANSACTIONxHASHxxxx \n```\n\n### So what about OFAC/SDN compliance?\n\nSee [the full blog post](https://blog.phor.net/2022/11/04/Does-OpenSea-Shared-Storefront-have-a-backdoor.html), which mentions this.\n\n## Acknowledgements\n\n- Contract decompilation (easier than reading straight bytecode) provided by https://ethervm.io/decompile.\n- Tracing each `SLOAD` and `STATICCALL` while playing with contracts provided by [@sohamzemse](https://twitter.com/sohamzemse) in [hardhat-tracer](https://github.com/zemse/hardhat-tracer), running on [@HardhatHQ](https://twitter.com/HardhatHQ) [Hardhat](https://hardhat.org/).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffulldecent%2Fopensea-shared-storefront-backdoor","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffulldecent%2Fopensea-shared-storefront-backdoor","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffulldecent%2Fopensea-shared-storefront-backdoor/lists"}