For a vulnerability to qualify for this asset, it needs to be in one of the core smart contracts powering OpenSea's marketplace and provide a means for an attacker to steal value from OpenSea users with zero interaction required on their part (i.e. phishing does not qualify).
- On Ethereum
  - OpenSea: Wyvern Exchange V2: `0x7f268357a8c2552623316e2562d90e642bb538e5`
  - OpenSea Proxy Registry: `0xa5409ec958C83C3f309868babACA7c86DCB077c1`
  - The Wrapped Ether Contract: `0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2`
- On Polygon
  - Contract address: `0xfede379e48c873c75f3cc0c81f7c784ad730a8f7`
  - Fee wrapper address: `0xf715beb51ec8f63317d66f491e37e7bb048fcc2d`
- On Klaytn
  - Contract address: `0xc109f40f688eb75711f51dac0b759957fe7d8ec7`
  - Fee Wrapper Address: `0x41cff281b578f4cf45515d6e4efd535e47e76efd`
- On Solana
  - Metaplex Auction House program address: `hausS13jsjafwWwGqZTUQRmWyvyxn9EQpqMwV1PBBmk`
  - Metaplex Metadata Contract program address: `metaqbxxUerdq28cj1RbAWkYQm3ybzjb6a8bt518x1s`
**Exclusions**:
* Orders and transactions initiated and validated on opensea.io; these are covered by the opensea.io asset
* Phishing or any user-interaction-style attacks
* Any attack that requires a user to interact with a contract from an attacker-controlled website
**Explicitly**: this covers vulnerabilities that are purely executed on chain against the in-scope contracts.
See the current deployments [here](https://github.com/ProjectOpenSea/seaport#deployments). Currently the addresses are:
* SeaPort: [0x00000000006c3852cbEf3e08E8dF289169EdE581](https://etherscan.io/address/0x00000000006c3852cbEf3e08E8dF289169EdE581)
* ConduitController: [0x00000000F9490004C11Cef243f5400493c00Ad63](https://etherscan.io/address/0x00000000F9490004C11Cef243f5400493c00Ad63)
* OpenSea's Conduit: [0x1e0049783f008a0085193e00003d00cd54003c71](https://etherscan.io/address/0x1e0049783f008a0085193e00003d00cd54003c71)
**Fee Collector Smart Contract**
**Exclusions**:
* Phishing or any user-interaction-style attacks
* Any attack that requires a user to interact with a contract from an attacker-controlled website
**Explicitly**: this covers vulnerabilities that are purely executed on chain against the in-scope contracts.
* Seadrop: [0x00005EA00Ac477B1030CE78506496e8C2dE24bf5](https://etherscan.io/address/0x00005EA00Ac477B1030CE78506496e8C2dE24bf5)
* Fee Collector: [0x0000a26b00c1F0DF003000390027140000fAa719](https://etherscan.io/address/0x0000a26b00c1F0DF003000390027140000fAa719)
- On Polygon
  - Contract address: [`0xfede379e48c873c75f3cc0c81f7c784ad730a8f7`](https://polygonscan.com/address/0xfede379e48c873c75f3cc0c81f7c784ad730a8f7)
  - Fee wrapper address: [`0xf715beb51ec8f63317d66f491e37e7bb048fcc2d`](https://polygonscan.com/address/0xf715beb51ec8f63317d66f491e37e7bb048fcc2d)
- On Klaytn
  - Contract address: [`0xc109f40f688eb75711f51dac0b759957fe7d8ec7`](https://scope.klaytn.com/account/0xc109f40f688eb75711f51dac0b759957fe7d8ec7)
  - Fee Wrapper Address: [`0x41cff281b578f4cf45515d6e4efd535e47e76efd`](https://scope.klaytn.com/account/0x41cff281b578f4cf45515d6e4efd535e47e76efd)
**Exclusions**:
* Phishing or any user-interaction-style attacks
* Any attack that requires a user to interact with a contract from an attacker-controlled website
**Explicitly**: this covers vulnerabilities that are purely executed on chain against the in-scope contracts.
* Seadrop: [0x00005EA00Ac477B1030CE78506496e8C2dE24bf5](https://etherscan.io/address/0x00005EA00Ac477B1030CE78506496e8C2dE24bf5)
**Exclusions**:
* Orders and transactions initiated and validated on opensea.io are covered by the opensea.io asset
* Phishing or any user-interaction-style attacks
* Any attack that requires a user to interact with a contract from an attacker-controlled website
* Seaport 1.2 ([0x00000000000006c7676171937C444f6BDe3D6282](https://etherscan.io/address/0x00000000000006c7676171937C444f6BDe3D6282)) and 1.3 ([0x0000000000000aD24e80fd803C6ac37206a45f15](https://etherscan.io/address/0x0000000000000aD24e80fd803C6ac37206a45f15)) are out of scope.
**Explicitly**: this covers vulnerabilities that are purely executed on chain against the in-scope contracts.
See the current deployments [here](https://github.com/ProjectOpenSea/seaport#deployments). Currently the addresses are:
* Seaport:
  * 1.1: [0x00000000006c3852cbEf3e08E8dF289169EdE581](https://etherscan.io/address/0x00000000006c3852cbEf3e08E8dF289169EdE581)
  * 1.4: [0x00000000000001ad428e4906aE43D8F9852d0dD6](https://etherscan.io/address/0x00000000000001ad428e4906aE43D8F9852d0dD6)
* ConduitController: [0x00000000F9490004C11Cef243f5400493c00Ad63](https://etherscan.io/address/0x00000000F9490004C11Cef243f5400493c00Ad63)
* OpenSea's Conduit: [0x1e0049783f008a0085193e00003d00cd54003c71](https://etherscan.io/address/0x1e0049783f008a0085193e00003d00cd54003c71)
Official OpenSea Apple App Store app. The app can be found [here](https://apps.apple.com/us/app/opensea-nft-marketplace/id1582861796).
**Exclusions**:
* Attacks that assume a malicious wallet app
* Attacks that require a rooted device
* Apps found anywhere besides the Google Play Store
This asset is the official OpenSea Android app that is found on the [Google Play Store](https://play.google.com/store/apps/details?id=io.opensea): io.opensea
**Exclusions**:
* Attacks that assume a malicious wallet app
* Attacks that require a rooted device
* Apps found anywhere besides the Google Play Store
**Seadrop Smart Contract**
**Exclusions:**
- Phishing or any user-interaction-style attacks
- Any attack that requires a user to interact with a contract from an attacker-controlled website
**Explicitly:** this covers vulnerabilities that are purely executed on chain against the in-scope contracts.
Broken link reports are in scope only when they meet all of the following conditions.
* They must be on OpenSea curated content, including but not limited to OpenSea's blog and Learning Center.
* They must be able to be taken over.
* A proof of concept is required.
* Specifically out of scope:
  * Employee personal blogs
  * All user-generated content, including but not limited to creator-controlled links
  * Username takeover of tagged social media accounts