OpenSea Marketplace is undoubtedly one of the leading marketplaces for buying and selling NFTs. The marketplace recorded $3.4 billion in transaction volume in a single month (August 2021). In short, it is one of the largest NFT marketplaces in the world. However, that doesn’t mean it’s perfect, and with the explosion of the NFT industry, security flaws began to surface.
Recently, many users complained that the contents of their digital wallets had disappeared, leaving collectors with thousands of dollars worth of NFTs lost. The attack began when a user opened a free gift, an OpenSea artwork, received from a stranger.
Reports said that whenever a user opened such a link, they lost all their cryptocurrency.
After multiple complaints regarding OpenSea, several security firms started investigating this potential exploit.
Moreover, they tried recreating it in order to find a fix. Recently, Check Point Research (CPR) identified the critical security flaw in OpenSea and disclosed it to OpenSea. CPR also described the exploitation methodology:
- Hacker creates and gifts a malicious NFT to a target victim.
- Victim views the malicious NFT, triggering a pop-up from OpenSea’s storage domain requesting a connection to the victim’s cryptocurrency wallet (such pop-ups are common on the platform during various other activities).
- Victim clicks to connect their wallet in order to act on the gifted NFT, thus enabling access to the victim’s wallet.
- Hackers can obtain the money in the wallet by triggering an additional pop-up, which is also sent from OpenSea’s storage domain. The user may click on the pop-up if they do not notice the note in the pop-up describing the transaction.
- The end result could be theft of a user’s entire cryptocurrency wallet.
Fortunately, OpenSea soon patched the exploit, further hardening the platform against similar exploits in the future. However, CPR has advised that users must be careful when receiving requests to sign with their wallets online. Moreover, as a basic rule, users should carefully review what is being requested and consider whether the request is abnormal or suspicious.