Posted on October 14, 2021 at 11:46 AM
OpenSea, the largest non-fungible token (NFT) marketplace, had a vulnerability that attackers could have exploited to steal from user wallets. According to researchers, an attacker could drain funds using a specially crafted token, a new attack vector for the platform.
The vulnerability has since been patched, but users had already reported losses. Check Point Research, a cybersecurity firm, began investigating the platform after several users reported on Twitter that their cryptocurrency wallets had been drained after they received free NFT airdrops on the marketplace.
Vulnerability on OpenSea
Non-fungible tokens are unique digital assets. NFTs take many forms, most commonly photos, videos, audio and other artworks hosted on digital platforms. Unlike physical assets, NFTs are bought and sold on a blockchain, and it is the blockchain record that establishes a token's ownership and provenance.
Demand for NFTs has been high this year, and OpenSea is the largest player in the sector: in August the platform recorded a transaction volume of $3.4 billion. Because NFTs are new to the crypto sector and largely unregulated, they are an attractive target for attackers looking to steal from users.
In the recent OpenSea case, the attack relied on sending a malicious NFT to users. The NFT was disguised as a free airdrop reward to lure the recipient into clicking a link it carried. Those who clicked the link exposed their crypto wallets to the attackers, who then compromised them.
The link opened a page that, through the user's third-party wallet provider, prompted for a wallet connection and then a signature. A signature granted on that prompt authorized a transaction from the victim's wallet, which the attacker could then use to act on it and drain its funds.
“Users should be hyper-aware of what they sign on OpenSea, as well as other NFT platforms, and whether it correlated with expected actions,” the Check Point researchers stated.
OpenSea Patches Vulnerability
As soon as Check Point confirmed the vulnerability, it alerted OpenSea, which responded with a patch. The marketplace stated that it had not detected any in-the-wild exploitation of the vulnerability. It further noted that it had worked with third-party wallet providers to help users distinguish genuine signature requests from malicious ones.
OpenSea also published several recommendations to help users avoid being scammed on such platforms and to recognise the phishing tactics these attackers use.
The Head of Products Vulnerabilities Research at Check Point, Oded Vanunu, spoke of this development stating, “Blockchain innovation is fast-underway, and NFTs are here to stay. Given the sheer pace of innovation, there is an inherent challenge in securely integrating software applications and crypto markets. Bad actors know they have an open window right now to take advantage of, with consumer adoption spiking, while security measures in this space still need to catch up.”
Check Point likewise gave recommendations to help users avoid similar attacks in the future. The firm urged users to be vigilant when operating their accounts on OpenSea and other NFT marketplaces, and to check whether what a platform asks of them matches what they would normally expect for the action they are taking.
In this case, after clicking the malicious image the attacker had sent, victims were asked to connect their wallet and sign a request. That is not how OpenSea's own flow for purchasing items and making offers works, so the request did not match any action the user had actually initiated.
The lure was convincing because the page that generated the signing request was served from an OpenSea domain. Once the attacker obtained the signature, they could identify the wallet address and draw on its balance.
Users are also reminded that OpenSea does not request wallet approval to view items and does not direct users to third-party links. A request for wallet approval while simply viewing an item, or a prompt to follow a third-party link, should be treated as highly suspicious.
Check Point also urged users to be careful with any online request to sign with their wallet. Before completing it, consider whether it is genuine or suspicious; if in doubt, cancel the request and investigate further.
OpenSea's high transaction volume makes the platform a prime target for threat actors after user wallets, so its users should follow the recommendations Check Point has provided.
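The attack flow described earlier (a page behind the lure asks the wallet to connect and sign) and Check Point's advice to compare every wallet request with the action the user actually intended can be turned into a concrete check. The following is an added JavaScript example and is not code from Check Point, OpenSea or any wallet provider. It assumes the page-to-wallet calls use the EIP-1193 `{ method, params }` request shape and MetaMask-style JSON-RPC method names, that the 4-byte selectors are the standard ERC-20/ERC-721 ones, and that the `EXPECTED_METHODS` map (which wallet methods a "view", "connect" or "purchase" action may legitimately need) is an assumption made for the example. The sample requests at the bottom are constructed, not captured traffic.

```javascript
// Added example, not Check Point's, OpenSea's or any wallet vendor's code.
// A web page talks to a browser wallet through EIP-1193 requests of the form
// { method, params }. The article's rule: a request is only acceptable if it
// matches what the user was trying to do. Viewing an NFT should trigger no
// wallet interaction at all; buying one legitimately does.

// 4-byte function selectors (first 4 bytes of keccak256 of the signature) of
// the standard ERC-20/ERC-721 calls that hand assets or approval to another address.
const DANGEROUS_SELECTORS = {
  "0xa22cb465": "setApprovalForAll(address,bool)",
  "0x095ea7b3": "approve(address,uint256)",
  "0x23b872dd": "transferFrom(address,address,uint256)",
  "0x42842e0e": "safeTransferFrom(address,address,uint256)",
  "0xb88d4fde": "safeTransferFrom(address,address,uint256,bytes)",
  "0xa9059cbb": "transfer(address,uint256)",
};

// Which wallet methods each user action is expected to need. This map is an
// assumption for the example; a real marketplace would derive it from its own flow.
const EXPECTED_METHODS = {
  view: new Set(), // viewing an item needs no wallet prompt at all
  connect: new Set(["eth_requestAccounts"]),
  purchase: new Set(["eth_requestAccounts", "eth_sendTransaction", "eth_signTypedData_v4"]),
};

// Classify one wallet request against the action the user believes they are taking.
// Returns { risk: "expected" | "suspicious", method, reasons }.
function triageWalletRequest(req, expectedAction) {
  const allowed = EXPECTED_METHODS[expectedAction] || new Set();
  const reasons = [];

  // eth_sign signs an arbitrary 32-byte hash: the wallet cannot show what is authorised.
  if (req.method === "eth_sign") {
    reasons.push("eth_sign is a blind signature over an opaque hash");
  }

  // For a transaction, look at the calldata selector and name dangerous calls.
  if (req.method === "eth_sendTransaction" && Array.isArray(req.params) && req.params[0]) {
    const data = String(req.params[0].data || "0x").toLowerCase();
    const selector = data.slice(0, 10);
    if (DANGEROUS_SELECTORS[selector]) {
      reasons.push(`calldata calls ${DANGEROUS_SELECTORS[selector]}`);
    }
  }

  // The page origin is deliberately NOT used as a trust signal: in the OpenSea
  // case the prompt came from an OpenSea domain, so the method/action mismatch
  // is what gives the lure away.
  if (!allowed.has(req.method)) {
    reasons.push(`${req.method} is not expected while the user is trying to "${expectedAction}"`);
  }

  return { risk: reasons.length ? "suspicious" : "expected", method: req.method, reasons };
}

// Constructed sample requests (hypothetical addresses, not captured traffic).
// The first two mimic the airdrop lure: the user only wanted to view the NFT.
const VICTIM = "0x" + "11".repeat(20);
const ATTACKER_OPERATOR = "0x" + "22".repeat(20);
const NFT_CONTRACT = "0x" + "33".repeat(20);
// setApprovalForAll(attackerOperator, true): selector + 32-byte address + 32-byte bool
const SET_APPROVAL_FOR_ALL =
  "0xa22cb465" + ATTACKER_OPERATOR.slice(2).padStart(64, "0") + "1".padStart(64, "0");

const SAMPLE_REQUESTS = [
  { action: "view", req: { method: "eth_requestAccounts", params: [] } },
  { action: "view", req: { method: "eth_sendTransaction", params: [{ from: VICTIM, to: NFT_CONTRACT, data: SET_APPROVAL_FOR_ALL }] } },
  { action: "purchase", req: { method: "eth_sign", params: [VICTIM, "0x" + "ab".repeat(32)] } },
  { action: "purchase", req: { method: "eth_sendTransaction", params: [{ from: VICTIM, to: NFT_CONTRACT, value: "0x2386f26fc10000", data: "0x" }] } },
];

// Run the triage over the samples and return the verdicts in order.
function triageSamples() {
  return SAMPLE_REQUESTS.map(({ action, req }) => triageWalletRequest(req, action));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of triageSamples()) console.log(r.risk, r.method, r.reasons.join("; "));
}
```

Run with `node` to see the four verdicts: both "view" requests and the `eth_sign` request are flagged, while a plain value-transfer transaction during a purchase is accepted. The check is deliberately independent of the serving domain, which is the point the OpenSea case makes: the prompt looked like it came from OpenSea, and only the mismatch between "I am viewing an item" and "the wallet wants a signature" reveals the lure.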