On October 13, 2021, Check Point Research published a write-up of their discovery of a vulnerability in the OpenSea digital collectible marketplace. This vulnerability allowed the attacker to use fake NFTs to steal money from users’ cryptocurrency wallets.
Inside the Vulnerability
The OpenSea vulnerability was exploited via the use of malicious non-fungible tokens (NFTs). The attacker would airdrop these tokens to targets for free, which caused them to show up in the target’s OpenSea account.
The presence of an NFT in the target’s account wasn’t enough to exploit the vulnerability. For the attack to execute, the user would need to actually view the image associated with the NFT such as opening it in a new tab.
Upon opening the NFT, a popup would appear from MetaMask or similar cryptocurrency wallet extensions asking if the user wanted to allow storage.opensea.io to connect to their wallet. If they approved this, a second popup would appear asking the user to approve a transaction that transferred all of the value in their wallet to the attacker’s account.
OpenSea has since fixed the vulnerability, but it underscores the importance of being cautious when working in the crypto space. Accepting unknown NFTs and approving transactions without knowing what they are doing can place a user’s cryptocurrency holdings at risk.