
OpenSea vulnerability allowed crypto stealing with malicious NFTs

Researchers investigated the issue in OpenSea after an increase in complaints that free airdropped NFTs, once received and opened, were being used to steal user funds.

The IT security researchers at Check Point identified critical security vulnerabilities in OpenSea, the highly popular and world’s largest NFT marketplace, which would allow remote attackers to drain the crypto wallets of unsuspecting users by stealing their funds.

NFTs (non-fungible tokens) have become a profitable business, allowing people to earn millions of dollars. At OpenSea alone, there were transactions worth US$3.4 billion in August 2021. At the same time, NFT marketplaces have become a lucrative target for cybercriminals.


According to Check Point researchers, they investigated the issue in OpenSea after an increase in complaints that free airdropped NFTs, once received and opened, were being used to steal user funds. The vulnerabilities, if exploited, could have allowed attackers to hijack user accounts and steal cryptocurrency by crafting malicious NFTs.

However, a successful attack would require user interaction. For instance, viewing a malicious NFT would trigger a pop-up message from the official storage domain of OpenSea requesting a connection to the user’s cryptocurrency wallet.

Accepting the connection request would grant attackers full access to the victim’s wallet. Carrying out transactions, however, would require another pop-up message from OpenSea’s storage domain. Eventually, the victim would lose their funds to the attackers.


In their report, CPR explained that,

In our attack scenario, the user is asked to sign with their wallet after clicking an image received from a third party, which is unexpected behavior on OpenSea, since it does not correlate to services provided by the OpenSea platform, like buying an item, making an offer, or favoring an item.

However, since the transaction operation domain is from OpenSea itself, and since this is an action the victim usually gets in other NFT operations stated above, it may lead him to approve the connection.

The good news is that Check Point informed OpenSea about the issue, and it took the marketplace merely an hour to fix it.

“Security is fundamental to OpenSea. We appreciate the CPR team bringing this vulnerability to our attention and collaborating with us as we investigated the matter and implemented a fix within an hour of it being brought to our attention. 

These attacks would have relied on users approving malicious activity through a third-party wallet provider by connecting their wallet and providing a signature for the malicious transaction.”

If you are dealing with NFTs, watch out for such attacks and don’t click on pop-ups without verifying their authenticity. You should review who is sending requests and what permissions are being requested. To keep your account, wallet, and funds secure, simply cancel any request you find suspicious.
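
The review described above (who is asking, what is being requested, and whether it follows an expected marketplace action) can be written as an explicit policy. This is an added example, not code from the article, Check Point or OpenSea; the origins, the request shape and the function names are constructed assumptions.

```javascript
// Constructed placeholder origins (assumptions, not real marketplace hosts).
const APP_ORIGIN = "https://marketplace.example";             // marketplace UI
const STORAGE_ORIGIN = "https://storage.marketplace.example"; // serves user-uploaded media

// Platform actions that legitimately lead to a wallet prompt (per the CPR quote).
const EXPECTED_ACTIONS = new Set(["buy", "offer", "favorite"]);
// Ethereum wallet RPC methods that expose accounts or move funds.
const KNOWN_METHODS = new Set(["eth_requestAccounts", "eth_sendTransaction"]);

// Reduce a URL to its exact HTTPS origin. Substring or suffix matching would
// accept look-alikes such as https://marketplace.example.attacker.test.
function exactOrigin(raw) {
  try {
    const u = new URL(raw);
    return u.protocol === "https:" ? u.origin : null;
  } catch {
    return null;
  }
}

// request: { source: URL of the page or frame asking,
//            method: wallet RPC method,
//            userAction: what the user did just before the prompt }
function reviewWalletRequest(request) {
  const origin = exactOrigin(request.source);
  if (origin === null) {
    return { verdict: "reject", reason: "unparseable or non-HTTPS source" };
  }
  // Same brand, different trust level: a media host has no reason to talk to a wallet.
  if (origin === STORAGE_ORIGIN) {
    return { verdict: "reject", reason: "storage origin requesting wallet access" };
  }
  if (origin !== APP_ORIGIN) {
    return { verdict: "reject", reason: "unknown origin" };
  }
  if (!KNOWN_METHODS.has(request.method)) {
    return { verdict: "reject", reason: "unrecognised permission requested" };
  }
  // A prompt after merely viewing an image does not match any platform service.
  if (!EXPECTED_ACTIONS.has(request.userAction)) {
    return { verdict: "reject", reason: "prompt does not follow a buy, offer or favorite action" };
  }
  return { verdict: "allow", reason: "expected action on the marketplace origin" };
}
```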
