Non-fungible tokens, NFTs, are digital assets that link ownership to real-world objects or items (such as artwork, music, videos, etc.).
While they function in the same way as cryptocurrencies, they are not fiat money.NFTs are highly speculative and can often sell for millions of dollars. However, not every investor should desire them.
From popular memes to pixelated comics, the popularity of non-fakeable tokens has been soaring lately. Unfortunately, this move is not without its exploitative attacks.
A report from Check Point Research (CPR) reveals the hacking of user accounts in the OpenSea NFT marketplace. A number of errors in the protocol’s NFTs led to the theft of all users’ cryptocurrency wallets and the transfer of malicious NFTs.
The investigation will be launched after the report. It will cover free airdrops of malicious NFTs that act as an outlet for account hacking and cryptocurrency theft.
Hackers target NFTs for nefarious activities
The source of the problem is not just NFT and airdrops. However, by releasing the NFT to the victim, they will see it. Then there will be a follow up message asking for a signature connecting to the wallet.
In addition, a prompted secondary signature request will appear. If the user accepts, the hacker will gain access to the unsuspecting user’s wallet and funds.
In the case of OpenSea, the security bug entitles the protocol team to upload an SVG file containing a malicious payload. This upload would operate from Opensea’s storage subdomain.
Commenting on the situation, CPR said that after clicking on a third-party image, the user was asked to sign it using their wallet. It mentioned that such a requirement is a far cry from the regular practice of OpenSea. This is because it is quite different from the services offered by OpenSea, such as buying or collecting an item and offering deals.
Nevertheless, most users may be tempted to approve the connection. The reason for this is that the transaction operation domain comes from OpenSea, which may be available in other NFT operations.
On September 26, the CPR team revealed all of its findings to OpenSea. This ensured that the marketplace acted quickly within an hour to prioritize and validate the security flaws and propose a solution.
Finally, OpenSea issued a public statement expressing its gratitude to the CPR team for bringing the vulnerability to their attention. It also acknowledged the teams for joining their efforts within an hour during the investigation and implementation of a solution.
OpenSea mentioned that these attacks rely on user approval of malicious activity through third-party wallet providers. Therefore, it is possible for users to link their wallets and authorize malicious transactions.