Interested in learning what's next for the gaming industry? Join gaming executives to discuss emerging parts of the industry this October at GamesBeat Summit Next. Register today.
The security tech firm said its warning helped prevent thefts on OpenSea, which is the world’s largest marketplace for non-fungible tokens (NFTs, which use the transparency and security of the blockchain digital ledger to authenticate NFTs, or one-of-a-kind digital items). OpenSea recently raised $100 million at a $1.5 billion valuation because of the strength of its NFT sales.
After seeing reports of stolen crypto wallets triggered by free airdropped NFTs, Check Point Research investigated OpenSea, the world’s largest NFT marketplace. The investigation led to the discovery of critical security vulnerabilities on OpenSea’s platform that, if exploited, could have led hackers to hijack user accounts and steal entire crypto wallets of users, by sending malicious NFTs, Check Point said.
The company explained that it proved it was possible to steal crypto wallets of OpenSea’s users by leveraging critical security vulnerabilities found in OpenSea’s platform. They immediately disclosed the findings to OpenSea, which went on to deploy a fix after less than one hour of disclosure.
OpenSea acknowledged what happened in a statement that read, “Security is fundamental to OpenSea. We appreciate the CPR team bringing this vulnerability to our attention and collaborating with us as we investigated the matter and implemented a fix within an hour of it being brought to our attention. These attacks would have relied on users approving malicious activity through a third-party wallet provider by connecting their wallet and providing a signature for the malicious transaction.”
OpenSea said it was unable to identify any instances where this vulnerability was exploited, but it is coordinating directly with third-party wallets that integrate with the platform on how to help users better identify malicious signature requests, as well as other initiatives to help users thwart scams and phishing attacks with greater efficacy.
“We are also doubling down on community education around security best practices and have kicked off a blog series on how to stay safe on the decentralized web,” OpenSea said. “We encourage new users and seasoned veterans alike to give the series a read. Our goal is to empower the community to detect, mitigate and report attacks in the blockchain ecosystem, such as the one demonstrated by CPR.”
Left unpatched, the vulnerabilities could have allowed hackers to hijack user accounts and steal entire cryptocurrency wallets by crafting malicious NFTs. OpenSea is known as the world’s largest NFT marketplace, recording $3.4 billion in transaction volume in August 2021 alone.
CPR’s investigation of OpenSea was prompted by reports of free airdropped NFTs allegedly gifted to users. Curiosity led the company to correspond with a victim of a stolen crypto wallet, who confirmed interacting with an airdropped object prior to account theft.
In this hack, the malicious party would have created and gifted a malicious NFT to a target victim. The victim views the malicious NFT, triggering a pop-up from OpenSea’s storage domain, requesting a connection to the victim’s cryptocurrency wallet (such pop-ups are common in the platform on various other activities).
The victim then clicks to connect their wallet, in order to perform an action on the gifted NFT, thus enabling access to the victim’s wallet. The hacker could then obtain the money in the wallet by triggering an additional pop-up, which was also sent from OpenSea’s storage domain. The user may then click on the pop-up. If they do not notice the note in the pop-up describing the transaction, the end result could be the theft of a user’s entire cryptocurrency wallet.
Check Point notified OpenSea of the problem on September 26, and it received verification of the fix shortly thereafter. CPR recommends being careful when receiving requests to sign your wallet online. Before you approve a request, you should carefully review what is being requested, and consider whether the request is abnormal or suspicious. If you have any doubts, you should reject the request and examine further, before providing authorization.
“Our interest in OpenSea sparked when we saw chatter of stolen crypto wallets online. We speculated that an attack method existed in the wild around OpenSea, so we initiated a thorough investigation of OpenSea’s platform,” said Oded Vanunu, head of products vulnerabilities research at Check Point Software, in a statement. “The result was the discovery of a way to steal crypto wallets of users, simply by sending a malicious NFT through OpenSea. We immediately and responsibly disclosed our findings to OpenSea, who quickly worked with us to deploy a fix. I believe that our research findings, and the quick action by OpenSea, will prevent thefts of crypto wallets of users [in the future].”
Vanunu said that blockchain innovation is fast-underway and NFTs are here to stay.
“Given the sheer pace of innovation, there is an inherent challenge in securely integrating software applications and crypto markets. Bad actors know they have an open window right now to take advantage of, with consumer adoption spiking, while security measures in this space still need to catch up,” Vanunu said. “The cybersecurity community must step up to help pioneering blockchain technologies secure crypto assets of consumers. We sternly warn the OpenSea community to watch out for suspicious activity that may lead to theft, as we believe bad actors will continue to expand their efforts, in order to hijack crypto wallets while exploiting system vulnerabilities.”
GamesBeat's creed when covering the game industry is "where passion meets business." What does this mean? We want to tell you how the news matters to you -- not just as a decision-maker at a game studio, but also as a fan of games. Whether you read our articles, listen to our podcasts, or watch our videos, GamesBeat will help you learn about the industry and enjoy engaging with it. Discover our Briefings.