OpenSea may be the largest digital collectible marketplace in the world, but that doesn’t mean it isn’t vulnerable to hacks and scams. There have been claims recently that OpenSea users had their accounts hacked after receiving a free NFT. Thankfully, a cybersecurity company found a solution to the problem. Is OpenSea safe now?
Check Point Research investigated the claims about malicious NFTs and reported its findings to OpenSea. The two companies worked together to fix the situation, but it raises the question of whether OpenSea is safe. Just like any other NFT platform, OpenSea can be safe for those who are experienced in the NFT space and can detect suspicious activity.
However, if someone is just getting started with digital collectibles, they could be vulnerable. OpenSea has many security measures put in place to protect users conducting everyday activities, but with a platform so big, there will always be malicious parties looking to find a weakness in its defenses.
How did the flaw work?
In the flaw, the malicious party airdropped an NFT to the victim, and when the victim views the NFT, it triggers a popup to OpenSea’s storage domain (storage.opensea.io). The popup will ask the viewer to connect storage.opensea.io to their wallet, a prompt that is common when using the platform’s services.
If the viewer clicks "yes" on the popup, the hacker has access to their wallet. The hacker can then trigger an additional popup to OpenSea’s storage domain, asking the person to approve a transfer from their wallet to the malicious party’s. If the person clicks yes, their entire wallet can be drained.
If you don't read what the popups are asking you, your entire account could be drained without you even noticing. This is especially a concern because it’s common for users to receive popups from OpenSea, and if someone is new to the NFT space, they can easily be exploited. Fortunately, OpenSea fixed the flaw shortly after it was notified of it.
Check Point recommends taking precautions when signing requests for your crypto wallet with any platform. It also pointed out that OpenSea never requests wallet approval for viewing or clicking third-party links. Always check what's being sent, how much crypto is being used in the transaction, and that you’re conducting business with the correct party.
Check Point Research found the flaw after seeing reports of stolen crypto wallets
The cybersecurity company explained in a public statement that it checked for malicious NFTs scams after hearing about NFT holders getting their crypto wallets hacked. For many weeks, people have been making claims on social media that they have gotten their wallet balance drained after receiving a free gift on OpenSea.
There were parties who refuted the malicious NFT claims, stating that airdropped NFTs cannot cause your wallet to be drained. That can be somewhat true—being sent the NFT doesn’t empty your wallet, accepting the prompts does. Regardless, Check Point did reach out to an OpenSea user and confirmed that their wallet was compromised after interacting with an airdropped NFT.
OpenSea announces updates to its mobile platform
In an update to its platform, OpenSea now hides gifted NFTs from unverified collections, instead putting them in a hidden tab located on your profile page. The feature only works for NFTs on the Polygon and Klaytn blockchains, and will be implemented into Ethereum-based NFTs in the near future. The app also has a new safety feature that allows users to disable buying and selling NFTs they hold if they think their wallet has been hacked.