In an attempt to receive the free digital art, the victim may lose their entire balance. The NFT marketplace has reportedly fixed the flaw that allowed the theft of crypto assets.

A non-fungible token (NFT) offered for free to an Opensea user can be the lure with which a criminal steals all the assets deposited in the victim's wallet.

An investigation by Israel-based security company Check Point Research discovered a vulnerability in Opensea, one of the largest platforms for trading collectible tokens.

Investigators at Check Point emulated an attack to discover why so many Opensea users reported the theft of their assets after receiving a gift NFT. They set up a test scenario to see whether such a theft was possible.

The attack scenario succeeded: an NFT was gifted to a specific victim in order to extract the assets deposited in their portfolio. The moment the victim claimed the gifted collectible token, they triggered a series of malicious pop-ups.

These pop-ups were designed to look like Opensea, asking users to connect their wallets to the platform.

Once the victim follows the pop-up window, the transfer of funds to an external wallet is enabled. A user who is not paying attention, or does not realize what is happening, would sign a transaction that transfers their assets to the attacker.

The last step of the attack is to transfer the NFT to the victim. This transfer goes through without problems, and the affected user adds the token to their collection without discovering what happened.

The security firm highlighted that it warned the company about the vulnerabilities discovered, and that this included working with researchers to ensure that the solution worked.

In any case, there are no further details of how Opensea addressed these failures. It is also not known what happened to the people who say they were attacked.

Opensea Might Be a Dangerous Ecosystem

Bugs and scams targeting the largest NFT market in the ecosystem are a common problem. In mid-September, the product director took advantage of his knowledge of the inner workings of the marketplace for personal benefit.

Nate Chastain carried out a series of operations over a considerable time that allowed him to earn 19 ether (ETH) fraudulently. He purchased NFTs at a low price, knowing that they would later appreciate after appearing on the front page of the site, and then sold them at a value several times higher.

Last month, an Opensea bug caused at least 42 collectible tokens, valued at around 28 ether (ETH), to vanish. The flaw transferred at least 42 NFTs to the burn list, affecting more than 21 different users on the platform.

Among the tokens that were deleted was the oldest decentralized domain name in the entire ecosystem, rilxxlir.eth, one of the first registered and made available for auction in 2017.

By: Jenson Nuñez
