FairyProof’s Analysis of the Latest Attack on Opensea
On Sep. 26, 2021, an Opensea user claimed on Twitter that, after an NFT airdrop took place and he/she traded one of the NFT items on Opensea, the other NFT items in his/her wallet were lost. Vulnerabilities were later detected in Opensea’s front-end. Attackers had exploited these vulnerabilities to mislead the user into approving the right to transfer the NFT tokens out of his/her wallet.
This was a typical phishing attack. In this scenario the user was not familiar with Opensea’s procedures and rules, and the attackers exploited vulnerabilities in the platform to carry out the attack. The lesson is that users should learn an NFT application’s procedures and rules before using it and be cautious about the transactions they approve while using it. Whenever abnormal messages, prompts, or instructions appear, users should be alert and examine them carefully before proceeding.
Attack Analysis
The attackers embedded an SVG file containing malicious JavaScript code as the link to an NFT item. After the user received the NFT item and opened the link on Opensea, a transaction was triggered asking the user to approve the transfer of the NFT items in his/her wallet. This transaction was shown as associated with “storage.opensea.io”, which misled the user into believing it was a normal transaction and proceeding with it. Once the transaction was confirmed, the attackers were able to transfer the NFT items out of the wallet.
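The root of the mechanism described above is that an SVG is an XML document and may carry active content, so a marketplace that stores user-supplied SVG media should refuse or neutralise such files before they are rendered. The following is an added example, not code from Opensea or from FairyProof: a dependency-free pre-screen that flags the constructs turning an image into executable content (script elements, event-handler attributes, script-scheme URLs, foreign objects, entity declarations). The tag list, the sample files and the return shape are constructed for this example; a deployment would still pass accepted files through a full sanitizer and serve them from an origin with a restrictive Content-Security-Policy.

```javascript
'use strict';

// Elements that carry or load active content inside an SVG document.
const ACTIVE_TAGS = new Set(['script', 'foreignobject', 'iframe', 'embed', 'object']);
// Attributes whose value is a URL the renderer may follow.
const URL_ATTRS = new Set(['href', 'xlink:href', 'src', 'data']);
// URL schemes that execute code or embed a document instead of an image.
const DANGEROUS_SCHEMES = ['javascript:', 'vbscript:', 'data:text/html'];

// Normalise a URL value before scheme lookup: strip control characters and
// whitespace and lower-case it, so "JavaScript:" and padded variants are caught.
function normaliseUrl(value) {
  return value.replace(/[\u0000-\u0020]/g, '').toLowerCase();
}

// Inspect one opening tag's attribute string and append any findings.
function scanAttributes(tagName, attrText, findings) {
  const attrRe = /([^\s=\/"']+)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = attrRe.exec(attrText)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (/^on[a-z]+$/.test(name)) {
      findings.push(`event handler attribute ${name} on <${tagName}>`);
    } else if (URL_ATTRS.has(name)) {
      const url = normaliseUrl(value);
      if (DANGEROUS_SCHEMES.some((s) => url.startsWith(s))) {
        findings.push(`${name} on <${tagName}> uses scheme ${url.split(':')[0]}:`);
      }
    }
  }
}

// Returns { safe, findings }; findings is empty when nothing active was seen.
// Regex tokenising is a coarse first gate, not a substitute for a real parser.
function scanSvg(svgText) {
  const findings = [];
  if (/<!ENTITY/i.test(svgText)) {
    findings.push('DTD entity declaration (possible external entity load)');
  }
  const tagRe = /<\s*([a-zA-Z][\w:.-]*)([^>]*)>/g; // opening tags only
  let m;
  while ((m = tagRe.exec(svgText)) !== null) {
    const tagName = m[1].toLowerCase();
    if (ACTIVE_TAGS.has(tagName)) {
      findings.push(`active element <${tagName}>`);
    }
    scanAttributes(tagName, m[2].replace(/\/\s*$/, ''), findings);
  }
  return { safe: findings.length === 0, findings };
}

// Constructed samples: a benign icon and a file of the kind the post describes
// (SVG carrying JavaScript). Neither is the file used in the real incident.
const BENIGN_SVG = `<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 10 10">
  <defs><circle id="dot" r="2"/></defs>
  <use xlink:href="#dot" x="5" y="5"/>
</svg>`;

const MALICIOUS_SVG = `<svg xmlns="http://www.w3.org/2000/svg" onload="init()">
  <script>/* would run if the file were rendered as a document */</script>
  <a href="JavaScript:void(0)"><text y="10">claim</text></a>
</svg>`;

console.log(scanSvg(BENIGN_SVG));
console.log(scanSvg(MALICIOUS_SVG));
```

Serving uploaded SVG as an `<img>` source (where scripts do not run) rather than inline or as a navigable document, and from a separate media origin, removes most of the risk even when a scanner like this misses a construct.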
Process of the attack
· The attackers created a malicious link and sent it to the user;
· The user opened the link and a pop-up window showed up asking the user to connect his/her wallet;
· The user proceeded, thereby approving the right to transfer the NFT tokens out of his/her wallet;
· The attackers transferred the NFT items from his/her wallet.
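The third step is where the loss becomes irreversible: whatever domain the prompt appears to come from, the calldata the user signs is what grants the right. A wallet or browser extension can therefore decode that calldata and state plainly what is being approved. The following is an added example, not Opensea’s or FairyProof’s code: a dependency-free decoder for the two ERC-721 approval calls (setApprovalForAll and approve) with a simple risk rating. The 4-byte selectors are the standard ones for those signatures; the allow-list address, the sample calldata and the risk labels are constructed for this example.

```javascript
'use strict';

// 4-byte selectors: the first 4 bytes of keccak256 over the canonical signature.
const SELECTORS = {
  a22cb465: 'setApprovalForAll(address,bool)', // ERC-721 and ERC-1155
  '095ea7b3': 'approve(address,uint256)',      // ERC-721 (same selector as ERC-20 approve)
};

// Hypothetical allow-list of operators the user has already vetted.
// Constructed placeholder address, not a real marketplace contract.
const TRUSTED_OPERATORS = new Set(['0x1111111111111111111111111111111111111111']);

// Decode a transaction's data field into a structured description of the
// approval it requests, or { kind: 'other' } when it is not an approval call.
function decodeApproval(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, '');
  if (!/^[0-9a-f]*$/.test(hex) || hex.length < 8) {
    return { kind: 'other', selector: null };
  }
  const selector = hex.slice(0, 8);
  if (!SELECTORS[selector] || hex.length < 8 + 64 * 2) {
    return { kind: 'other', selector };
  }
  // ABI arguments are 32-byte words following the selector.
  const word = (i) => hex.slice(8 + 64 * i, 8 + 64 * (i + 1));
  const addrWord = word(0);
  // A well-formed address argument is 20 bytes left-padded with 12 zero bytes.
  if (!/^0{24}/.test(addrWord)) {
    return { kind: 'malformed', selector };
  }
  const operator = '0x' + addrWord.slice(24);
  if (selector === 'a22cb465') {
    // Any non-zero bool word is treated as true, as the EVM does.
    return { kind: 'setApprovalForAll', operator, approved: /[1-9a-f]/.test(word(1)) };
  }
  return { kind: 'approve', operator, tokenId: BigInt('0x' + word(1)).toString() };
}

// Turn the decoded call into the warning a wallet could show before signing.
function assessApproval(decoded) {
  const trusted = decoded.operator !== undefined && TRUSTED_OPERATORS.has(decoded.operator);
  if (decoded.kind === 'setApprovalForAll' && decoded.approved) {
    return trusted
      ? { risk: 'low', reason: `known operator ${decoded.operator} may move every token in this collection` }
      : { risk: 'high', reason: `grants ${decoded.operator} the right to move EVERY token you own in this collection` };
  }
  if (decoded.kind === 'approve') {
    return trusted
      ? { risk: 'low', reason: `known operator ${decoded.operator} may move token #${decoded.tokenId}` }
      : { risk: 'medium', reason: `lets ${decoded.operator} move token #${decoded.tokenId}` };
  }
  if (decoded.kind === 'malformed') {
    return { risk: 'medium', reason: 'approval call with non-canonical argument encoding' };
  }
  return { risk: 'none', reason: 'not an approval call' };
}

// Constructed calldata: a blanket approval to an unknown operator (the shape of
// the transaction in the post), its revocation, and a single-token approval.
const GRANT_ALL = '0xa22cb465' + '0'.repeat(24) + 'b'.repeat(40) + '0'.repeat(63) + '1';
const REVOKE_ALL = '0xa22cb465' + '0'.repeat(24) + 'b'.repeat(40) + '0'.repeat(64);
const APPROVE_ONE = '0x095ea7b3' + '0'.repeat(24) + '1'.repeat(40) + '0'.repeat(62) + '2a';

for (const data of [GRANT_ALL, REVOKE_ALL, APPROVE_ONE]) {
  console.log(assessApproval(decodeApproval(data)));
}
```

A wallet that surfaces the `high` case as "this approves an operator for every token in the collection" rather than a generic "confirm transaction" gives the user the information the spoofed "storage.opensea.io" label took away.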
Follow-up
Opensea has fixed this issue. In addition, Opensea added a function to its mobile app that pauses NFT transfers from a wallet, so that a user who suspects his/her NFT items may be stolen can pause transfers of NFT items out of his/her wallet. Note: this additional function is not a fix for the aforementioned issue but an improvement to overall security.
Reference
· https://www.coindesk.com/tech/2021/09/21/no-airdropped-nfts-cannot-empty-your-crypto-wallet/