Check Point Research Prevents Theft of Crypto Wallets on OpenSea, the World’s Largest NFT Marketplace

October 13, 2021

Research by : Dikla Barda, Roman Zaikin & Oded Vanunu

 

During the past few weeks, Check Point researchers spotted various cases where people tweeted reports claiming they lost their crypto wallet balance, while receiving a free gift on the OpenSea market place.
OpenSea is the largest digital collectible marketplace, a peer-to-peer marketplace for crypto collectibles and non-fungible tokens, aka NFT. OpeanSea recorded $3.4 billion in transaction volume in August 2021 alone, and has grown to be the largest marketplace for non-fungible tokens of the crypto world.
Since crypto coins are not regulated in many countries around the globe, it leaves consumer wallets as an attractive target for hackers.
Lately, several reports surfaced claiming digital wallets of merchants disappeared, leaving collectors to lose hundreds of thousands of dollars’ worth of NFTs.
The reports speculated that an attack could start when you receive a free gift from a stranger, or a link to OpenSea art:

*Source: Twitter

The reports further speculated that by accepting the gift or pressing on the link to OpenSea, the receiver loses all his crypto currencies.
Such example, along with others that reported different scams within this marketplace motivated our researchers to look (and find!) vulnerabilities within the platform, which could have allowed scammers and hackers to hijack accounts and steal the crypto currencies from the digital wallets.
On a later correspondence conducted by CPR with one victim, he confirmed interacting with an airdropped NFT object prior to the account theft
Check Point Researchers responsibly disclosed these vulnerabilities to OpenSea, who immediately implemented fixes to mitigate them.

Here’s what we did and how we did it

Application Onboarding

In order to have an account at OpenSea, you have to connect a third-party crypto wallet, like an auth0 with Google or Facebook in a regular website.

The default wallet and the most popular one is MetaMask, so we chose that one in our research, and downloaded the browser extension to open a wallet.

After you have a wallet, there are few communication methods with it, one of them is
communication with your wallet for any action you want to do in your account, even if you want to something simple, like art in the system:

Your wallet will popup. And your wallet is communicating with the Ethereum network by using json-rpc, which we will explain later in the Deep Dive section.

Deep Dive

OpenSea allows anyone to create art and sell them on its market place, the art can be anything that ends with the following extensions: JPG, PNG, GIF, SVG, MP4, WEBM, MP3, WAV, OGG, GLB, GLTF. Max size: 40 MB

 

So, we decided to check what will happened if we would create malicious art that contains code in it, for example an SVG image. We created a simple SVG file and uploaded it with a simple payload, which looked like this:

By clicking on the art and opening it in anther tab or clicking on the links on the page:

 

Our SVG will be executed under https://storage.opensea.io subdomain.

At this point, we have a SVG file with JavaScript capabilities, but we are missing the window.ethereum object, which works only under html files:

To overcome that, we added iframe to our SVG, which will load another html:

 

<?xml version="1.0" standalone="no"?>

<!DOCTYPE svg PUBLIC “-//W3C//DTD SVG 1.1//EN” “https://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd”>

<svg version=”1.1″ baseProfile=”full” xmlns=”https://www.w3.org/2000/svg” xmlns:xlink=”https://www.w3.org/1999/xlink”>

<foreignObject x=”10″ y=”10″ width=”800″ height=”800″>

<body xmlns=”https://www.w3.org/1999/xhtml”>

<iframe src=”https://storage.opensea.io/files/936762164367baa4353e00ccefbdb28f.html” style=”width:0;height:0″></iframe>

</body>

</foreignObject>

</svg>

 

Which will load our payload and insert Ethereum object to the page.

This way we can get the window.ethereum injected to our DOM which will allow us to communicate with the Ethereum JSON-RPC API:

Next, we had to learn the Ethereum RPC-API in order to abuse the wallet functionality, here is the link for reference:

https://eth.wiki/json-rpc/API

In order to hijack the currencies first, the attacker needs to open a communication with the wallet:

window.ethereum.enable()

This rpc-api action will start the communication MetaMask and popup the window:

 

And then Connect

 

once the victim clicks on it to sign the transaction, we will be able to continue with our actions.

Once the user clicks on the pop up, the hacker was able to read the information provided by the victim on the wallet, as well as performing actions on the victim’s behalf.

If the hacker wished to obtain the money on the wallet, an additional

Signature request pops up.

It should be noted that wallet signature pop ups often appear as a system notice, and are a standard platform process to create several activities. In this instance the user could have unknowingly enable access to their account (and the money in it) based on the same known process if they do not carefully read the pop-up.

,Users should be hyper-aware of what they sign on OpenSea, as well as other NFT platforms, and whether it correlates with expected actions.

In our attack scenario, the user is asked to sign with their wallet after clicking an image received from a third party, which is unexpected behavior on OpenSea, since it does not correlate to services provided by the OpenSea platform, like buying an item, making an offer, or favoring an item.

However, since the transaction operation domain is from OpenSea itself, and since this is an action the victim usually gets in other NFT operation stated above, it may lead him to approve the connection.

After the attacker got the access, he needs to retrieve the wallet address and then the balance.

ethereum.request({ method: ‘eth_accounts’ }).then(function(accounts){

      ethereum.request({ method: ‘eth_getBalance’, params: [accounts[0], “latest”], “id”: 1}).then(function(balance){

send_transaction(accounts[0], balance)

      });

});

 

He can simply transfer all the currencies to his account by using the send_transaction function.

This function will popup another signature request to perform new action on behalf of the victim which we previously mentioned.

Wallet signatures pop ups are a standard platform process.

By routinely signing it, User’s unknowingly enables the theft to take place

The last step of the attack, after having all the pieces running, is to transfer the art to the victim:

 

The transfer will happen seamlessly and the victim will get the art to his collection without any action needed from his side.

Then if the victim will open the new art and press the image or links, connect his wallet and sign the transaction in the popup, he will lose all his balance.

Victims may also sometimes see this screen which shows the money transfer.

Users should note that OpenSea does not request wallet approval for viewing or clicking third party links. Such activity is highly suspicious and users should not interact with wallet approvals that are unrelated to OpenSea specific actions such as buying, making an offer, liking an image.

 

Responsible Disclosure

OpenSea and Check Point worked together to make sure this attack flaw is now closed. OpenSea was responsive and shared svg files containing iframe object
from their storage domain, so we can review it together, and make sure all attack vectors were closed.

How To Protect Yourself

You should always be careful when receiving requests to sign your wallet online.  Before you approve a request; you should carefully review what is being requested and consider whether the request is abnormal or suspicious.  If you have any doubts, you should reject the request and examine further before providing such authorization.

Conclusion

The volume of traffic seen at OpenSea is a clear example presenting unprecedented interests in nonfungible tokens, which refer to digital assets that are stored on blockchains and not interchangeable.
Check Point Research remains dedicated to always seek paths to investigate and deep dive into popular tech trends, with an endless quest to make it safer for the publics secured experience.
We were happy to liaise and collaborate with the OpenSea teams to allow the growing trend of NFT continue to be safer and secured.