Oct 13, 2021 - Technology

Security firm finds flaw in OpenSea's NFT code

Ina Fried

Illustration: Eniola Odetunde/Axios

Check Point Software said Wednesday that it recently found vulnerabilities in the platform used by OpenSea, the largest marketplace for digital collectibles known as NFTs, or non-fungible tokens.

Why it matters: The since-patched vulnerabilities, if exploited, could have allowed hackers to take control of accounts and even entire crypto wallets by sending a malicious NFT.

Details: Check Point said it began investigating the issue after seeing reports of people having accounts hijacked after receiving unsolicited NFTs.

  • It reported the flaw to OpenSea on Sept. 26 and the company put out a fix within an hour to prevent the exploit.

What they're saying:

  • OpenSea thanked Check Point for bringing the issue to its attention and said it has yet to identify any instances where the flaw was exploited. It also said it is trying to better coordinate with third-party wallets that integrate with its platform as well as to educate users.
  • Check Point Software's Oded Vanunu warned that bad actors are seizing upon the opportunity presented as consumer adoption of NFTs soars even as the security around the tokens is still ramping up. "Given the sheer pace of innovation, there is an inherent challenge in securely integrating software applications and crypto markets," Vanunu said.

Be smart: Check Point recommends people be extra wary of unsolicited requests to log into their crypto wallets.

Our thought bubble: While this flaw appears to have been caught before significant damage, it highlights the precarious nature of digital collectibles and currencies.

Go deeper: Check Point posted a video with more details on the flaw here.

Editor's note: This story has been corrected to remove a reference to Apple's AirDrop that was inaccurate.
