Cryptocurrency
"Check Point Software Prevents Theft of Crypto Wallets on OpenSea, the World’s Largest NFT Marketplace"
Primary Source
Blockchain(s)
Ethereum, Polygon
Incident Details
Bug bounty hunters helped OpenSea patch a cross-site scripting (XSS) vulnerability in its platform. The flaw allowed attackers to create an NFT from an SVG image containing an iframe that would execute JavaScript. Attackers could create an authorization popup that looked legitimate and, if the victim fell for it, gain access to the victim's wallet. OpenSea quickly patched the vulnerability after disclosure, though it appears it had been used in the wild: the bounty hunters began their research after seeing tweets from users who had fallen victim to attackers using the exploit.
Technical Details
- Initial Attack Vector: Software bug / unintentional loss
- Vendor / Product: OpenSea SVG vulnerability
Timeline
- 2021-10-28 Breach occurred
- 2021-10-28 Publicly disclosed