Researchers find vulnerability in Rarible NFT platform
A security flaw in one of the biggest non-fungible token (NFT) marketplace could allow threat actors to steal a user’s NFTs and crypto tokens in a single transaction, according to a new report from cybersecurity firm Check Point.
Researchers said cybercriminals have found a way to create malicious NFTs that allow attackers to take full control of the victim’s crypto wallet to steal funds when they are clicked on.
Rarible did not respond to requests for comment but Check Point said the company acknowledged the issue when it was disclosed on April 5. The security company said it “believes that Rarible will have deployed a fix by the time of its publication.”
Oded Vanunu, head of products vulnerabilities research at Check Point, told The Record that they are seeing large efforts by cybercriminals to try and make profits through the theft of cryptocurrency, especially NFT marketplaces.
Vanunu added that they were inspired to look into Rarible after discovering a flaw in OpenSea, another major NFT marketplace, in October. They were also spurred into investigating issues with Rarible after Taiwanese superstar Jay Chou said one of his NFT’s was stolen and sold for $500,000.
“There is still a huge gap, in terms of security, between Web2 and Web3 infrastructure,” Vanunu said.
“Any small vulnerability can possibly allow cybercriminals to hijack crypto wallets behind the scenes. We are still in a state where marketplaces that combine Web3 protocols are lacking from a security perspective.”
The typical attack starts with victims being sent a link to a corrupted NFT. The malicious NFT then “executes JavaScript code and attempts to send a setApprovalForAll request to the victim.” From there, the victim inadvertently submits the request and grants full access to their NFTs or cryptocurrency.
Chou was hit with this attack in early April, when he clicked on a malicious NFT and inadvertently gave a hacker full access to his Bored Ape NFT 3738.
“After Chou submitted the request and granted the attacker access to the NFT, the attacker transferred the NFT to the attacker’s own wallet and later sold the NFT on the marketplace for $500,000,” Check Point explained.
“NFT users should be aware that there are various wallet requests – some of them are used just to connect the wallet, but others may provide full access to their NFTs and Tokens.”
Rarible has more than two million monthly active users and in 2021, the platform reported a trading volume of more than $200 million.
Vanunu noted that the implications following a crypto hack can be extreme.
“We’ve seen millions of dollars hijacked from users of marketplaces that combine blockchain technologies. As of right now, I expect us to see a continuing increase in cryptocurrency thefts. Users must pay attention,” Vanunu said.
“Users currently need to manage two types of wallets: one for most of your crypto and another just for specific transactions. In case the wallet for specific transactions is compromised, users can still be in a position where they didn’t lose everything.”
Adam Janofsky
is the founding editor-in-chief of The Record from Recorded Future News. He previously was the cybersecurity and privacy reporter for Protocol, and prior to that covered cybersecurity, AI, and other emerging technology for The Wall Street Journal.