Author:
Check Point, the American-Israeli multinational that provides hardware and software products for IT security, has revealed identifying a security flaw in the popular NFT marketplace Rarible, which boasts over two million monthly active users.
Security Flaw on Rarible
In a blog post, CPR stated that the flaw, if exploited, would have allowed a malicious actor to siphon off a user’s NFTs and cryptocurrency wallets in a single transaction.
Rarible is one of the most established marketplaces in the NFTF sector. It reported more than $273 million in trading volume in 2021. Hence, CPR mentioned that platform users are “less suspicious and familiar with submitting transactions.” Researchers at the firm alerted Rarible of the discovery on April 5th, following which the NFT platform acknowledged the flaw and fixed it immediately.
Outlining the attack method, CPR noted:
“Victim receives a link to the malicious NFT or browses the marketplace and clicks on it. The Malicious NFT executes JavaScript code and attempts to send a setApprovalForAll request to the victim. Victim submits the request and grants full access to this NFT’s/Crypto Token to the attacker.”
CPR first became intrigued by these types of cases after a popular Taiwanese singer Jay Chou fell victim to a similar cyber-attack. Reportedly, attackers stole Chou’s NFT and later sold it for $500k.
Interestingly, the firm also detected critical security vulnerabilities on OpenSea last October, which could have potentially enabled attackers to “hijack user accounts and steal entire cryptocurrency wallets by crafting malicious NFTs.”
It also urged users to exercise caution while reviewing what is being requested. If the request appears abnormal or suspicious, they should reject it and inspect it further before providing any kind of authorization.
Rampant Attacks on NFT Marketplaces
The development comes a little over a month after Arbitrum-based NFT marketplace – TreasureDAO – witnessed hundreds of NFTs being stolen in an exploit in a series of transactions. The malicious entities exploited a security vulnerability in the protocol that enabled them to mint non-fungible tokens for free.
OpenSea’s front-end was also exploited at the beginning of the year, which targeted Bored Ape Yacht Club (BAYC) holders. As reported earlier, the perpetrator managed to steal around $750K worth of ETH.
PrimeXBT Special Offer: Use this link to register & enter POTATO50 code to receive up to $7,000 on your deposits.
