“A successful attack would have originated from a malicious NFT within Rarible’s marketplace, where users are less suspicious and more accustomed to submitting transactions,” Check Point Research explained.
Check Point’s research arm said it discovered a vulnerability in the Rarible NFT marketplace that could have resulted in many of the marketplace’s roughly two million monthly active users losing their NFTs in a single transaction.
Check Point is a multinational information technology security company headquartered in Ramat Gan, Israel. Check Point also claimed to have identified issues with malicious airdrops on OpenSea in October 2021.
According to the Check Point report, malicious actors could send users a dubious link to an NFT that, upon clicking, executes JavaScript code that “attempts to send a setApprovalForAll request to the victim.”
Once that request is submitted, the user grants complete access to their Rarible wallet. CPR stated that it notified Rarible immediately on April 5, and the platform quickly acknowledged and fixed the security flaw:
“Had the vulnerability been exploited, a threat actor would have been able to steal a user’s NFTs and cryptocurrency wallets in a single transaction. A successful attack would have originated from a malicious NFT within Rarible’s marketplace, where users are more trusting and accustomed to submitting transactions.”
Theft of NFT
Check Point Software’s Head of Products Vulnerabilities Research stated that his team became interested in this type of scam following the theft from Taiwanese singer Jay Chou in a similar attack. Chou’s BoredApe #3738 NFT was swiped at the start of this month in a nefarious transaction.
“Once we discovered that this NFT had been stolen, it prompted us to conduct additional research.” Vanunu added that such a vulnerability could also exist on a variety of other platforms.
“Rarible quickly acknowledged the security flaw and remedied it by removing the option to upload SVG files. This effectively eliminated the option for a malicious NFT attack,” Vanunu confirmed.
Vanunu declined to estimate the potential loss of value caused by the security flaw, which could have been “triggered on any user on the platform.” Notably, a similar attack on Arthur0x’s DeFiance Capital wallet last month resulted in the loss of approximately 600 Ether ($1.86 million).
CPR urged users to exercise caution whenever they approve requests on NFT platforms and to double-check each one via Etherscan’s request tracker during periods of uncertainty.
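The attack described above hinges on the victim signing a setApprovalForAll transaction, and the advice is to inspect each approval request before confirming it. The following is an added example, not code from the article, Check Point or Rarible: it decodes the calldata of a pending transaction, recognises the two standard ERC-721 approval functions by their selectors, and rates a blanket approval to an unknown operator as high risk. The operator allowlist and the sample calldata are constructed for illustration.

```javascript
// Added example (not from the article): decode transaction calldata and flag
// the blanket-approval request that the malicious NFT attempted to obtain.
// Selectors are the first 4 bytes of keccak256 of the standard ERC-721 ABI signatures.
const SELECTORS = {
  "0xa22cb465": "setApprovalForAll(address,bool)",
  "0x095ea7b3": "approve(address,uint256)",
};

// Returns null if the calldata is not an approval call, otherwise a
// structured description of what the user would be signing.
function decodeApproval(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  if (hex.length < 8 + 64 * 2) return null;            // selector + two 32-byte words
  const sig = SELECTORS["0x" + hex.slice(0, 8)];
  if (!sig) return null;
  const word1 = hex.slice(8, 72);                       // address, left-padded
  const word2 = hex.slice(72, 136);                     // bool or uint256
  const address = "0x" + word1.slice(24);               // keep the last 20 bytes
  if (sig.startsWith("setApprovalForAll")) {
    return { fn: "setApprovalForAll", operator: address, approved: BigInt("0x" + word2) !== 0n };
  }
  return { fn: "approve", spender: address, tokenId: BigInt("0x" + word2) };
}

// setApprovalForAll(operator, true) lets the operator move every token the
// user owns in that collection. Treat it as high risk unless the operator is
// one the user already knows (knownOperators is a hypothetical allowlist).
function assessApproval(calldata, knownOperators = []) {
  const d = decodeApproval(calldata);
  if (!d) return { risk: "none", reason: "not an approval call" };
  const known = knownOperators.map((a) => a.toLowerCase());
  if (d.fn === "setApprovalForAll" && d.approved) {
    if (known.includes(d.operator)) return { risk: "low", reason: "blanket approval to known operator " + d.operator };
    return { risk: "high", reason: "blanket approval to unknown operator " + d.operator };
  }
  if (d.fn === "setApprovalForAll") return { risk: "none", reason: "revokes approval for " + d.operator };
  return { risk: "medium", reason: "single-token approval of token " + d.tokenId + " to " + d.spender };
}

// Constructed sample: setApprovalForAll(0x1111...1111, true)
const SAMPLE_BLANKET = "0xa22cb465" + "000000000000000000000000" +
  "1111111111111111111111111111111111111111" + "0".repeat(63) + "1";
console.log(assessApproval(SAMPLE_BLANKET));
```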
Disclaimer: These are the writer’s opinions and should not be considered investment advice. Readers should do their own research.