Researchers find security flaw in Rarible: Users could have lost all their NFTs

Published at: April 14, 2022

The research arm of cybersecurity software firm Check Point said it identified a vulnerability in the Rarible NFT marketplace that could have let many of Rarible's roughly two million monthly active users lose their NFTs in a single transaction.

Check Point is a multinational IT security firm founded in Ramat Gan, Israel in 1993. In October 2021 it also reported a related issue on OpenSea involving malicious airdropped NFTs.

According to documents shared with Cointelegraph, Check Point Research (CPR) recently found that an attacker could send a victim a link to a malicious NFT hosted on the marketplace itself. Opening it executes embedded JavaScript that "attempts to send a setApprovalForAll request to the victim."

setApprovalForAll is a standard ERC-721 and ERC-1155 function: if the victim confirms that request in their wallet, the attacker's address becomes an approved operator for every token the victim holds in that NFT contract and can transfer all of them out at will. CPR said it notified Rarible on April 5, and the platform promptly acknowledged and fixed the flaw:

“If exploited, the vulnerability would have enabled a threat actor to steal a user's NFTs and cryptocurrency wallets in a single transaction. A successful attack would have come from a malicious NFT within Rarible's marketplace itself, where users are less suspicious and familiar with submitting transactions.”
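To make the approval flow concrete, here is an added example in JavaScript (not Rarible's or Check Point's code) that decodes the calldata of a pending transaction and flags a setApprovalForAll call whose operator is outside a caller-supplied allow-list, the check a wallet prompt or browser extension could run before the user signs. The function selector 0xa22cb465 is the real one for setApprovalForAll(address,bool) and is shared by ERC-721 and ERC-1155; the contract, marketplace and attacker addresses and the allow-list are constructed placeholders.

```javascript
// Added example (not Rarible's or Check Point's code): decode a pending Ethereum
// transaction's calldata and flag setApprovalForAll() calls, the request the
// malicious NFT in the article tried to get the victim to sign.

// 4-byte selector = first 4 bytes of keccak256("setApprovalForAll(address,bool)").
// Identical for ERC-721 and ERC-1155, so one check covers both token standards.
const SET_APPROVAL_FOR_ALL = "0xa22cb465";

// Decode calldata for setApprovalForAll(address operator, bool approved).
// Returns null when the data is not a well-formed call to that function.
function decodeSetApprovalForAll(data) {
  if (typeof data !== "string") return null;
  const hex = data.toLowerCase();
  // selector (4 bytes) + two 32-byte ABI words = 68 bytes = 136 hex chars after "0x"
  if (!/^0x[0-9a-f]{136}$/.test(hex)) return null;
  if (hex.slice(0, 10) !== SET_APPROVAL_FOR_ALL) return null;

  const operatorWord = hex.slice(10, 74);
  const approvedWord = hex.slice(74, 138);

  // An address occupies the low 20 bytes of its word; the upper 12 bytes must be zero.
  if (!/^0{24}/.test(operatorWord)) return null;
  const operator = "0x" + operatorWord.slice(24);

  // A bool is a 32-byte word equal to 0 or 1; anything else is a non-canonical encoding.
  if (!/^0{63}[01]$/.test(approvedWord)) return null;
  const approved = approvedWord.endsWith("1");

  return { operator, approved };
}

// Classify a transaction request the way a wallet prompt could, before the user signs.
// `trustedOperators` (e.g. a marketplace's known exchange contract) is supplied by the caller.
function assessApprovalRequest(tx, trustedOperators) {
  const decoded = decodeSetApprovalForAll(tx.data);
  if (!decoded) return { risk: "none", reason: "not a setApprovalForAll call" };
  if (!decoded.approved) return { risk: "none", reason: "revokes operator " + decoded.operator };
  const trusted = new Set(trustedOperators.map((a) => a.toLowerCase()));
  if (trusted.has(decoded.operator)) {
    return { risk: "low", reason: "grants known operator " + decoded.operator + " control of all your tokens in " + tx.to };
  }
  return { risk: "high", reason: "grants UNKNOWN operator " + decoded.operator + " control of every token you own in " + tx.to };
}

// Build calldata for a setApprovalForAll call (used here only to construct sample input).
function encodeSetApprovalForAll(operator, approved) {
  const addr = operator.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  const flag = (approved ? "1" : "0").padStart(64, "0");
  return SET_APPROVAL_FOR_ALL + addr + flag;
}

// Constructed sample: the addresses below are placeholders, not real contracts or attackers.
const NFT_CONTRACT = "0x1111111111111111111111111111111111111111";
const MARKETPLACE_OPERATOR = "0x2222222222222222222222222222222222222222";
const ATTACKER = "0x3333333333333333333333333333333333333333";

const maliciousTx = { to: NFT_CONTRACT, data: encodeSetApprovalForAll(ATTACKER, true) };
const legitimateTx = { to: NFT_CONTRACT, data: encodeSetApprovalForAll(MARKETPLACE_OPERATOR, true) };
const revokeTx = { to: NFT_CONTRACT, data: encodeSetApprovalForAll(ATTACKER, false) };

for (const tx of [maliciousTx, legitimateTx, revokeTx]) {
  console.log(assessApprovalRequest(tx, [MARKETPLACE_OPERATOR]));
}
```

The important design point is that the verdict depends only on the decoded operator, not on where the request came from: a request originating inside a trusted marketplace page, as in this attack, is treated exactly like one from an unknown site.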

NFT Theft

Speaking with Cointelegraph, Oded Vanunu, Head of Products Vulnerabilities Research at Check Point Software, said his team became interested in this type of scam after Taiwanese singer Jay Chou fell victim to a similar attack. Chou's Bored Ape #3738 NFT was stolen via a malicious transaction at the start of this month.

“Once we saw that this NFT was stolen, it gave us the incentive to investigate further.” Such a vulnerability could also be possible on many other platforms, Vanunu said.

“Rarible acknowledged the security flaw quickly and fixed it by removing the SVG file upload option. This terminated the malicious NFT attack option,” Vanunu confirmed.
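Rarible's fix was to stop accepting SVG. As an added example (not Rarible's code), the JavaScript below shows why such a gate has to look at the uploaded bytes rather than the filename or the client-supplied Content-Type: it allows only raster formats identified by their magic numbers and rejects everything else, including an SVG renamed to .png. The allowed-format list and the sample uploads are assumptions made for this example.

```javascript
// Added example (not Rarible's code): content-based gating of NFT media uploads.
// The filename and Content-Type header are attacker-controlled, so the decision
// is made from the bytes alone. Only formats on a raster allow-list pass.

// Magic numbers of the raster formats this example chooses to allow (an assumption).
const MAGIC = [
  { type: "image/png",  bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: "image/jpeg", bytes: [0xff, 0xd8, 0xff] },
  { type: "image/gif",  bytes: [0x47, 0x49, 0x46, 0x38] }, // "GIF8" covers GIF87a and GIF89a
];

function startsWith(buf, bytes) {
  if (buf.length < bytes.length) return false;
  for (let i = 0; i < bytes.length; i++) if (buf[i] !== bytes[i]) return false;
  return true;
}

// Does the content look like an SVG document? Skips a UTF-8 BOM, whitespace, the XML
// declaration, comments and a DOCTYPE, then checks the root element name (case-insensitive,
// optionally namespace-prefixed). This is only used to give a precise rejection reason:
// anything this misses is still rejected by the allow-list, so a miss is not a bypass.
function looksLikeSvg(buf) {
  let text = buf.subarray(0, 4096).toString("utf8");
  if (text.charCodeAt(0) === 0xfeff) text = text.slice(1);
  let i = 0;
  for (;;) {
    while (i < text.length && /\s/.test(text[i])) i++;
    if (text.startsWith("<?", i)) { const e = text.indexOf("?>", i); if (e < 0) return false; i = e + 2; continue; }
    if (text.startsWith("<!--", i)) { const e = text.indexOf("-->", i); if (e < 0) return false; i = e + 3; continue; }
    if (text.startsWith("<!", i)) { const e = text.indexOf(">", i); if (e < 0) return false; i = e + 1; continue; }
    break;
  }
  return /^<(?:[\w.-]+:)?svg[\s>\/]/i.test(text.slice(i));
}

// Decide whether an uploaded blob may be stored as NFT media. `claimedType` and `filename`
// are echoed back for logging only; they play no part in the decision.
function classifyUpload(buf, claimedType, filename) {
  for (const m of MAGIC) {
    if (startsWith(buf, m.bytes)) {
      return { accept: true, detected: m.type, claimedType, filename };
    }
  }
  const detected = looksLikeSvg(buf) ? "image/svg+xml" : "unknown";
  return {
    accept: false, detected, claimedType, filename,
    reason: detected === "image/svg+xml" ? "SVG can carry script; not accepted" : "unrecognised format",
  };
}

// Constructed samples (not real uploads). The <script> in the SVG runs when the file is
// opened as a document (navigated to, or embedded via <object>/<iframe>/inline), which is
// the "click the link" step in the article; it does not run when rendered via <img>.
const pngHeader = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00, 0x00, 0x00, 0x0d]);
const scriptedSvg = Buffer.from(
  '<?xml version="1.0"?>\n<!-- harmless looking -->\n<svg xmlns="http://www.w3.org/2000/svg">' +
  '<script>/* would run when the SVG is opened as a document */</script></svg>');

console.log(classifyUpload(pngHeader, "image/png", "art.png"));
// Renaming the SVG and lying about its type does not help the uploader:
console.log(classifyUpload(scriptedSvg, "image/png", "art.png"));
```

Using an allow-list rather than a denylist of dangerous tags is deliberate: scanning SVG text for `<script>` or `on*=` attributes is easy to evade with encoding tricks, while refusing anything whose magic number is not a known raster format leaves nothing to evade.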


Vanunu declined to estimate how much the flaw could have cost users, since it could have been "triggered on any user on the platform." For scale, a similar attack on a single wallet belonging to DeFiance Capital founder Arthur0x last month resulted in the loss of roughly 600 Ether ($1.86 million).

CPR urged users to scrutinize every approval request on NFT platforms and, when in doubt, to verify the request on Etherscan before signing. Operator approvals granted this way stay in force until they are explicitly revoked, so approvals already given are worth reviewing as well.

Cointelegraph has reached out to Rarible for comment on the matter, and will update the story if the company responds.
