Cyber Security Firm Discovers Critical Vulnerability on NFT Marketplace Rarible


Check Point, the American-Israeli multinational that provides hardware and software products for IT security, has revealed that it identified a security flaw in the popular NFT marketplace Rarible, which boasts over two million monthly active users.

Vulnerability on Rarible

In a blog post, Check Point Research (CPR) said the flaw, if exploited, would have allowed a malicious actor to siphon off a user’s NFTs and cryptocurrency wallets in a single transaction.

Rarible is one of the most established marketplaces in the NFT sector. It reported more than $273 million in trading volume in 2021. Hence, CPR mentioned that platform users are “less suspicious and familiar with submitting transactions.” Researchers at the firm alerted Rarible to the discovery on April 5th, following which the NFT platform acknowledged the flaw and fixed it immediately.

Describing the attack method, CPR noted:

“The victim receives a link to the malicious NFT or browses the marketplace and clicks on it. The malicious NFT executes JavaScript code and attempts to send a setApprovalForAll request to the victim. The victim submits the request and grants full access to this NFT/Crypto Token to the attacker.”

CPR first became intrigued by these types of cases after popular Taiwanese singer Jay Chou fell victim to a similar cyber-attack. Reportedly, attackers stole Chou’s NFT and later sold it for $500k.

Interestingly, the company also detected critical security vulnerabilities on OpenSea last October, which could have potentially allowed attackers to “hack into user accounts and steal entire cryptocurrency wallets by creating malicious NFTs”.

It also urged users to exercise caution while reviewing what is being requested. If the request appears abnormal or suspicious, they should reject it and inspect it further before providing any kind of authorization.
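One way to automate the review of a setApprovalForAll request before signing, as an added example that is not code from Check Point or Rarible. The function name, the `trustedOperators` allowlist, the verdict labels and the sample addresses are hypothetical; `0xa22cb465` is the standard function selector for `setApprovalForAll(address,bool)`.

```javascript
// Selector: first 4 bytes of keccak256("setApprovalForAll(address,bool)").
const SET_APPROVAL_FOR_ALL = "a22cb465";

// tx: object shaped like an eth_sendTransaction parameter ({ to, data }).
// trustedOperators: hypothetical allowlist of operators the user expects.
function reviewApprovalRequest(tx, trustedOperators = []) {
  const data = String(tx.data || "").toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]*$/.test(data) || data.length % 2 !== 0) {
    return { verdict: "reject", reason: "calldata is not valid hex" };
  }
  if (data.slice(0, 8) !== SET_APPROVAL_FOR_ALL) {
    return { verdict: "not-approval", reason: "not a setApprovalForAll call" };
  }
  // Two 32-byte ABI words follow the selector (address, bool). Callees
  // typically ignore trailing bytes, so decode the first two words regardless.
  const args = data.slice(8);
  if (args.length < 128) {
    return { verdict: "reject", reason: "truncated arguments" };
  }
  const addrWord = args.slice(0, 64);
  const boolWord = args.slice(64, 128);
  // Canonical encoding: address in the low 20 bytes, bool is exactly 0 or 1.
  if (!/^0{24}/.test(addrWord) || !/^0{63}[01]$/.test(boolWord)) {
    return { verdict: "reject", reason: "non-canonical argument encoding" };
  }
  const operator = "0x" + addrWord.slice(24);
  const collection = String(tx.to || "").toLowerCase();
  if (boolWord.endsWith("0")) {
    return { verdict: "revocation", operator, collection,
             reason: "revokes operator access" };
  }
  const trusted = trustedOperators.map((a) => a.toLowerCase()).includes(operator);
  return {
    verdict: trusted ? "known-operator" : "warn",
    operator, collection,
    reason: "lets operator transfer every token the signer holds in this collection",
  };
}

// Constructed sample request; both addresses are made up for illustration.
const sampleTx = {
  to: "0x1111111111111111111111111111111111111111",
  data: "0xa22cb465" + "0".repeat(24) + "2".repeat(40) + "0".repeat(63) + "1",
};
console.log(reviewApprovalRequest(sampleTx));
```

A "warn" verdict means the request would hand an unrecognised address control of the whole collection, which is the authorization the article advises rejecting and inspecting further.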

Creeping attacks on NFT markets

The development comes just over a month after Arbitrum-based NFT marketplace – TreasureDAO – witnessed the theft of hundreds of NFTs as part of an exploit in a series of transactions. The malicious entities exploited a security flaw in the protocol that allowed them to manufacture non-fungible tokens for free.

OpenSea’s front-end was also exploited at the beginning of the year in an attack that targeted Bored Ape Yacht Club (BAYC) holders. As reported earlier, the perpetrator managed to steal around $750K worth of ETH.

admin
