The research division of cybersecurity software company Check Point said it had identified a vulnerability in Rarible’s NFT marketplace which could have caused many of its roughly two million monthly active users to lose their NFTs in a single transaction.
Check Point is a multinational computer security company founded in Ramat Gan, Israel, in 1993; it also claimed to have detected issues related to malicious launches on OpenSea in October 2021.
According to documents shared with Cointelegraph, Check Point Research (CPR) recently discovered that malicious actors could send users a dubious link to an NFT which, once clicked, executes JavaScript code that “attempts to send a setApprovalForAll request to the victim”.
If the link is clicked, the user grants full access to their wallet on Rarible. CPR stated that it immediately notified Rarible on April 5, and the platform quickly recognized and fixed the security flaw:
“If exploited, the vulnerability would have allowed a user’s NFTs and cryptocurrency wallets to be stolen in a single transaction. A successful attack would have come from a malicious NFT within Rarible’s own marketplace, where users are less suspicious and familiar with sending transactions.”
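The request at the centre of the report is an ERC-721/ERC-1155 `setApprovalForAll(operator, approved)` call: once signed with `approved = true`, the operator contract may transfer every token the wallet holds in that collection, which is why one transaction is enough. The Python below is an added example (not Check Point's or Rarible's code) that decodes the calldata of such a request so a reviewer can see exactly which operator is being granted blanket approval, classifies it against an allowlist of known marketplace contracts, and builds the matching revocation transaction. The operator address and allowlist entry are constructed placeholders, not real contract addresses.

```python
# Added example: decode and assess a setApprovalForAll(address,bool) request.
# The function selector is the first 4 bytes of keccak256("setApprovalForAll(address,bool)").
SET_APPROVAL_FOR_ALL_SELECTOR = "a22cb465"


def _strip_0x(hex_str: str) -> str:
    s = hex_str.strip().lower()
    return s[2:] if s.startswith("0x") else s


def decode_set_approval_for_all(calldata: str):
    """Return {'operator': ..., 'approved': ...} or None if this is not a setApprovalForAll call.
    Raises ValueError when the ABI encoding is malformed."""
    data = _strip_0x(calldata)
    if len(data) < 8 or data[:8] != SET_APPROVAL_FOR_ALL_SELECTOR:
        return None
    # ABI layout after the selector: one 32-byte word per argument.
    if len(data) != 8 + 64 + 64:
        raise ValueError("unexpected calldata length for setApprovalForAll")
    operator_word, approved_word = data[8:72], data[72:136]
    # An address occupies the low 20 bytes of its word; the high 12 bytes must be zero.
    if operator_word[:24] != "0" * 24:
        raise ValueError("operator word has non-zero padding")
    # A bool must encode as exactly 0 or 1; reject anything else rather than guess.
    if approved_word not in ("0" * 64, "0" * 63 + "1"):
        raise ValueError("approved flag is not a canonical bool")
    return {"operator": "0x" + operator_word[24:], "approved": approved_word.endswith("1")}


def encode_set_approval_for_all(operator: str, approved: bool) -> str:
    """Build setApprovalForAll calldata; with approved=False this is the revocation transaction."""
    addr = _strip_0x(operator)
    if len(addr) != 40 or any(c not in "0123456789abcdef" for c in addr):
        raise ValueError("operator must be a 20-byte hex address")
    flag = "1" if approved else "0"
    return "0x" + SET_APPROVAL_FOR_ALL_SELECTOR + addr.rjust(64, "0") + flag.rjust(64, "0")


def assess_request(calldata: str, trusted_operators) -> str:
    """Classify a pending wallet request the way a cautious user (or a wallet warning) would."""
    decoded = decode_set_approval_for_all(calldata)
    if decoded is None:
        return "not_set_approval_for_all"
    if not decoded["approved"]:
        return "revocation"  # removing an operator's access: low risk
    trusted = {_strip_0x(a) for a in trusted_operators}
    if _strip_0x(decoded["operator"]) in trusted:
        return "trusted_operator"
    return "UNKNOWN_OPERATOR"  # blanket approval to an unrecognised contract: stop and verify


# Constructed sample values (placeholders, not real contract addresses).
KNOWN_MARKETPLACE = "0x" + "ab" * 20
SUSPECT_OPERATOR = "0x" + "11" * 20
SAMPLE_CALLDATA = encode_set_approval_for_all(SUSPECT_OPERATOR, True)

if __name__ == "__main__":
    print(decode_set_approval_for_all(SAMPLE_CALLDATA))
    print(assess_request(SAMPLE_CALLDATA, {KNOWN_MARKETPLACE}))
    print(assess_request(encode_set_approval_for_all(SUSPECT_OPERATOR, False), {KNOWN_MARKETPLACE}))
```

The decoder deliberately refuses non-canonical encodings (dirty address padding, a bool that is not 0 or 1) instead of silently accepting them, because a display that shows a "clean" operator for bytes the chain would interpret differently is worse than no display at all. The same decoding is what a block explorer performs when it labels a pending transaction for you.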
NFT theft
Speaking to Cointelegraph, Oded Vanunu, Head of Product Vulnerability Research at Check Point Software, said his team became interested in this type of scam after Taiwanese singer Jay Chou fell victim to a similar attack. Chou’s NFT, BoredApe #3738, was stolen in a nefarious transaction earlier this month.
“Once we saw that this NFT was stolen, it gave us the incentive to investigate further.” Such a vulnerability could also be possible on many other platforms, Vanunu said.
“Rarible quickly recognized the security flaw and fixed it by removing the option to upload SVG files. This ended the NFT malicious attack option,” confirmed Vanunu.
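Rarible's fix was to stop accepting SVG uploads altogether, because SVG is XML that can carry script elements and event-handler attributes which run in the viewer's page. As an added example (not Rarible's code), the Python below shows the kind of gate an upload pipeline can apply if it still wants to accept SVGs: it parses the file and reports script and foreignObject elements, `on*` event-handler attributes, and `javascript:` links, rejecting the upload when any are present. The two SVG strings are constructed samples, and the stdlib parser is used only to keep the example self-contained.

```python
# Added example: reject SVG uploads that carry active content.
# A production gate should parse with defusedxml (the stdlib parser is used here for
# self-containment) and, better still, rasterize SVGs to PNG on upload rather than
# serving the original markup back to other users.
import xml.etree.ElementTree as ET

ACTIVE_ELEMENTS = {"script", "foreignobject"}
DANGEROUS_URI_SCHEMES = ("javascript:", "data:text/html")


def _local_name(qualified: str) -> str:
    """Strip an XML namespace prefix such as '{http://www.w3.org/2000/svg}script'."""
    return qualified.rsplit("}", 1)[-1].lower()


def svg_findings(svg_text: str):
    """Return the reasons an SVG should be rejected; an empty list means no active content found."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    findings = []
    for elem in root.iter():
        name = _local_name(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"active element <{name}>")
        for attr, value in elem.attrib.items():
            attr_name = _local_name(attr)
            if attr_name.startswith("on"):
                findings.append(f"event handler attribute {attr_name} on <{name}>")
            if attr_name == "href" and value.strip().lower().startswith(DANGEROUS_URI_SCHEMES):
                findings.append(f"scripted href on <{name}>")
    return findings


def is_safe_svg(svg_text: str) -> bool:
    return not svg_findings(svg_text)


# Constructed samples: a plain shape, and one carrying a handler plus an (inert) script element.
BENIGN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              '<circle cx="5" cy="5" r="4"/></svg>')
ACTIVE_SVG = ('<svg xmlns="http://www.w3.org/2000/svg">'
              '<rect width="10" height="10" onclick="init()"/>'
              '<script>/* constructed placeholder: page script would run here */</script></svg>')

if __name__ == "__main__":
    print("benign:", svg_findings(BENIGN_SVG))
    print("active:", svg_findings(ACTIVE_SVG))
```

Checking the parsed tree rather than regex-matching the raw text matters because namespaces, attribute quoting and entity encoding give the same element many textual spellings; the parser normalises them before the check runs. The list of findings, rather than a bare boolean, is what an upload service would log so that rejected files can be reviewed later.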
Vanunu declined to estimate the potential value the security flaw could have put at risk, as it could have been “triggered on any user of the platform.” Notably, a similar attack last month on a single wallet belonging to DeFiance Capital founder Arthur0x resulted in the loss of some 600 Ether ($1.86 million).
CPR urged users to be diligent whenever approving any requests on NFT platforms and, in times of uncertainty, to verify them all through the Etherscan request tracker.
Cointelegraph has reached out to Rarible for comment on the matter, and will update the story if the company responds.
Clarification: The information and/or opinions expressed in this article do not necessarily represent the views or editorial line of Cointelegraph. The information set forth herein should not be taken as financial advice or investment recommendation. All investment and commercial movement involve risks and it is the responsibility of each person to do their due research before making an investment decision.