“A successful attack would have come from a malicious NFT within Rarible’s marketplace, itself, where users are less suspicious and familiar with submitting transactions,” noted Check Point Research.
The research arm of cyber security software firm Check Point said it identified a vulnerability in the Rarible NFT marketplace that could have seen many of its roughly two million active monthly users lose their NFTs in a single transaction.
Check Point is a multinational IT security firm that was founded in Ramat Gan, Israel in 1993 and also claimed to have spotted issues relating to malicious airdrops on OpenSea back in October 2021.
According to documents shared with Cointelegraph, Check Point Research (CPR) recently discovered that malicious actors could send users a dubious link to an NFT that executes JavaScript code after clicking that “attempts to send a setApprovalForAll request to the victim.”
If the link is clicked, the user grants full access to their wallets on Rarible. CPR stated that it immediately notified Rarible on April 5, with the platform promptly acknowledging and fixing the security flaw:
“If exploited, the vulnerability would have enabled a threat actor to steal a user’s NFTs and cryptocurrency wallets in a single transaction. A successful attack would have come from a malicious NFT within Rarible’s marketplace itself, where users are less suspicious and familiar with submitting transactions.”
NFT Theft
Speaking with Cointelegraph, Oded Vanunu, head of products vulnerabilities research at Check Point Software said his team became interested in this type of scam after Taiwanese singer Jay Chou fell victim to a similar attack. Chou’s BoredApe #3738 NFT was swiped via a nefarious transaction at the start of this month.
“Once we saw that this NFT was stolen, it gave us the incentive to investigate further.” Such a vulnerability could also be possible on many other platforms, Vanunu said.
“Rarible acknowledged the security flaw quickly and fixed it by removing the SVG file upload option. This terminated the malicious NFT attack option,” Vanunu confirmed.
Related: Trezor investigates potential data breach as users cite phishing attacks
Vanunu refused to estimate the potential value lost that the security flaw could have resulted in, as it could have been “triggered on any user on the platform.” Notably, a similar attack on just a single wallet belonging to DeFiance Capital founder Arthur0x last month resulted in the loss of roughly 600 Ether ($1.86 million).
CPR urged users to be diligent any time they approve any requests on NFT platforms and verify all of them via Etherscan’s request tracker in times of uncertainty.
Cointelegraph has reached out to Rarible for comment on the matter, and will update the story if the company responds.