The vulnerability could allow attackers to steal crypto and NFT tokens in a single transaction if exploited.
Check Point Research team has identified a vulnerability in the Ethereum-based Rarible marketplace for Non-Fungible Token aka NFT, allowing attackers to remotely steal digital assets using a simple trick and transfer the funds directly to their wallets.
According to researchers, if this security flaw is exploited, threat actors can easily steal crypto tokens and NFTs.
The Jay Chou Connection
Check Point Research’s investigation into the Rarible marketplace was initiated after they observed an attack on famous Taiwanese singer Jay Chou in which the singer’s Bored Ape NFTs were stolen and sold for more than half a million dollars.
According to reports, The singer was tricked into submitting a transaction. His BoardAppe NFT 3738 was later sold for $500,000 on the marketplace. After witnessing this, researchers became intrigued since anyone can be tricked like this, and hence, an investigation into Rarible was launched.
About Rarible
Community-centric NFT marketplace Rarible has 2.1 million registered users. The marketplace offers around 50% royalties and supports three blockchains. Rarible rakes in hundreds of millions of dollars in annual trading volume. The platform reported a $273 million trading volume in 2021, becoming one of the world’s largest NFT marketplaces.
What’s the Issue?
The issue arises from the inherent risk in the “setApprovalForAll” function. This function is a part of the NFT EIP-721 standard that allows someone else to fully control the NFT assets. An attacker only needs to fake a seemingly innocuous transaction request and ask the asset owner to sign it. The attacker snags the target’s NFTs or takes control of the wallet without the victim’s knowledge.
The vulnerability, according to CheckPoint’s blog post, detected in Rarible is that it lets users upload up to 100MB of media files without scanning them for malicious software/content. Based on this information, researchers tried to create an SVG image to hide a malicious JavaScript payload and upload it as an NFT for sale on Rarible.
When they clicked on the NFT image or the IPFS link, this triggered the code execution, and the victim’s browser displayed a “setApprovalForAll” transaction request. Check Point researchers stated that users who have become victims already could review and revoke the token permissions they gave through previous fraudulent transaction requests.
Possible Dangers
If the victim doesn’t understand the purpose of the transaction or is somewhat careless, they will unknowingly approve the request, and the attacker will gain access to their NFT collection. Once this is done, the attacker will use the TransferForm action, steal the NFT, and transfer them to their wallet. This action is irreversible since it is a blockchain transaction.
To stay safe, users must remain cautious when they receive new requests to sign in within the marketplace and review the request carefully. If deemed suspicious, they must reject the request and examine it further before authorizing it.
Check Point disclosed the findings to Rarible on April 5th, and the marketplace acknowledged the security flaw, after which a fix might be underway soon.
More NFT Security News
- Official website of Banksy hacked for a fake NFT scam
- Phishing scam: NFTs Worth $1.7M Stolen from OpenSea Users
- OpenSea vulnerability allowed crypto theft with malicious NFTs
- Hot wallet hack: Hackers steal $18.7m from Animoca’s Lympo NTF platform
- $625m Stolen From Ronin Network – The Blockchain Behind Axie Infinity Game
