Audio player loading…

A potentially major security flaw has been discovered on Rarible, a popular marketplace for non-fungible tokens (NFT), which could lead to users losing not just their NFTs, but also the cryptocurrencies right from their wallets.

A report from Check Point Research (CPR) identified a vulnerability that would allow a potential attacker to steal someone’s digital belongings in a single transaction. The worst part is that everything would happen on the marketplace itself, a place people would generally feel less suspicious.

According to CPRs report, the methodology is simple, and includes creating a “malicious NFT”. Should someone stumble upon it, and click on it, the malicious NFT would execute JavaScript code in an attempt to send a setApprovalForAll request to the victim.

Malicious NFTs

In case the victim submits the requests, they’d grant the malicious NFT full access to their endpoint

“In October last year, we discovered critical security flaws in OpenSea, the world’s largest NFT marketplace. Now, we’ve identified similar vulnerabilities in Rarible,” commented Oded Vanunu, Head of Products Vulnerabilities Research at Check Point Software. 

“In terms of security, there is still a huge gap between Web2 and Web3 infrastructure. Any small vulnerability opens a backdoor for cybercriminals to hijack crypto wallets behind the scenes. We are still in a state where marketplaces that combine Web3 protocols are lacking a sound security practice. The implications following a crypto hack can be extreme. We’ve seen millions of dollars hijacked from users of marketplaces that combine blockchain technologies.” 

Last year, Rarible has had more than $273 million in trading volume, making it one of the largest NFT marketplaces on the planet. 

The company notified the marketplace of its discovery, and said it “believes Rarible will have deployed a fix by the time of this publication”. We have reached out to Rarible to see if that indeed is the case, and will update the article accordingly. 

However, given that it’s Easter weekend, it could be a few days before we hear back from Rarible.

“Users currently need to manage two types of wallets: one for most of their crypto and another just for specific transactions,” Vanunu continued. 

“Should the wallet for specific transactions become compromised, users can still be in a position where they don’t lose everything.”