Cybersecurity researchers have discovered a security hole in Rarible, a non-fungible token (NFT) marketplace. The flaw could have allowed account takeovers and the theft of crypto assets.
“By luring victims to click on a malicious NFT, an attacker can take full control of the victim’s crypto wallet to steal funds,” Check Point researchers Roman Zaikin, Dikla Barda, and Oded Vanunu said in a report shared with The Hacker News.
Rarible, an NFT marketplace that enables users to create, buy, and sell digital NFT art like photographs, games, and memes, has over 2.1 million active users.
“There is still a huge gap, in terms of security, between Web2 and Web3 infrastructure,” Vanunu, head of products vulnerabilities research at Check Point, said in a statement shared with The Hacker News.
“Any small weakness could allow hackers to steal crypto wallets. We are still in a state where marketplaces that combine Web3 protocols are lacking from a security perspective. The implications following a crypto hack can be extreme.”
setApprovalForAll is a standard ERC-721 (and ERC-1155) token function: the token holder names an operator address that is allowed to transfer any token they own, now or in the future. A marketplace such as Rarible asks sellers to approve its contract as operator so that, once a sale goes through, the contract can move the sold item from the seller’s address to the buyer’s address. The function itself does not care who the operator is; signed with a different address in that field, the same call grants that address the same power.
“This function may be used to monitor your NFTs, if anyone is tricked enough to sign it,” researchers stated.
“It’s not always clear to users exactly what permissions they are giving by signing a transaction. Most of the time, the victim assumes these are regular transactions when in fact, they were giving control over their own NFTs.”
Once the victim signs, the attacker is an approved operator for every NFT in the victim’s account and can transfer them all out, then list them on the marketplace and sell them for a higher price.
As safeguards, users should scrutinize every transaction request before authorizing it, and look at which function the wallet is actually being asked to sign rather than assuming it is a harmless connect step. Existing token approvals can be reviewed and revoked with Etherscan’s Token Approval Checker tool. Revoking is itself an on-chain transaction (setApprovalForAll with the approved flag set to false), so it costs gas, and it does not bring back tokens that have already been transferred.
“NFT customers should know that there are multiple wallet requests. Some are just for connecting the wallet but some may allow full access to NFTs or Tokens,” researchers stated.
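As an added example, not code from Check Point, Rarible, or the original article, the following JavaScript shows the two things the report asks users to do: inspect what a signing request really is, and understand what an operator approval lets someone do. It classifies raw calldata by its 4-byte function selector (the selectors are the standard ERC-721 ones) and runs the approval-then-drain-then-revoke sequence against a minimal in-memory model of the ERC-721 authorization check. The Erc721 class, the addresses, token ids and the malicious calldata are all constructed for the demonstration and stand in for a real token contract and a real wallet prompt.

```javascript
// Added example (not Check Point's, Rarible's, or the article's code): a
// calldata classifier for wallet prompts plus a minimal in-memory model of
// ERC-721 approvals, showing what signing setApprovalForAll(operator, true)
// grants and that the grant stays open until it is explicitly revoked.

// 4-byte selectors: first 4 bytes of keccak256(signature) per the ABI spec.
const SELECTORS = {
  a22cb465: "setApprovalForAll(address,bool)",
  "095ea7b3": "approve(address,uint256)",
  "23b872dd": "transferFrom(address,address,uint256)",
};

// Classify raw calldata the way a cautious user (or wallet) should before signing.
function classifyCalldata(data) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  const sel = hex.slice(0, 8);
  const words = hex.slice(8).match(/.{64}/g) || []; // 32-byte ABI words
  const fn = SELECTORS[sel];
  if (fn === "setApprovalForAll(address,bool)") {
    const operator = "0x" + words[0].slice(24); // address is right-aligned in its word
    const approved = BigInt("0x" + words[1]) !== 0n;
    return {
      fn, operator, approved,
      risk: approved ? "HIGH: operator may move every token you own now or later" : "LOW: revocation",
    };
  }
  if (fn === "approve(address,uint256)") {
    return { fn, spender: "0x" + words[0].slice(24), tokenId: BigInt("0x" + words[1]), risk: "MEDIUM: one token" };
  }
  return { fn: fn || `unknown selector 0x${sel}`, risk: "UNKNOWN: do not sign blind" };
}

// Minimal ERC-721 authorization model (hypothetical stand-in for a real token
// contract). `caller` plays the role of msg.sender.
class Erc721 {
  constructor() {
    this.owners = new Map();            // tokenId -> owner
    this.tokenApprovals = new Map();    // tokenId -> single approved address
    this.operatorApprovals = new Map(); // "owner:operator" -> bool
  }
  mint(to, id) { this.owners.set(id, to); }
  ownerOf(id) { return this.owners.get(id); }
  setApprovalForAll(caller, operator, approved) { this.operatorApprovals.set(`${caller}:${operator}`, approved); }
  isApprovedForAll(owner, operator) { return this.operatorApprovals.get(`${owner}:${operator}`) === true; }
  approve(caller, to, id) {
    if (this.ownerOf(id) !== caller) throw new Error("approve: caller is not owner");
    this.tokenApprovals.set(id, to);
  }
  transferFrom(caller, from, to, id) {
    const owner = this.ownerOf(id);
    if (owner !== from) throw new Error("transferFrom: from is not owner");
    // The standard check: owner, per-token approval, or operator approval.
    const authorized = caller === owner || this.tokenApprovals.get(id) === caller || this.isApprovedForAll(owner, caller);
    if (!authorized) throw new Error("transferFrom: caller is not owner nor approved");
    this.tokenApprovals.delete(id);
    this.owners.set(id, to);
  }
}

// Constructed scenario: the victim holds three tokens and a malicious page asks
// the wallet to sign setApprovalForAll(attacker, true). Addresses are made up.
const VICTIM = "0x" + "11".repeat(20);
const ATTACKER = "0x" + "ab".repeat(20);
const MALICIOUS_CALLDATA = "0xa22cb465" + ATTACKER.slice(2).padStart(64, "0") + "1".padStart(64, "0");

function runScenario() {
  const nft = new Erc721();
  [1, 2, 3].forEach((id) => nft.mint(VICTIM, id));

  const prompt = classifyCalldata(MALICIOUS_CALLDATA);
  // The victim mistakes the prompt for a "connect wallet" step and signs it.
  nft.setApprovalForAll(VICTIM, prompt.operator, prompt.approved);

  // The attacker, now an operator, moves every token, including one minted later.
  nft.mint(VICTIM, 4);
  const drained = [];
  for (const id of [1, 2, 3, 4]) { nft.transferFrom(ATTACKER, VICTIM, ATTACKER, id); drained.push(id); }

  // The victim revokes with the same function and approved=false; later tokens are safe.
  nft.setApprovalForAll(VICTIM, ATTACKER, false);
  nft.mint(VICTIM, 5);
  let revokeBlocked = false;
  try { nft.transferFrom(ATTACKER, VICTIM, ATTACKER, 5); } catch (e) { revokeBlocked = true; }

  return { prompt, drained, stillOwned: nft.ownerOf(5), revokeBlocked };
}
```

The point of the model is the authorization line in transferFrom: an operator approval is checked per owner, not per token, so one signature covers tokens the victim did not even hold yet, and nothing short of a second signed transaction closes it. The classifier is the part a wallet or a careful user needs: the selector and the approved flag, not the page that triggered the prompt, say whether a request is a harmless connect or a full-collection grant.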