Another top NFT marketplace may have a serious security flaw

A potentially major security flaw has been discovered on Rarible, a popular marketplace for non-fungible tokens (NFTs), which could lead to users losing not only their NFTs, but also cryptocurrencies directly from their wallets.

A report from Check Point Research (CPR) has identified a vulnerability that would allow an attacker to take a user's digital assets with a single signed transaction. Worse, everything would happen on the marketplace itself, a place where users are generally less suspicious of what they are asked to sign.

According to the CPR report, the method is simple: the attacker creates a "malicious NFT". If a user opens it, the NFT executes JavaScript that asks the victim's wallet to sign a setApprovalForAll transaction.

Malicious NFTs

If the victim confirms that request, the attacker's address becomes an approved operator for every token the victim holds in that contract: setApprovalForAll grants blanket transfer rights over all of an owner's tokens in the collection, so the attacker can move them out afterwards without any further consent. The approval transaction itself transfers nothing, which is why it draws little attention at signing time.
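The exchange described above, as an added example that is not part of the CPR report or Rarible's code: it builds the calldata a malicious page would hand to the wallet, decodes it the way a wallet-side check could before showing the confirmation dialog, and simulates an ERC-721 ledger to show what the approval buys the operator. The selector 0xa22cb465 and the ABI word layout are ERC-721 facts; the addresses, token IDs and the helper names (encodeSetApprovalForAll, inspectTransaction, Erc721Sim, simulateMaliciousNft) are assumptions made up for the example.

```javascript
// Added example (not Check Point's or Rarible's code). Addresses and token IDs
// below are constructed for illustration; only the selector/ABI layout is real.
const SET_APPROVAL_FOR_ALL_SELECTOR = "a22cb465"; // keccak256("setApprovalForAll(address,bool)")[0:4]

const ATTACKER = "0xd34db33fd34db33fd34db33fd34db33fd34db33f";   // made-up operator address
const VICTIM = "0xc0ffeec0ffeec0ffeec0ffeec0ffeec0ffeec0ff";     // made-up victim wallet
const BYSTANDER = "0x0000000000000000000000000000000000000001"; // unrelated holder
const COLLECTION = "0xbadc0debadc0debadc0debadc0debadc0debadc0"; // made-up NFT contract

// Right-align a hex value in a 32-byte ABI word.
const pad32 = (hex) => hex.toLowerCase().replace(/^0x/, "").padStart(64, "0");

// What the malicious NFT's script encodes: setApprovalForAll(operator, approved).
function encodeSetApprovalForAll(operator, approved) {
  return "0x" + SET_APPROVAL_FOR_ALL_SELECTOR + pad32(operator) + pad32(approved ? "1" : "0");
}

// Wallet-side decoder: returns {operator, approved} for a well-formed
// setApprovalForAll call, or null for anything else (including approve(address,uint256)).
function decodeSetApprovalForAll(data) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  if (hex.length !== 8 + 64 + 64 || hex.slice(0, 8) !== SET_APPROVAL_FOR_ALL_SELECTOR) return null;
  const operatorWord = hex.slice(8, 72);
  const approvedWord = hex.slice(72, 136);
  if (!/^0{24}/.test(operatorWord)) return null;      // address must sit in the low 20 bytes
  if (!/^0{63}[01]$/.test(approvedWord)) return null; // bool must be exactly 0 or 1
  return { operator: "0x" + operatorWord.slice(24), approved: approvedWord.endsWith("1") };
}

// The check a wallet could run before rendering the confirmation dialog.
function inspectTransaction(tx) {
  const call = decodeSetApprovalForAll(tx.data || "0x");
  if (!call || !call.approved) return null;
  return `setApprovalForAll: grants ${call.operator} transfer rights over every token ${tx.from} holds in ${tx.to}`;
}

// Minimal in-memory ERC-721 ledger: owners, operator approvals, transferFrom rules.
class Erc721Sim {
  constructor(owners) { this.owners = new Map(Object.entries(owners)); this.operators = new Map(); }
  setApprovalForAll(caller, operator, approved) { this.operators.set(`${caller}:${operator}`, approved); }
  isApprovedForAll(owner, operator) { return this.operators.get(`${owner}:${operator}`) === true; }
  transferFrom(caller, from, to, tokenId) {
    if (this.owners.get(tokenId) !== from) throw new Error("not owner");
    if (caller !== from && !this.isApprovedForAll(from, caller)) throw new Error("not authorised");
    this.owners.set(tokenId, to);
  }
  tokensOf(owner) { return [...this.owners].filter(([, o]) => o === owner).map(([id]) => id); }
}

function simulateMaliciousNft() {
  const nft = new Erc721Sim({ "1": VICTIM, "2": VICTIM, "3": VICTIM, "4": BYSTANDER });
  // The malicious NFT's JavaScript would hand this to the injected provider, e.g.
  //   window.ethereum.request({ method: "eth_sendTransaction", params: [txRequest] })
  // Note value is absent: the approval itself moves nothing.
  const txRequest = { from: VICTIM, to: COLLECTION, data: encodeSetApprovalForAll(ATTACKER, true) };
  const warning = inspectTransaction(txRequest);
  // Victim clicks "confirm": the contract runs setApprovalForAll with msg.sender = victim.
  const call = decodeSetApprovalForAll(txRequest.data);
  nft.setApprovalForAll(txRequest.from, call.operator, call.approved);
  // The operator now drains every token the victim holds in that contract.
  const before = nft.tokensOf(VICTIM);
  for (const id of before) nft.transferFrom(ATTACKER, VICTIM, ATTACKER, id);
  return {
    warning,
    drained: before.length,
    victimLeft: nft.tokensOf(VICTIM).length,
    attackerHas: nft.tokensOf(ATTACKER).length,
    bystanderLeft: nft.tokensOf(BYSTANDER).length,
  };
}

console.log(JSON.stringify(simulateMaliciousNft(), null, 2));
```

The decoder is deliberately strict about the unused high bytes of the operator word and the bool word; a wallet that only compares the selector can be fooled into mis-describing the call, while one that refuses to decode malformed words will at least fall back to a generic "unknown contract call" prompt rather than a reassuring one.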

“In October last year, we discovered critical security vulnerabilities in OpenSea, the world’s largest NFT marketplace. Now we have identified similar vulnerabilities in Rarible,” commented Oded Vanunu, Head of Product Vulnerability Research at Check Point Software.

“In terms of security, there is still a huge gap between Web2 and Web3 infrastructures. Any small vulnerability opens a backdoor for cyber criminals to hijack crypto wallets behind the scenes. We are still in a state where marketplaces that combine Web3 protocols lack a strong security practice. The implications following a cryptographic hack can be extreme. We have seen millions of dollars diverted from users of marketplaces that combine blockchain technologies.”

Last year, Rarible had a trading volume of over $273 million, making it one of the largest NFT marketplaces on the planet.


Check Point informed the marketplace of its discovery and said that it “believes Rarible will have deployed a fix by the time of this publication.” We’ve reached out to Rarible to see if that’s indeed the case, and we’ll update the article accordingly.

However, since it’s Easter weekend, it could be a few days before we hear from Rarible.

“Users currently have to manage two types of wallets: one for most of their cryptos and another just for specific transactions,” Vanunu continued.

“If the wallet for specific transactions is compromised, users may still be in a position where they don’t lose everything.”
