Powered by MOMENTUM MEDIA
cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Crypto wallets at risk due to Rarible NFT marketplace security flaw

Check Point Research (CPR) identified a security flaw in Rarible, the NFT marketplace with over two million active users; the vulnerability would have enabled a threat actor to steal a user’s NFTs and crypto tokens in a single transaction if exploited.

user iconReporter
Tue, 19 Apr 2022
Crypto wallets at risk due to Rarible NFT marketplace security flaw
expand image

In 2021, Rarible reported over $273 million trading volume in 2021, making Rarible one of the largest NFT marketplaces in the world. CPRs research motivations into Rarible were sparked when they witnessed a similar attack on Jay Chou, a famous Taiwanese singer, whose NFT was stolen and sold for $500,000.

On April 1, CPR researchers observed the iconic Taiwanese singer had been tricked into submitting a transaction that stole his BoardAppe NFT 3738 that later sold for $500,000 on the marketplace. CPR then launched a thorough investigation of Rarible, as the victim of this method can be any crypto/NFT holder.

CPRs current findings build on previous research in October 2021, where they found critical security flaws in OpenSea, the worlds largest NFT marketplace. Left unpatched, the vulnerabilities discovered on OpenSeas platform could allow hackers to hijack user accounts and steal entire cryptocurrency wallets by crafting malicious NFTs. This is the second time CPRs researchers discovered security flaws in an NFT marketplace.

============
============

CPR outlined the attack method as follows:

  • Victim receives a link to the malicious NFT or browses the marketplace and clicks on it.
  • The malicious NFT executes JavaScript code and attempts to send a set ApprovalForAll request to the victim.
  • Victim submits the request and grants full access to the NFT/Crypto Token to the attacker.

According to Oded Vanunu, head of products vulnerabilities research at Check Point Software, the company has invested significant resources in examining the intersection of crypto and security.

“We still continue to see large efforts by cyber criminals to try and heist big profits from cryptocurrency, especially NFT marketplaces.

“In October last year, we discovered critical security flaws in OpenSea, the worlds largest NFT marketplace and now, weve identified similar vulnerabilities in Rarible.

“In terms of security, there is still a huge gap between Web2 and Web3 infrastructure,” Vanunu said.

CPR disclosed its findings to Rarible on Tuesday, 5 April 2022 and Rarible acknowledged the security flaw. The companys motivation behind this latest research is to prevent risks of account takeover and cryptocurrency theft.

Vanunu further explains that any small vulnerability opens a backdoor for cyber criminals to hijack crypto wallets behind the scenes.

“We are still in a state where marketplaces that combine Web3 protocols are lacking a sound security practice.

“The implications following a crypto hack can be extreme.

“Weve seen millions of dollars hijacked from users of marketplaces that combine blockchain technologies, Vanunu added.

CPR recommends being careful and aware whenever receiving requests to sign even within the marketplace itself. Prior to approving a request, users should focus and carefully review what is being requested and consider whether the request seems abnormal or suspicious.

If there are any doubts, users are advised to reject the request and examine it further before providing any kind of authorisation.

Currently, I expect to see a continuing increase in cryptocurrency thefts, Vanunu added, urging users must pay attention.

“Users currently need to manage two types of wallets: one for most of their crypto and another just for specific transactions.

“Should the wallet for specific transactions become compromised, users can still be in a position where they don’t lose everything.

CPR will continue to research the security implications of the new frontier of blockchain technology, Vanunu said.

[Related: Cyber security professionals back government-led cyber threat protection initiatives]

newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.