Weakness in the NFT market is rare – it-daily.net

Security researchers at Check Point Research (CPR) have discovered a vulnerability in the NFT Rarible marketplace. The exploit may result in the theft of each user’s NFTs and cryptocurrencies.

Just a fraudulent transaction was enough. Immediately after the vulnerability was discovered, CPR reported it to Rarible on April 5, who took note of the warning. Security researchers argue that the security gap should have been closed at the time of this report’s publication – but they do not confirm this. Rarible is the second NFT marketplace where CPR has discovered a serious vulnerability, because security researchers found something similar in October 2021 in the world’s largest NFT marketplace from OpenSea.

The fraud could have been launched by a malicious NFT within the Rarible Market itself, which users trust. The scammer’s target will get the infected NFT link and click on it to launch the attack – or the user will browse the marketplace and randomly find and click on the infected but harmless looking NFT. The malicious NFT executes JavaScript code, which then requests ApprovalForAll from the user. If the user carelessly confirms this, he gives access to the NFTs and their cipher tokens. The hackers can then steal NFT wallets and cryptocurrencies from the victim in a single transaction.

Experts noticed this time on April 1st when NFTs were stolen from Taiwanese singer Jay Chou and sold at Rarible Market for $500,000 USD. Chou was tricked into agreeing to a similarly prepared application, which then used a transaction to gain access to BoardAppe NFT 3788. Rarible announced 2021 sales on its market of $273 million, making it one of the largest platforms in existence.

Oded Vanunu, Head of Product Vulnerability Research at Check Point Software Technologies, says: “CPR has invested significant resources in investigating the intersection of cryptocurrency and IT security. We continue to see significant efforts by cybercriminals in an effort to make significant profits from cryptocurrencies especially from NFT Markets.In October last year, we discovered serious security vulnerabilities in OpenSea, the largest NFT market in the world.Now we found similar vulnerabilities in Rarible.In terms of security, there is still a big gap between the Web2 and Web3 infrastructure.

Any small loophole opens a backdoor for hackers to hijack cryptocurrency wallets behind the scenes. We are still in a situation where markets that combine Web3 protocols do not have sound security practices. The consequences of a cryptocurrency hack can also be severe. We have seen millions of dollars stolen from users of marketplaces that combine blockchain technologies. I am currently expecting another increase in these thefts. Users should be careful. They currently need to manage two types of wallets: one for most of their cryptocurrencies and one for specific transactions only. However, if the wallet for certain transactions is only attacked, users may still be able not to lose everything. In any case, CPR will continue to research the security implications of the new blockchain technology. “

CPR recommends caution and vigilance when receiving applications for registration in such markets, including within the market itself. Before accepting the request, users should think carefully about what is being asked and consider whether the request is unusual or suspicious.

Additional information:

When in doubt, they should reject the application and review it again before approval is granted. Users are also advised to check and revoke token approvals at this link: https://etherscan.io/tokenapprovalchecker.

You can get an overview here.


Leave a Comment