
Critical security flaw discovered in NFT marketplace Rarible

If exploited, the vulnerability could have led to the theft of NFTs and crypto tokens in a single transaction


Researchers have identified a security flaw in NFT marketplace Rarible that could have led to the theft of crypto wallets.

If exploited, the vulnerability would have enabled a threat actor to steal a user’s NFTs and cryptocurrency wallets in a single transaction.

Researchers at Check Point said that a successful attack would have come from a malicious NFT within Rarible’s marketplace, where users are less suspicious and accustomed to submitting transactions. For context, the platform reported $273 million trading volume last year and boasts over two million monthly active users – making it one of the largest NFT marketplaces in the world.

The findings were immediately disclosed to Rarible on April 5, which acknowledged the security flaw. Check Point said it believes that the company will have deployed a fix by the time of publication.

“CPR has invested significant resources in examining the intersection of crypto and security,” commented Oded Vanunu, head of Products Vulnerabilities Research at Check Point Software. “We still continue to see large efforts by cyber criminals to try and heist big profits from cryptocurrency, especially NFT marketplaces.

“In October last year, we discovered critical security flaws in OpenSea, the world's largest NFT marketplace. Now, we've identified similar vulnerabilities in Rarible.”

Left unpatched, those critical security flaws found in OpenSea could have allowed hackers to hijack user accounts and steal entire cryptocurrency wallets by crafting malicious NFTs.

With this latest Rarible find, Check Point said that attackers would rely on victims clicking a link to a malicious NFT, either via browsing the marketplace or receipt of the link.

The malicious NFT would then execute JavaScript code and attempt to send a setApprovalForAll request to the victim, who would then submit the request and grant full access to the NFTs or crypto tokens to the attacker.

Vanunu explained that there is still a “huge gap” between Web2 and Web3 infrastructure, with any small vulnerability opening a backdoor for cyber criminals to hijack crypto wallets behind the scenes.

“We are still in a state where marketplaces that combine Web3 protocols are lacking a sound security practice,” he said. “The implications following a crypto hack can be extreme. We've seen millions of dollars hijacked from users of marketplaces that combine blockchain technologies.”

Check Point said users should remain careful and aware whenever receiving new requests to sign, even within the marketplace itself, and should carefully review exactly what is being requested before approving it.

If there are any doubts, users are advised to reject the request and examine it further before providing any kind of authorisation. Token approvals can be reviewed and revoked using the Etherscan token approval tool.
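The signing request described above (a `setApprovalForAll` call for an operator the user does not know) is something a wallet or a cautious user can recognise in the raw calldata before approving it, and the same call with the flag set to false is what a revocation tool submits. The following is an added example, not code from the article, Check Point or Rarible; the trusted-operator list and the attacker address are constructed placeholders:

```javascript
// Added example (not from the article): inspect the calldata a dApp asks a wallet
// to sign and flag approval calls that hand an operator control over the signer's assets.
const SELECTORS = {
  a22cb465: "setApprovalForAll(address,bool)", // ERC-721 / ERC-1155
  "095ea7b3": "approve(address,uint256)",      // ERC-20
};
const MAX_UINT256 = (1n << 256n) - 1n;

// Hypothetical allow-list of operator contracts the user chose to trust.
// The address is a constructed placeholder, not a real marketplace contract.
const TRUSTED_OPERATORS = new Set(["0x1111111111111111111111111111111111111111"]);

// i-th 32-byte ABI word after the 4-byte selector (hex string, no 0x prefix).
function word(data, i) {
  return data.slice(8 + i * 64, 8 + (i + 1) * 64);
}

// Classify one transaction's calldata ("0x..." hex). Returns {risk, reason, operator}.
function inspectCalldata(calldata) {
  const data = calldata.replace(/^0x/i, "").toLowerCase();
  const sig = SELECTORS[data.slice(0, 8)];
  if (!sig) return { risk: "none", reason: "not an approval call" };
  if (data.length < 8 + 2 * 64) return { risk: "unknown", reason: "truncated calldata" };
  const operator = "0x" + word(data, 0).slice(24); // address is right-aligned in its word
  const trusted = TRUSTED_OPERATORS.has(operator);
  if (sig.startsWith("setApprovalForAll")) {
    if (BigInt("0x" + word(data, 1)) === 0n) {
      return { risk: "none", reason: "revokes operator approval", operator };
    }
    return { risk: trusted ? "low" : "high",
             reason: "grants operator control of every token in the collection", operator };
  }
  const amount = BigInt("0x" + word(data, 1));
  const unlimited = amount === MAX_UINT256;
  return { risk: unlimited && !trusted ? "high" : "low",
           reason: unlimited ? "unlimited ERC-20 allowance" : `allowance of ${amount}`, operator };
}

// Build the calldata that grants (approved=true) or revokes (approved=false)
// operator approval; revocation is what an Etherscan-style approval tool submits.
function encodeSetApprovalForAll(operator, approved) {
  const addr = operator.replace(/^0x/i, "").toLowerCase().padStart(64, "0");
  const flag = (approved ? "1" : "0").padStart(64, "0");
  return "0xa22cb465" + addr + flag;
}

// Constructed sample (not a real address): an unknown operator asking to be approved.
const SAMPLE_ATTACKER = "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef";
console.log(inspectCalldata(encodeSetApprovalForAll(SAMPLE_ATTACKER, true)));
```

The same decoder applied to the calldata of an existing approval transaction shows which operator currently holds the approval, which is what the revocation step needs to know.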

“Currently, I expect to see a continuing increase in cryptocurrency thefts. Users must pay attention,” Vanunu advised. “Users currently need to manage two types of wallets: one for most of their crypto and another just for specific transactions.

“Should the wallet for specific transactions become compromised, users can still be in a position where they don’t lose everything. CPR will continue to research the security implications of the new frontier of blockchain technology.”
