Critical security flaw discovered in NFT marketplace Rarible

Abstract image showing the letters NFT in pink on top of a background of digital concepts and code

Researchers have identified a security flaw in NFT marketplace Rarible that could have led to the theft of crypto wallets.

If exploited, the vulnerability would have enabled a threat actor to steal a user’s NFTs and cryptocurrency wallets in a single transaction.

Researchers at CheckPoint said that a successful attack would have come from a malicious NFT within Rarible’s marketplace, where people are less suspicious and familiar with submitting transactions. For context, the platform reported $273 million trading volume last year and boasts over two million monthly active users – making it one of the largest NFT marketplaces in the world.

The findings were immediately disclosed to Rarible on April 5, which acknowledged the security flaw. Check Point said it believes that the company will have deployed a fix by the time of publication.

"CPR has invested significant resources in examining the intersection of crypto and security,” commented Oded Vanunu, head of Products Vulnerabilities Research at Check Point Software. “We still continue to see large efforts by cyber criminals to try and heist big profits from cryptocurrency, especially NFT marketplaces.

“In October last year, we discovered critical security flaws in OpenSea, the world's largest NFT marketplace. Now, we've identified similar vulnerabilities in Rarible.”

Left unpatched, those critical security flaws found in OpenSea could have allowed hackers to hijack user accounts and steal entire cryptocurrency wallets by crafting malicious NFTs.

With this latest Rarible find, Check Point said that attackers would rely on victims clicking a link to a malicious NFT, either via browsing the marketplace or receipt of the link.

The malicious NFT would then execute JavaScript code and attempt to send a setApprovalForAll request to the victim, who would then submit the request and grant full access to the NFTs or crypto tokens to the attacker.

Vanunu explained that there is still a “huge gap” between Web2 and Web3 infrastructure, with any small vulnerability opening a backdoor for cyber criminals to hijack crypto wallets behind the scenes.

“We are still in a state where marketplaces that combine Web3 protocols are lacking a sound security practice,” he said. “The implications following a crypto hack can be extreme. We've seen millions of dollars hijacked from users of marketplaces that combine blockchain technologies.”

Check Point said users should remain careful and aware whenever receiving new requests to sign, even within the marketplace itself, and to carefully review exactly what is being requested prior to receiving a request.

If there are any doubts, users are advised to reject the request and examine it further before providing any kind of authorisation. Token approvals can be reviewed and revoked using the Etherscan token approval tool.

“Currently, I expect to see a continuing increase in cryptocurrency thefts. Users must pay attention,” Vananu advised. “Users currently need to manage two types of wallets: one for most of their crypto and another just for specific transactions.

“Should the wallet for specific transactions become compromised, users can still be in a position where they don’t lose everything. CPR will continue to research the security implications of the new frontier of blockchain technology"

Daniel Todd

Dan is a freelance writer and regular contributor to ChannelPro, covering the latest news stories across the IT, technology, and channel landscapes. Topics regularly cover cloud technologies, cyber security, software and operating system guides, and the latest mergers and acquisitions.

A journalism graduate from Leeds Beckett University, he combines a passion for the written word with a keen interest in the latest technology and its influence in an increasingly connected world.

He started writing for ChannelPro back in 2016, focusing on a mixture of news and technology guides, before becoming a regular contributor to ITPro. Elsewhere, he has previously written news and features across a range of other topics, including sport, music, and general news.