IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Critical security flaw discovered in NFT marketplace Rarible

If exploited, the vulnerability could have led to the theft of NFTs and crypto tokens in a single transaction

Abstract image showing the letters NFT in pink on top of a background of digital concepts and code

Researchers have identified a security flaw in NFT marketplace Rarible that could have led to the theft of crypto wallets.

If exploited, the vulnerability would have enabled a threat actor to steal a user’s NFTs and cryptocurrency wallets in a single transaction.

Researchers at CheckPoint said that a successful attack would have come from a malicious NFT within Rarible’s marketplace, where people are less suspicious and familiar with submitting transactions. For context, the platform reported $273 million trading volume last year and boasts over two million monthly active users – making it one of the largest NFT marketplaces in the world.

The findings were immediately disclosed to Rarible on April 5, which acknowledged the security flaw. Check Point said it believes that the company will have deployed a fix by the time of publication.

"CPR has invested significant resources in examining the intersection of crypto and security,” commented Oded Vanunu, head of Products Vulnerabilities Research at Check Point Software. “We still continue to see large efforts by cyber criminals to try and heist big profits from cryptocurrency, especially NFT marketplaces.

“In October last year, we discovered critical security flaws in OpenSea, the world's largest NFT marketplace. Now, we've identified similar vulnerabilities in Rarible.”

Left unpatched, those critical security flaws found in OpenSea could have allowed hackers to hijack user accounts and steal entire cryptocurrency wallets by crafting malicious NFTs.

With this latest Rarible find, Check Point said that attackers would rely on victims clicking a link to a malicious NFT, either via browsing the marketplace or receipt of the link.

The malicious NFT would then execute JavaScript code and attempt to send a setApprovalForAll request to the victim, who would then submit the request and grant full access to the NFTs or crypto tokens to the attacker.

Vanunu explained that there is still a “huge gap” between Web2 and Web3 infrastructure, with any small vulnerability opening a backdoor for cyber criminals to hijack crypto wallets behind the scenes.

“We are still in a state where marketplaces that combine Web3 protocols are lacking a sound security practice,” he said. “The implications following a crypto hack can be extreme. We've seen millions of dollars hijacked from users of marketplaces that combine blockchain technologies.”

Check Point said users should remain careful and aware whenever receiving new requests to sign, even within the marketplace itself, and to carefully review exactly what is being requested prior to receiving a request.

If there are any doubts, users are advised to reject the request and examine it further before providing any kind of authorisation. Token approvals can be reviewed and revoked using the Etherscan token approval tool.

“Currently, I expect to see a continuing increase in cryptocurrency thefts. Users must pay attention,” Vananu advised. “Users currently need to manage two types of wallets: one for most of their crypto and another just for specific transactions.

“Should the wallet for specific transactions become compromised, users can still be in a position where they don’t lose everything. CPR will continue to research the security implications of the new frontier of blockchain technology"

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

Education and government most at risk from email threats
phishing

Education and government most at risk from email threats

26 Nov 2021
Attackers use CSS to fool anti-phishing systems
phishing

Attackers use CSS to fool anti-phishing systems

11 Nov 2021
Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021
Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021

Most Popular

Salaries for the least popular programming languages surge as much as 44%
Development

Salaries for the least popular programming languages surge as much as 44%

23 Jun 2022
The top programming languages you need to learn for 2022
Careers & training

The top programming languages you need to learn for 2022

23 Jun 2022
Swift exit: How the world cut off Russian banks
finance

Swift exit: How the world cut off Russian banks

24 Jun 2022