Hackers are increasingly targeting crypto companies to gain access to their users’ crypto wallets in an attempt to steal tokens and nonfungible tokens (NFTs). Now, security researchers at Check Point Research have found a design flaw in the Rarible NFT marketplace that could allow an attacker to take over a user’s cryptocurrency wallet by luring them into clicking a malicious NFT and approving the wallet request it triggers.
The researchers alerted Rarible to the risk immediately, and the NFT company acknowledged the flaw and deployed a fix.
Rarible is an NFT marketplace that enables users to create, buy, and sell digital NFT art like photographs, games, and memes. According to Check Point Research (CPR), Rarible reported over $273 million trading volume in 2021, and more than 2.1 million users, making it one of the biggest NFT marketplaces in the world. The NFT marketplace also supports three blockchains with over 400,000 NFTs minted.
Finding the flaw
To transfer or track NFTs, the Ethereum ecosystem has a standard for representing ownership: ERC-721 (Ethereum Request for Comments 721, also published as EIP-721). This standard defines a function called ‘setApprovalForAll’, which designates an ‘operator’ address that is authorised to manage all of the caller’s tokens in that contract.
Marketplaces such as Rarible and OpenSea rely on this function so they can move NFTs on behalf of their users. Signing such an approval is dangerous, because whoever is named as the operator gains control of all of your NFTs in that collection if you are tricked into signing it. “Attackers use this kind of transaction usually in phishing attacks, but when it comes from the NFT marketplace itself, it is much more dangerous,” researchers noted in a blog post.
For their investigation, CPR created a malicious art file and uploaded it to the NFT marketplace. As soon as the victim clicked the art, the malicious code embedded in it executed, looping over the NFTs owned by the user and requesting setApprovalForAll for them. Once the victim approved that wallet request, the researchers had full control of the victim’s NFTs and tokens, because the victim had ‘allowed’ them to.
How to stay safe?
“NFT users should be aware that there are various wallet requests – some of them are used just to connect the wallet, but others may provide full access to their NFTs and tokens,” CPR added.
CPR recommends being careful and alert whenever a signing request appears within the Rarible marketplace, or any other marketplace. Before approving a request, users should carefully review what is being requested and consider whether the request seems abnormal or suspicious.
If there are any doubts, users should reject the request and examine it further before providing any kind of authorisation.