SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Check Point discovers security flaw in major NFT marketplace
Thu, 21st Apr 2022

Check Point Research (CPR) has identified a security flaw in Rarible, an NFT marketplace with over two million active users. If exploited, the vulnerability would have enabled a threat actor to steal a user's NFTs and crypto tokens in a single transaction.

The company's discovery marks the second time its researchers discovered security flaws in an NFT marketplace. In October 2021, CPR found security issues in OpenSea, the world's largest NFT marketplace. CPR's research of Rarible began when they witnessed a similar attack on Jay Chou, a famous Taiwanese singer whose NFT was stolen and sold for $500k.

Rarible reported over $273 million in trading volume in 2021, making it one of the largest NFT marketplaces in the world.

CPR has outlined the attack methodology as the following:

  • The victim receives a link to the malicious NFT or browses the marketplace and clicks on it.
  • The malicious NFT executes JavaScript code and attempts to send a setApprovalForAll request to the victim.
  • The victim submits the request and grants the attacker full access to their NFTs/crypto tokens.

On April 1, Taiwanese singer Jay Chou was tricked into submitting a transaction that stole his Bored Ape NFT 3738, which was later sold for $500,000 on the marketplace. CPR became interested because the victim of this method can be any crypto or NFT holder. The company quickly launched a thorough investigation of Rarible. CPR says its motivation behind the research is to prevent risks of account takeover and cryptocurrency theft.

The findings build on top of previous research in October 2021, where they found critical security flaws in OpenSea, the world's largest NFT marketplace. Left unpatched, the vulnerabilities discovered on OpenSea's platform could allow hackers to hijack user accounts and steal entire cryptocurrency wallets by crafting malicious NFTs.

"CPR has invested significant resources in examining the intersection of crypto and security. We continue to see large efforts by cybercriminals to try and heist big profits from cryptocurrency, especially NFT marketplaces," says Check Point Software head of Products Vulnerabilities Research, Oded Vanunu.

"In October last year, we discovered critical security flaws in OpenSea, the world's largest NFT marketplace. Now, we've identified similar vulnerabilities in Rarible. In terms of security, there is still a huge gap between Web2 and Web3 infrastructure. Any small vulnerability opens a backdoor for cybercriminals to hijack crypto wallets behind the scenes," he says.

"We're still in a state where marketplaces that combine Web3 protocols lack a sound security practice. The implications following a crypto hack can be extreme. We've seen millions of dollars hijacked from marketplace users that combine blockchain technologies. Currently, I expect to see a continuing increase in cryptocurrency thefts. Users must pay attention."

He says users currently need to manage two types of wallets, one for most of their crypto and another just for specific transactions. Should the wallet for specific transactions become compromised, users can still be in a position where they don't lose everything.

CPR recommends being careful and aware whenever receiving requests to sign, even within the marketplace itself. Before approving a request, the company says users should carefully review what is being requested and consider whether the request seems abnormal or suspicious. If there is any doubt, users are advised to reject the request and examine it further before providing any authorisation.
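
One way to carry out the "review what is being requested" step in code: the added example below (not from Check Point or Rarible) decodes the calldata of a transaction awaiting signature and flags a setApprovalForAll grant. It goes slightly beyond the article by also covering the ERC-20 approve call; the function name, risk labels and sample addresses are assumptions made for illustration.

```javascript
// Added example: selectors are the first 4 bytes of keccak256(signature).
const SELECTORS = {
  "0xa22cb465": "setApprovalForAll(address,bool)", // ERC-721 / ERC-1155
  "0x095ea7b3": "approve(address,uint256)",        // ERC-20
};
const MAX_UINT256 = (1n << 256n) - 1n;

// Review the transaction a page asks the wallet to sign (tx.to, tx.data).
function reviewApprovalRequest(tx) {
  const data = String(tx.data || "").toLowerCase();
  if (!/^0x([0-9a-f]{2})*$/.test(data)) {
    return { risk: "unknown", summary: "calldata is not valid hex" };
  }
  const name = SELECTORS[data.slice(0, 10)];
  if (!name) return { risk: "none", summary: "not an approval call" };

  // Both calls carry exactly two 32-byte ABI words after the selector.
  const args = data.slice(10);
  if (args.length !== 128 || !args.startsWith("0".repeat(24))) {
    return { risk: "unknown", summary: `malformed ${name} calldata` };
  }
  const operator = "0x" + args.slice(24, 64); // address is right-aligned
  const value = BigInt("0x" + args.slice(64));

  if (value === 0n) {
    return { risk: "none", summary: `revokes ${operator} on ${tx.to}` };
  }
  if (name.startsWith("setApprovalForAll")) {
    // Any non-zero bool word is treated as "approved" to stay conservative.
    return { risk: "high", summary: `${operator} could move every token you hold in ${tx.to}` };
  }
  const unlimited = value === MAX_UINT256;
  return {
    risk: unlimited ? "high" : "medium",
    summary: `${operator} could spend ${unlimited ? "an unlimited amount" : value} of token ${tx.to}`,
  };
}

// Constructed sample requests (addresses are placeholders, not real contracts).
const pad = (hex) => hex.padStart(64, "0");
const COLLECTION = "0x" + "11".repeat(20);
const OPERATOR = "22".repeat(20);
const grantAll = { to: COLLECTION, data: "0xa22cb465" + pad(OPERATOR) + pad("1") };
const revokeAll = { to: COLLECTION, data: "0xa22cb465" + pad(OPERATOR) + pad("0") };
const unlimitedErc20 = { to: COLLECTION, data: "0x095ea7b3" + pad(OPERATOR) + "f".repeat(64) };

[grantAll, revokeAll, unlimitedErc20].forEach((tx) => console.log(reviewApprovalRequest(tx)));
```

A "high" result means the named operator address would gain standing permission over the whole collection or token balance, which is the grant the attack steps above rely on.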