Rarible is the most used marketplace for buying and selling NFTs (non-fungible tokens), but a flaw in its systems allowed cybercriminals to take control of users’ cryptowallets. The attack relied on malicious NFTs, a form of phishing carried out within the platform itself that deceived users. Learn more about this bug, which has since been fixed.
NFT and the failure in its marketplace “Rarible”
Non-fungible tokens are the latest thing in the metaverse; they are nothing more than digital “objects of value.” They can range from a piece of art to a meme, something easily found online, but turning it into an NFT gives it a monetary value that is usually paid for with cryptocurrencies. Rarible is one of the most used marketplaces for offering these tokens or simply for protecting original works.
Check Point researchers Roman Zaikin, Dikla Barda, and Oded Vanunu were the first to share information about this flaw. “By luring victims to click on a malicious NFT, an attacker can take full control of the victim’s cryptowallet to steal funds.” With over 2.1 million active users, Rarible is the site most used for NFTs by content creators, artists, and anyone else.
“There is still a huge gap, in terms of security, between Web2 and Web3 infrastructure. Any small vulnerability can possibly allow cybercriminals to hijack cryptowallets behind the scenes. We are still in a state where marketplaces that combine Web3 protocols are lacking from a security perspective. The implications following a crypto hack can be extreme,” continues Vanunu, head of products vulnerabilities research at Check Point.
The cybercriminals operated as follows: a link to an NFT (anything from an image to a game) was sent to the victim; when opened in a new tab, it executed JavaScript code that could give the attacker access to all of the user’s NFTs by sending a setApprovalForAll request to the wallet.
setApprovalForAll allows a marketplace, in this case Rarible, to transfer sold items from the seller’s address to the buyer’s address according to the smart contract it implements. “This function is very dangerous by design because this may allow anyone to control your NFTs if you get tricked into signing it. It’s not always clear to users exactly what permissions they are giving by signing a transaction. Most of the time, the victim assumes these are regular transactions when in fact, they were giving control over their own NFTs.”
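As an added example (not code from the original article, from Rarible, or from Check Point), here is the kind of wallet-side check that addresses the problem just described: before the user signs, decode a setApprovalForAll(address,bool) request and state in plain language what it grants. The selector 0xa22cb465 is the standard ERC-721/ERC-1155 one; the trusted-operator list and the addresses are constructed placeholders for the demo.

```javascript
// Wallet-side pre-signing check for setApprovalForAll(address,bool).
// First 4 bytes of keccak256("setApprovalForAll(address,bool)"): the
// well-known ERC-721/ERC-1155 selector.
const SET_APPROVAL_FOR_ALL = "a22cb465";

// Constructed placeholder allowlist; a real wallet would keep a list of
// marketplace contracts it has actually verified.
const TRUSTED_OPERATORS = new Set([
  "0x1111111111111111111111111111111111111111", // placeholder marketplace
]);

// Strip "0x", lower-case, and reject anything that is not hex.
function normalizeHex(data) {
  const hex = data.startsWith("0x") ? data.slice(2) : data;
  return /^[0-9a-f]*$/i.test(hex) ? hex.toLowerCase() : null;
}

// Decode a setApprovalForAll call; returns null for any other calldata so
// the caller can fall through to normal handling.
function decodeSetApprovalForAll(data) {
  const hex = normalizeHex(data);
  // selector (4 bytes) + two 32-byte ABI words = 68 bytes = 136 hex chars
  if (!hex || hex.length !== 136 || hex.slice(0, 8) !== SET_APPROVAL_FOR_ALL) return null;
  const word1 = hex.slice(8, 72);   // address, left-padded with 12 zero bytes
  const word2 = hex.slice(72, 136); // bool, 0 or 1 in the last byte
  if (!/^0{24}/.test(word1)) return null;     // malformed address padding
  if (!/^0{63}[01]$/.test(word2)) return null; // malformed bool encoding
  return { operator: "0x" + word1.slice(24), approved: word2.endsWith("1") };
}

// Explain what signing tx = { to, data } would grant, and flag the risk.
function explainApprovalRequest(tx) {
  const call = decodeSetApprovalForAll(tx.data);
  if (!call) return { risky: false, message: "not a setApprovalForAll call" };
  if (!call.approved) {
    return { risky: false, operator: call.operator,
             message: `revokes ${call.operator} as operator on ${tx.to}` };
  }
  const trusted = TRUSTED_OPERATORS.has(call.operator);
  return {
    risky: !trusted,
    operator: call.operator,
    message: `grants ${call.operator} the right to transfer EVERY token you own in ` +
             `${tx.to} ${trusted ? "(known marketplace)" : "(UNKNOWN operator)"}`,
  };
}
```

A wallet or browser extension would show `message` and block on `risky` instead of presenting the request as an ordinary transaction.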
Once control over the NFTs is granted, they are transferred from the victim’s account to the cybercriminal’s, who profits by reselling the items on the same marketplace at a higher price. Users are advised to pay close attention to the sites they visit and the permissions they grant, and to review very carefully any transaction they are asked to sign.
Photo by Andrey Metelev on Unsplash.