Security researchers detected a vulnerability in the Rarible NFT marketplace, which enables users to create, buy and sell digital NFT art pieces.
The company had a trading volume of $273 million in 2021 and more than 2.1 million users, which makes it one of the biggest NFT marketplaces in the world right now, with more than 400,000 NFTs minted on the platform.
Unfortunately, Check Point discovered a design flaw within the marketplace which could allow threat actors to take over Rarible users’ cryptocurrency wallets. This could be achieved by tricking users into clicking a malicious NFT, leading to full account takeover, including its funds.
The researchers alerted the marketplace immediately about the potential risk, and collaborated with them to install a fix, as per Check Point’s report on the issue.
More about Rarible’s Design Flaw
Non-fungible tokens follow a standard (EIP-721) that provides the basic functionality to track and transfer NFTs. The standard includes a function called setApprovalForAll, which designates who is authorized to control all of a user’s tokens/NFTs. The feature exists mainly so that third parties, such as Rarible or OpenSea, can manage NFTs/tokens on behalf of users.
It turns out that “this function is very dangerous by design,” as it could allow anyone to control users’ NFTs if they are tricked into signing it.
“It’s not always clear to users exactly what permissions they are giving by signing a transaction. Most of the time, the victim assumes these are regular transactions when in fact, they were giving control over their own NFTs,” Check Point explained.
It is noteworthy that cybercriminals use this type of transaction in phishing campaigns. However, in the realms of NFT marketplaces, this could be even more dangerous.
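The problem described above is that the signing prompt does not tell the user that the call is setApprovalForAll, or who the operator will be. The following is an added example, not code from the article, Check Point or Rarible, of the check a wallet UI (or a user pasting the hex from a signing prompt) could run over a transaction's calldata before it is signed. The 4-byte selectors are the standard EIP-721/EIP-20 values (first four bytes of keccak256 of the function signature); the sample calldata, the 0x1111…1111 operator address and the trustedOperators allowlist are constructed placeholders, not real contract addresses.

```javascript
// Added example: decode pending calldata and flag approval-for-all grants.
// Selectors are the standard values from the EIP-721 / EIP-20 ABIs.
const SELECTORS = {
  "0xa22cb465": { sig: "setApprovalForAll(address,bool)", risk: "high" },
  "0x095ea7b3": { sig: "approve(address,uint256)", risk: "medium" },
  "0x23b872dd": { sig: "transferFrom(address,address,uint256)", risk: "medium" },
  "0x42842e0e": { sig: "safeTransferFrom(address,address,uint256)", risk: "medium" },
};

// Read the i-th 32-byte ABI word that follows the 4-byte selector.
function abiWord(hex, i) {
  const start = 8 + i * 64;
  const word = hex.slice(start, start + 64);
  if (word.length !== 64) throw new Error(`calldata too short for argument ${i}`);
  return word;
}

// An address is the low 20 bytes of its 32-byte word; a bool is any non-zero word.
const abiAddress = (word) => "0x" + word.slice(24);
const abiBool = (word) => BigInt("0x" + word) !== 0n;

// trustedOperators: lowercase addresses the user has deliberately chosen to trust
// (placeholder input; this example does not know any marketplace's real contracts).
function classifyCalldata(calldata, trustedOperators = new Set()) {
  const hex = String(calldata).toLowerCase().replace(/^0x/, "");
  if (hex.length < 8) return { risk: "unknown", reason: "no function selector" };
  const selector = "0x" + hex.slice(0, 8);
  const known = SELECTORS[selector];
  if (!known) return { selector, risk: "unknown", reason: "unrecognised selector" };

  const result = { selector, sig: known.sig, risk: known.risk };
  if (selector === "0xa22cb465") {
    result.operator = abiAddress(abiWord(hex, 0));
    result.approved = abiBool(abiWord(hex, 1));
    if (!result.approved) {
      result.risk = "low";
      result.reason = `revokes ${result.operator} as operator`;
    } else if (trustedOperators.has(result.operator)) {
      result.risk = "medium";
      result.reason = `grants trusted operator ${result.operator} control over all tokens`;
    } else {
      result.reason = `grants UNKNOWN operator ${result.operator} control over ALL tokens in this collection`;
    }
  }
  return result;
}

// Constructed sample: setApprovalForAll(0x1111...1111, true), i.e. the kind of
// call the article warns about. The address is a placeholder, not a real contract.
const SAMPLE_APPROVE_ALL =
  "0xa22cb465" + "0".repeat(24) + "11".repeat(20) + "0".repeat(63) + "1";

console.log(classifyCalldata(SAMPLE_APPROVE_ALL));
```

The point of the allowlist is that setApprovalForAll is legitimate when the operator is the marketplace contract the user meant to use; the warning should fire on an unfamiliar operator, and a revocation (approved = false) is the action a user takes to clean up after a bad signature.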
Check Point “looked at the Rarible NFT marketplace which allows anyone to create and sell art. Art can be anything that ends with the following extensions: PNG, GIF, SVG, MP4, WEBM, MP3. Max size: 100 MB.” The researchers proceeded with creating malicious art – a simple SVG file, uploaded with a simple payload. You can read more about it in the original report.
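Since the attack relied on an uploaded SVG carrying a payload, the marketplace-side counterpart is to refuse SVG uploads that contain active content. The following is an added example, not Rarible's upload code or anything from the Check Point report: a conservative pre-upload filter with constructed sample files. It is a first-line check only, since pattern matching can be evaded by entity encoding and other tricks; a marketplace should still run uploads through an XML-aware sanitizer and serve user files from an isolated origin with a restrictive Content-Security-Policy.

```javascript
// Added example: reject SVG files that can execute or load foreign content.
// Each pattern is deliberately broad; false positives are acceptable here.
const ACTIVE_CONTENT = [
  { name: "script element", re: /<\s*script\b/i },
  { name: "event handler attribute", re: /[\s"']on[a-z]+\s*=/i },
  { name: "javascript: URL", re: /(?:href|src)\s*=\s*["']?\s*javascript:/i },
  { name: "foreignObject (embedded HTML)", re: /<\s*foreignObject\b/i },
  { name: "DOCTYPE / entity declaration", re: /<!(?:DOCTYPE|ENTITY)\b/i },
  { name: "external reference", re: /(?:href|src)\s*=\s*["']?\s*(?:https?:)?\/\//i },
];

// Returns the list of findings; an empty list means the file passed the check.
function findActiveContent(svgText) {
  const text = String(svgText);
  const findings = [];
  if (!/<\s*svg\b/i.test(text)) findings.push("no <svg> root element");
  for (const { name, re } of ACTIVE_CONTENT) {
    if (re.test(text)) findings.push(name);
  }
  return findings;
}

function isSafeSvg(svgText) {
  return findActiveContent(svgText).length === 0;
}

// Constructed samples (not the payload from the report).
const CLEAN_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><rect width="10" height="10" fill="teal"/></svg>';
const SCRIPTED_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg"><script>init()</script></svg>';

console.log(isSafeSvg(CLEAN_SVG), findActiveContent(SCRIPTED_SVG));
```

Rejecting rather than stripping is the safer default for a marketplace: a creator who needs interactivity is better served by a raster preview than by a partially cleaned SVG that still runs in every buyer's browser.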
Long story short, NFT users should be aware that there are various kinds of wallet requests. Some of them are needed just to connect the wallet, but others may grant full access to their NFTs and tokens, Check Point concluded.
More about NFTs
Non-fungible tokens can be described as cryptographic assets on a blockchain with unique identification codes and metadata that distinguish them from one another. They may sound like a cryptocurrency, but the difference is that NFTs cannot be traded or exchanged at equivalency. In that sense, cryptocurrencies such as Bitcoin are fungible, or identical to each other, which is what allows them to be used for commercial transactions.
NFTs can be created from any kind of art, photography, music, or video files. You can create one from nearly anything unique that has value and can later be stored digitally. NFTs can be thought of as a collector’s item, such as a painting or an auction item. However, rather than buying a physical item, you’d be paying for the file and the proof that you own the original copy.
You can read more about the risks that NFTs hide in the following article: How Secure Are Your Digital Assets?