Researchers have discovered how a security bug in the Rarible NFT marketplace could lead to crypto thefts. While Rarible has deployed the fix, users must be careful about any past transactions to avoid losses.
Rarible NFT Bugs Discovered
Recently, the Check Point Research team has disclosed a serious security bug affecting the Rarible NFT marketplace. As elaborated in their report, the bug allowed the attackers to steal cryptocurrency assets of target users after wallet takeovers.
As highlighted, the Check Point Research team discovered the vulnerability with the setApprovalForAll
function of the NFT EIP-721 standard. Describing the intended action of this function, the report stated,
This function basically designates who is authorized to control all your tokens/NFTs, which is mainly created for 3rd parties like Rarible/OpenSea, etc. to control the NFT/tokens on behalf of the users.
The researchers explained that malicious exploitation of this function could let users lose control of their NFTs by signing a malicious transaction. Mostly, the users don’t recognize the impact of signing a transaction, deeming it a regular one. However, doing so can even lead to giving the attacker the permissions to their NFTs.
To demonstrate this attack, the researchers crafted a malicious NFT (in SVG format). Opening the NFT or clicking on the IPFS link would execute the JavaScript payload.
Explaining further, the researchers stated,
What so great about wallet transactions is it doesn’t have to run under the same domain, so we don’t need any private information such as cookies, or sessions, all the victim needs is a wallet and the attacker will use the JSON-RPC to abuse it.
So, the payload would send the “setApprovalForAll
” transaction request to the victim, approving which would give the attacker access to their NFT collection. After this, the attacker could easily steal all NFTs from the victim’s account using the “transferFrom
” action.
Patch Deployed
Upon discovering the bug, the Check Point Research team alerted Rarible about the matter. Consequently, Rarible worked on a fix and deployed the patch to avoid any real-world exploits.
In a statement to Bleeping Computer, Rarible explained that the bug didn’t directly affect Rarible.com users. As stated,
The vulnerability could potentially affect users only in case they deliberately leave Rarible.com for a third-party resource with malicious content, and consciously sign suggested transactions with their wallets. Simply clicking the link is not enough and user interaction and confirmation for transactions is required.
Nonetheless, they decided to strengthen security on third-party resources as well to “ensure a safe experience for the NFT community.”
Rarible is a dedicated NFT marketplace with millions of users. It allows the creation and sale/purchase of digital art as NFTs, has minted over 400,000 NFTs, and works over three blockchains. This huge existence indicates how a security vulnerability in the marketplace could make millions of users lose their assets.