Security breach in one of the world’s largest NFT marketplaces puts more than 2 million users at risk

In 2021, Rarible announced over $273 million in transaction volume, making the platform one of the largest NFT marketplaces in the world.

Check Point Research (CPR) discovered a security flaw in Rarible, an NFT marketplace with more than 2 million monthly active users. If exploited, the vulnerability would allow malicious actors to steal NFTs from users and crypto wallets in a single transaction. A successful execution of such an attack would come from a malicious NFT discovered on Rarible’s own platform, where users have less qualms and are more familiar with submitting transactions. CPR immediately notified Rarible of its discovery.

In 2021, Rarible announced over $273 million in transaction volume, making the platform one of the largest NFT marketplaces in the world.

Attack method

CPR defines the attack method as follows:

  1. Victim receives a link to a malicious NFT or clicks on it through a market search
  2. Malicious NFT executes JavaScript code and attempts to send permission requests to victims
  3. The victim accepts the request, giving the attacker full access to the NFT token or cryptocurrency.

What causes CPR to investigate

On April 1, CPR witnessed a similar attack on famous Taiwanese singer Jay Chou. He was prompted to submit a transaction that resulted in the theft of NFT 3738 from the BoardAppe collection, which was later sold on the market for $500,000. Any cryptocurrency/NFT holder could fall victim to this attack method, which piqued the interest of Check Point investigators, leading them to analyze the Rarible platform. Of course, preventing further account and cryptocurrency theft is the main motivation for this investigation.

CPR’s current findings add to previous investigations dating back to October 2021, in which serious security flaws were found in OpenSea, the world’s largest NFT marketplace. If left unpatched, the identified vulnerabilities would allow hackers to steal full cryptocurrency accounts and wallets by creating malicious NFTs.

CPR shared its findings with Rarible on April 5, 2022. The platform admits there are security flaws, and CPR believes that, by the date the study was published, a fix was in place.

“CPR has devoted a lot of resources to researching how cryptocurrencies and security are intertwined. We continue to see significant efforts by cybercriminals to profit from digital currencies, especially in the NFT market. Last October, we had the largest global Serious security flaws have been found in OpenSea, the NFT marketplace of . We are now seeing similar flaws in Rarible. There is still a big gap between Web2 and Web3 infrastructure in terms of security. Any small breach will open the door for cybercriminals, Stealing crypto wallets without anyone noticing,” Firstly Oded Vanunu, Director of Product Vulnerability Research, Check Point Software. “We are still at a stage where markets incorporating Web3 protocols lack good security practices. The impact of an attack on these types of digital assets can be extreme. We have seen millions of dollars stolen from market users incorporating blockchain technology Currently, it is expected that we will continue to see an increase in cryptocurrency theft. Users must be careful. Currently, users must manage two types of wallets: one for most cryptographic resources and one for specific transactions only. Therefore, If the second security is compromised, the victim will still be in a position to not lose everything. CPR will continue to investigate the security implications of this new frontier in blockchain technology.”

Leave a Comment

Your email address will not be published.