A design flaw had left the Rarible NFT marketplace vulnerable – and Taiwanese singer Jay Chou lost a Bored Ape NFT worth half a million dollars. Check Point Research identified the vulnerability and assisted the marketplace operator. But security researchers continue to warn against platforms built on Web3 infrastructure.
Taiwanese pop icon Jay Chou launched his own NFTs in early January: in cooperation with his fashion brand Phantaci and the blockchain entertainment platform Ezek, 10,000 Phanta Bear NFTs hit the market. The auction brought him $10 million.
Three months later, Jay Chou made headlines with NFTs again, this time not as a businessman but as the victim of cybercriminals, who had stolen his Bored Ape Yacht Club (BAYC) NFT on the Rarible NFT platform. The crypto asset, Bored Ape NFT 3788, was later sold for $500,000.
Looked for an attack vector – and found it
The theft attracted a lot of media coverage, which is how security researchers at Check Point Research (CPR) became aware of it. They took a closer look at the marketplace and found what they were looking for: a design flaw that allowed an attacker to gain access to all NFTs in a victim's wallet. Rarible is an attractive target for cybercriminals: the marketplace has 2.1 million active users, and last year its sales exceeded $273 million.
The setApprovalForAll function is potentially dangerous because it can also grant another party the right to transfer the holder's tokens. In fact, a setApprovalForAll request was also used in the theft on the OpenSea marketplace in October 2021. Users do not always know what permissions they are granting when they sign such a request, and because the transaction does not come from outside but from the marketplace itself, it rarely arouses their suspicion.
CPR's researchers built an SVG image carrying malicious code. When the image was clicked, a message appeared stating that a new address had been discovered and needed to be added to the address book. If the user then pressed the “Confirmation” button, the routine went through all the NFTs in the wallet and gave the attacker full access to them.
CPR has published the full technical details here: https://research.checkpoint.com/2022/check-point-research-detects-vulnerability-in-the-rarible-nft-marketplace-preventing-risk-of-account-take-over-and-cryptocurrency-theft/
Check Point Research invests considerable resources in the intersection of cryptocurrencies and crypto-assets with computer security, stresses Oded Vanunu, Head of Products Vulnerabilities Research at Check Point Software Technologies. In this area, the researchers consistently observe cybercriminals going to great lengths to make large profits from cryptocurrencies. This applies especially to NFT marketplaces, as with OpenSea last October and now Rarible. When it comes to security, there is still a wide gap between Web2 and Web3 infrastructure, Vanunu warns:
Any small vulnerability opens a backdoor for hackers to hijack crypto wallets behind the scenes. We are still in a state where marketplaces that combine Web3 protocols do not have good security practices.
Oded Vanunu, Check Point Software Technologies
The consequences are sometimes severe: millions of dollars have been stolen from users of marketplaces that combine blockchain technologies. CPR currently expects such thefts to increase further and will therefore continue to investigate the security implications of new blockchain technology.
CPR recommends caution and vigilance when receiving signature requests on such marketplaces, including requests that come from the marketplace itself. Before approving a request, users should carefully review what is being requested and consider whether the request is unusual or suspicious. If in doubt, they should deny the request and think it over before granting approval. Users are also advised to check their token approvals at this link and, if in doubt, revoke them.
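As an added illustration (not from the article, CPR or Rarible), the Python below shows the two checks the advice above amounts to: decoding what a pending signature request of the kind used in the SVG trick actually asks for, and replaying a wallet's ApprovalForAll event history to list which operators still hold blanket transfer rights, together with the calldata that revokes one. The addresses and log entries are constructed sample data; the function selector and event topic are the standard ERC-721 values.

```python
from __future__ import annotations

# 4-byte selector of setApprovalForAll(address,bool) (first bytes of keccak256 of the signature).
SET_APPROVAL_FOR_ALL = "a22cb465"
# topic0 of the ERC-721 event ApprovalForAll(address indexed owner, address indexed operator, bool approved).
APPROVAL_FOR_ALL_TOPIC = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"
# Constructed sample addresses (not real accounts).
OWNER, MARKET, ATTACKER, COLLECTION = ("0x" + b * 20 for b in ("11", "22", "ab", "cc"))

def _addr(word: str) -> str:
    """Last 20 bytes of a 32-byte ABI word as a lowercase 0x address."""
    return "0x" + word.removeprefix("0x")[-40:].lower()

def _word(addr: str) -> str:
    """Left-pad an address to a 32-byte ABI word."""
    return "0x" + addr.removeprefix("0x").lower().rjust(64, "0")

def decode_approval_request(calldata: str) -> dict | None:
    """If `calldata` is a setApprovalForAll call, return its operator and flag; else None.
    This is what a wallet should show the user, whatever the dApp's UI claims the click does."""
    data = calldata.removeprefix("0x").lower()
    if data[:8] != SET_APPROVAL_FOR_ALL or len(data) != 8 + 2 * 64:
        return None
    return {"operator": _addr(data[8:72]), "approved": int(data[72:136], 16) == 1}

def current_operators(logs: list[dict], owner: str) -> dict[str, set[str]]:
    """Replay ApprovalForAll logs in chain order; return, per collection contract, the
    operators that still hold blanket transfer rights over every token `owner` holds there."""
    state: dict[str, set[str]] = {}
    for lg in sorted(logs, key=lambda x: (x["block"], x["index"])):
        if lg["topics"][0].lower() != APPROVAL_FOR_ALL_TOPIC or _addr(lg["topics"][1]) != owner.lower():
            continue
        ops = state.setdefault(lg["address"].lower(), set())
        (ops.add if int(lg["data"], 16) == 1 else ops.discard)(_addr(lg["topics"][2]))
    return {contract: ops for contract, ops in state.items() if ops}

def revoke_calldata(operator: str) -> str:
    """Calldata for setApprovalForAll(operator, false), sent to the collection contract to revoke."""
    return "0x" + SET_APPROVAL_FOR_ALL + _word(operator)[2:] + "0" * 64

# Constructed log history: marketplace approved, then a disguised request approves the attacker,
# then the marketplace approval is revoked. `data` carries the ABI-encoded bool.
SAMPLE_LOGS = [
    {"block": 100, "index": 0, "address": COLLECTION, "data": "0x" + "1".rjust(64, "0"),
     "topics": [APPROVAL_FOR_ALL_TOPIC, _word(OWNER), _word(MARKET)]},
    {"block": 250, "index": 3, "address": COLLECTION, "data": "0x" + "1".rjust(64, "0"),
     "topics": [APPROVAL_FOR_ALL_TOPIC, _word(OWNER), _word(ATTACKER)]},
    {"block": 260, "index": 1, "address": COLLECTION, "data": "0x" + "0" * 64,
     "topics": [APPROVAL_FOR_ALL_TOPIC, _word(OWNER), _word(MARKET)]},
]
```

Running `current_operators(SAMPLE_LOGS, OWNER)` on the sample history reports only the attacker address as a remaining operator for the collection, which is the entry a user would want to revoke.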
Vanunu also has a second tip for limiting potential losses. He recommends using two wallets: one that holds the bulk of one's crypto assets and another that is used for day-to-day transactions. If only the transaction wallet were compromised, most of the crypto assets in the other wallet would remain untouched.