Security researchers from Check Point Research (CPR) have discovered a security flaw in the Rarible NFT marketplace. Had it been exploited, an attacker could have stolen a victim’s NFTs and cryptocurrency.
A single fraudulent transaction would have sufficed. CPR reported the vulnerability to Rarible on April 5, immediately after discovering it, and Rarible acknowledged the report. The researchers expect the hole to have been closed by the time this report is published, but have not confirmed it. Rarible is the second NFT marketplace in which CPR has found a dangerous vulnerability: in October 2021 the researchers found a similar one in OpenSea, the world’s largest NFT marketplace.
This time the researchers were alerted on April 1, when NFTs belonging to the Taiwanese singer Jay Chou were stolen and sold on the Rare Market for US$500,000. Chou had been tricked into accepting a similar request; the attacker then used a transaction to gain access to his Bored Ape NFT 3788. Rarible recorded sales of $273 million on its marketplace in 2021, which makes it one of the most important platforms in the market.
Oded Vanunu, Head of Product Vulnerability Research at Check Point Software Technologies, said: “CPR has invested significant resources in studying the intersection of cryptocurrency and computer security. We continue to see big efforts from cybercriminals trying to make big profits from cryptocurrencies and especially NFT markets. In October last year, we discovered critical security vulnerabilities in OpenSea, the world’s largest NFT marketplace. We have now found similar vulnerabilities in Rarible. In terms of security, there is still a big gap between Web2 and Web3 infrastructure.
Any small vulnerability opens a backdoor for hackers to hijack crypto wallets behind the scenes. We are still in a state where marketplaces that combine Web3 protocols do not have good security practices. The consequences of a crypto hack can also be extreme. We have seen millions of dollars stolen from users of marketplaces that combine blockchain technologies. I currently expect a further increase in such thefts. Users should be careful. They currently have to manage two types of wallets: one for the majority of their cryptocurrencies and another for specific transactions only. However, if only the wallet for specific transactions is attacked, users may still be in a position not to lose everything. Either way, CPR will continue to research the security implications of new blockchain technology.”
CPR recommends caution and vigilance when receiving signature requests on such marketplaces, including requests that appear to come from within the marketplace itself. Before approving a request, users should carefully review what is actually being requested and decide whether it is unusual or suspicious.
If in doubt, they should deny the request and look into it further before granting approval. Users are also advised to check and revoke existing token approvals at this link: https://etherscan.io/tokenapprovalchecker.
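The two checks recommended above, reviewing what a signature request actually does before approving it and revoking an operator approval afterwards, carried out in code. This is an added example and is not Check Point’s or Rarible’s code: it decodes the calldata of a pending transaction against the standard ERC-20/ERC-721 function selectors and flags any approval granted to an operator that is not on a caller-supplied allowlist. The function selectors are the standard ones (first four bytes of the keccak-256 of the signature); the marketplace and attacker addresses are made-up placeholders, and the allowlist is an assumption the caller has to supply from a trusted source.

```python
"""Review an EVM transaction's calldata before signing, and build a revocation.

Added example, not from Check Point Research or Rarible. Selectors are the
standard ERC-20 / ERC-721 / ERC-1155 ones; the addresses are constructed.
"""
from typing import Dict, List

# selector -> (function name, argument types). Hard-coded so the example
# runs offline without a keccak library.
SELECTORS = {
    "a22cb465": ("setApprovalForAll", ["address", "bool"]),           # ERC-721 / ERC-1155
    "095ea7b3": ("approve", ["address", "uint256"]),                  # ERC-20 amount or ERC-721 tokenId
    "23b872dd": ("transferFrom", ["address", "address", "uint256"]),
    "42842e0e": ("safeTransferFrom", ["address", "address", "uint256"]),
}
UINT256_MAX = 2**256 - 1

# Constructed placeholder addresses for the example.
MARKET = "0x" + "cd" * 20     # stands in for the marketplace's operator contract
ATTACKER = "0x" + "ab" * 20   # stands in for a phishing contract


def _strip0x(h: str) -> str:
    return h[2:] if h.startswith("0x") else h


def decode_calldata(calldata_hex: str) -> Dict:
    """Split calldata into selector and ABI-decoded static arguments."""
    data = bytes.fromhex(_strip0x(calldata_hex))
    if len(data) < 4:
        raise ValueError("calldata shorter than a selector")
    sel = data[:4].hex()
    if sel not in SELECTORS:
        return {"function": None, "selector": sel, "args": []}
    name, types = SELECTORS[sel]
    args = []
    for i, t in enumerate(types):
        word = data[4 + 32 * i: 4 + 32 * (i + 1)]
        if len(word) != 32:
            raise ValueError(f"calldata truncated at argument {i}")
        if t == "address":
            if any(word[:12]):
                raise ValueError("non-zero padding in address word")
            args.append("0x" + word[12:].hex())
        elif t == "bool":
            if any(word[:31]) or word[31] not in (0, 1):
                raise ValueError("malformed bool word")
            args.append(word[31] == 1)
        else:
            args.append(int.from_bytes(word, "big"))
    return {"function": name, "selector": sel, "args": args}


def review_request(calldata_hex: str, trusted_operators: List[str]) -> str:
    """Return 'ok', 'review' or 'deny' for a pending transaction request.

    Anything that hands control of assets to an address outside the allowlist
    is denied; anything this decoder cannot fully interpret is sent to review.
    """
    trusted = {a.lower() for a in trusted_operators}
    req = decode_calldata(calldata_hex)
    fn, args = req["function"], req["args"]
    if fn == "setApprovalForAll":
        operator, approved = args
        if not approved:
            return "ok"                    # revocation is always fine
        return "ok" if operator.lower() in trusted else "deny"
    if fn == "approve":
        spender, value = args
        if spender.lower() not in trusted:
            return "deny"
        # The same selector serves ERC-20 (amount) and ERC-721 (tokenId), so an
        # unlimited ERC-20 allowance can only be recognised by its magic value.
        return "review" if value == UINT256_MAX else "ok"
    # Direct transfers and unknown selectors: a human has to look.
    return "review"


def encode_set_approval_for_all(operator: str, approved: bool) -> str:
    """ABI-encode setApprovalForAll(operator, approved)."""
    addr = bytes.fromhex(_strip0x(operator))
    if len(addr) != 20:
        raise ValueError("operator is not a 20-byte address")
    return ("0xa22cb465" + addr.rjust(32, b"\0").hex()
            + int(approved).to_bytes(32, "big").hex())


def build_revoke_calldata(operator: str) -> str:
    """Calldata that revokes an operator: setApprovalForAll(operator, false)."""
    return encode_set_approval_for_all(operator, False)


if __name__ == "__main__":
    phishing = encode_set_approval_for_all(ATTACKER, True)  # constructed request
    print(decode_calldata(phishing), "->", review_request(phishing, [MARKET]))
    print("revoke:", build_revoke_calldata(ATTACKER))
```

The decoder only covers on-chain transactions with static arguments; off-chain EIP-712 order signatures, which marketplaces also ask users to sign, need a separate typed-data review, and the allowlist must come from the marketplace’s published contract addresses rather than from the page that issues the request.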