Check Point, an American-Israeli multinational that makes hardware and software for IT security, has discovered a security weakness in Rarible, a prominent NFT marketplace with over two million monthly active users.
Rarible has a security flaw.
According to CPR, if the issue had been exploited, a bad actor would have been able to drain both a user’s NFTs and cryptocurrency wallets in a single transaction.
Rarible is one of the most well-established NFTF markets. In 2021, it reported a trading volume of more than $273 million. As a result, platform users are “less suspicious and accustomed with submitting transactions,” according to CPR.
On April 5th, researchers at the firm notified Rarible of the discovery, and the NFT platform instantly acknowledged and remedied the vulnerability.
CPR outlines the attack method as follows:
“Victim receives a link to the malicious NFT or browses the marketplace and clicks on it.”
“The Malicious NFT executes JavaScript code and attempts to send a setApprovalForAll request to the victim.”
“Victim submits the request and grants full access to this NFT’s/Crypto Token to the attacker.”
After a prominent Taiwanese musician, Jay Chou, was a victim of a similar cyber-attack, CPR grew interested in these types of situations. Assailants allegedly stole Chou’s NFT and later sold it for $500,000.
Last October, the firm discovered serious security vulnerabilities on OpenSea, which may have allowed attackers to “hijack user accounts and steal whole cryptocurrency wallets by crafting malicious NFTs,” according to the firm.
It further advised users to proceed with caution when analyzing the information being asked. They should deny the request and investigate it further before issuing any form of authorization if it appears strange or suspicious.
Attacks on NFT Marketplaces are rampant.
The development comes just over a month after hundreds of NFTs were stolen in a series of transactions on the Arbitrum-based NFT marketplace TreasureDAO. The hostile organizations took use of a security flaw in the protocol to mint non-fungible tokens for free.
At the start of the year, the front-end of OpenSea was also used to target members of the Bored Ape Yacht Club (BAYC). The attacker was able to take roughly $750K worth of ETH, as previously reported.
Related Posts – Ferrari joins the NFT universe through a collaboration with a Swiss…
