Check Point Discovers Further Vulnerabilities in NFT Trading and Crypto Currency


Vulnerability in the large NFT marketplace Rarible

Security researchers from Check Point Research (CPR) discovered a vulnerability in the NFT marketplace Rarible. Exploiting it could have led to the theft of any user's NFTs and cryptocurrency; a single fraudulent transaction would have been enough. Immediately after the discovery, CPR reported the vulnerability to Rarible on April 5, and Rarible acknowledged the report. The researchers believe the vulnerability should have been closed by the time this article was published, but cannot confirm this. Rarible is the second NFT marketplace in which CPR has discovered a dangerous vulnerability: in October 2021 the researchers found a similar one in OpenSea, the world's largest NFT marketplace.

The attack would have been launched from a malicious NFT hosted within the Rarible marketplace itself, a site users regard as trustworthy. The fraudster's target would either receive a link to the malicious NFT and trigger the attack by clicking on it, or would browse the marketplace, come across the malicious but harmless-looking NFT by chance, and click on it. The malicious NFT executes JavaScript code that asks the user to grant a blanket approval, ApprovalForAll, over their tokens. If the user confirms this carelessly, they hand over access to their NFTs and crypto tokens, and with a single transaction the attackers could then empty the victim's NFT and cryptocurrency wallets.

The experts became aware of this attack pattern on April 1, when NFTs were stolen from Taiwanese singer Jay Chou and sold on the Rarible marketplace for $500,000. Chou was tricked into agreeing to a similarly constructed request, which then granted access to his Bored Ape NFT 3788 in a single transaction. Rarible reported $273 million in revenue on its marketplace for 2021, making the platform one of the largest in the industry.

Oded Vanunu, Head of Products Vulnerabilities Research at Check Point Software

Oded Vanunu, Head of Products Vulnerability Research at Check Point Software Technologies, explains: “CPR has invested considerable resources in investigating the intersection of cryptocurrency and IT security. We are still seeing a lot of efforts from cyber criminals who are trying to make big profits from cryptocurrencies and especially from NFT marketplaces. Last October, we discovered critical vulnerabilities in OpenSea, the world’s largest NFT marketplace. Now we have found similar vulnerabilities in Rarible. In terms of security, there is still a big gap between the Web2 and the Web3 infrastructure. Every little vulnerability opens a backdoor for hackers to hijack crypto wallets behind the scenes. We are still in a state where marketplaces that combine Web3 protocols do not have a solid security practice. The consequences of a crypto hack can also be extreme. We have seen how millions of US dollars have been captured from users of marketplaces that combine blockchain technologies. At the moment, I expect a further increase in these thefts. Users need to be careful. You currently have to manage two types of wallets: one for the majority of your cryptocurrencies and another only for certain transactions. However, if only the wallet for certain transactions is attacked, users may not lose everything. In any case, CPR will continue to explore the impact of the new blockchain technology on security.”

CPR recommends that users be careful and attentive when they receive signing requests on such marketplaces, including requests that originate within the marketplace itself. Before approving a request, users should look carefully at what is actually being requested and consider whether it seems unusual or suspicious. If in doubt, they should refuse the request and examine it further before granting approval. Users are also advised to revoke existing token approvals whenever they are unsure about them.
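The following is an added example (not Check Point's, Rarible's, or any wallet's code) showing what the two points above look like in practice: it decodes an ERC-721/ERC-1155 setApprovalForAll(address,bool) signing request of the kind the malicious NFT triggers, flags approvals granted to an operator outside a trusted allowlist, and builds the matching revoke call. The operator allowlist and the sample calldata are constructed for illustration; the only real-world constant is the function selector.

```python
# Wallet-side pre-signing check for blanket ERC-721/ERC-1155 approvals.
# Selector 0xa22cb465 = first 4 bytes of keccak256("setApprovalForAll(address,bool)").
SET_APPROVAL_FOR_ALL = "a22cb465"

# Hypothetical allowlist: operator contracts the user has knowingly chosen to trust.
TRUSTED_OPERATORS = {"0x" + "1" * 40}


def _strip_0x(hexstr: str) -> str:
    s = hexstr.lower()
    return s[2:] if s.startswith("0x") else s


def decode_set_approval_for_all(calldata: str):
    """Return (operator, approved) if calldata is setApprovalForAll, else None."""
    data = _strip_0x(calldata)
    # 4-byte selector + two 32-byte ABI words, hex-encoded
    if len(data) != 8 + 64 + 64 or data[:8] != SET_APPROVAL_FOR_ALL:
        return None
    operator_word, approved_word = data[8:72], data[72:136]
    if operator_word[:24] != "0" * 24:   # address is right-aligned in its word
        return None
    approved = int(approved_word, 16)
    if approved not in (0, 1):           # bool must be exactly 0 or 1
        return None
    return "0x" + operator_word[24:], bool(approved)


def assess_request(calldata: str) -> str:
    """Classify a signing request as 'ok', 'revoke', 'BLOCK' or 'other'."""
    decoded = decode_set_approval_for_all(calldata)
    if decoded is None:
        return "other"                   # not a blanket approval; needs its own checks
    operator, approved = decoded
    if not approved:
        return "revoke"                  # removing an operator never grants access
    return "ok" if operator in TRUSTED_OPERATORS else "BLOCK"


def build_revoke_calldata(operator: str) -> str:
    """Calldata for setApprovalForAll(operator, false), used to undo a bad approval."""
    addr = _strip_0x(operator).rjust(64, "0")
    return "0x" + SET_APPROVAL_FOR_ALL + addr + "0" * 64


# Constructed sample: an approval request naming an unknown operator (0xdead...dead).
MALICIOUS_REQUEST = "0x" + SET_APPROVAL_FOR_ALL + "0" * 24 + "dead" * 10 + "0" * 63 + "1"

if __name__ == "__main__":
    print(assess_request(MALICIOUS_REQUEST))                 # BLOCK
    print(assess_request(build_revoke_calldata("0x" + "dead" * 10)))  # revoke
```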
