Vulnerability in the large NFT marketplace Rarible
Security researchers from Check Point Research (CPR) discovered a security vulnerability in the NFT marketplace Rarible. Exploiting it could have led to the theft of any user's NFTs and cryptocurrencies; a single fraudulent transaction would have been enough. Immediately after the discovery, CPR reported the vulnerability to Rarible on April 5, which acknowledged the warning. The security researchers believe the vulnerability should have been closed by the time this message was published, but do not confirm this. Rarible is the second NFT marketplace in which CPR has discovered a dangerous vulnerability: in October 2021 the researchers found something similar in OpenSea, the world's largest NFT marketplace.
The researchers became aware of the issue on April 1, when NFTs were stolen from Taiwanese singer Jay Chou and sold on the Rarible marketplace for $500,000. Chou was tricked into agreeing to a similarly crafted request, which then gave access to his Bored Ape NFT 3788 via a transaction. Rarible reported $273 million in revenue on its marketplace for 2021, making the platform one of the largest ever.
Oded Vanunu, Head of Products Vulnerabilities Research at Check Point Software
Oded Vanunu, Head of Products Vulnerabilities Research at Check Point Software Technologies, explains: “CPR has invested considerable resources in investigating the intersection of cryptocurrency and IT security. We are still seeing a lot of efforts from cyber criminals who are trying to make big profits from cryptocurrencies and especially from NFT marketplaces. Last October, we discovered critical vulnerabilities in OpenSea, the world’s largest NFT marketplace. Now we have found similar vulnerabilities in Rarible. In terms of security, there is still a big gap between the Web2 and the Web3 infrastructure. Every little vulnerability opens a backdoor for hackers to hijack crypto wallets behind the scenes. We are still in a state where marketplaces that combine Web3 protocols do not have a solid security practice. The consequences of a crypto hack can also be extreme. We have seen how millions of US dollars have been captured by users of marketplaces that combine blockchain technologies. At the moment, I expect a further increase in these thefts. Users need to be careful. You currently have to manage two types of wallets: one for the majority of your cryptocurrencies and another only for certain transactions. That way, if only the wallet for certain transactions is attacked, users may still avoid losing everything. In any case, CPR will continue to explore the impact of the new blockchain technology on security.”
CPR recommends that users be careful and attentive when receiving requests to sign on such marketplaces, including from within the marketplace itself. Before approving a request, users should carefully consider what is being requested and whether it seems unusual or suspicious. If in doubt, they should refuse the request and consider it further before granting approval. Users are also advised to revoke token approvals if they are in doubt.
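What "carefully consider what is being requested" means in practice for an ERC-721 signing request, as an added example that is not code from CPR or Rarible: the script decodes the calldata a wallet asks the user to sign, flags a `setApprovalForAll(operator, true)` grant (which lets the operator move every token of that collection), and builds the `setApprovalForAll(operator, false)` calldata that revokes it. The sample request and the operator address `0x1111...` are constructed for the demonstration; the function selectors are the standard ERC-721 ones.

```python
# Added example, not code from CPR or Rarible: decode the calldata behind a
# wallet signing request, flag blanket approvals, and build the revoke call.
# Selectors are the first 4 bytes of keccak-256 over the canonical signature.
SELECTORS = {
    "a22cb465": "setApprovalForAll(address,bool)",
    "095ea7b3": "approve(address,uint256)",  # same selector as ERC-20 approve
    "23b872dd": "transferFrom(address,address,uint256)",
    "42842e0e": "safeTransferFrom(address,address,uint256)",
}

# Constructed sample: a request granting operator 0x1111...11 approval for all tokens.
SAMPLE_REQUEST = "0xa22cb465" + "00" * 12 + "11" * 20 + "00" * 31 + "01"

def _word(data: bytes, i: int) -> bytes:
    """Return the i-th 32-byte ABI word after the 4-byte selector."""
    start = 4 + 32 * i
    if len(data) < start + 32:
        raise ValueError("calldata truncated")
    return data[start:start + 32]

def _addr(word: bytes) -> str:
    """An address is the low 20 bytes of its word; the 12 high bytes must be zero."""
    if any(word[:12]):
        raise ValueError("address word has non-zero padding")
    return "0x" + word[12:].hex()

def inspect_calldata(calldata_hex: str) -> dict:
    """Describe what signing this calldata authorises, with a risk label."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    sig = SELECTORS.get(data[:4].hex())
    if sig is None:
        return {"function": None, "risk": "unknown selector; inspect before signing"}
    if sig.startswith("setApprovalForAll"):
        approved = int.from_bytes(_word(data, 1), "big") != 0
        risk = ("BLANKET approval: operator may move every token you own in this "
                "collection" if approved else "revokes a blanket approval")
        return {"function": sig, "operator": _addr(_word(data, 0)),
                "approved": approved, "risk": risk}
    if sig.startswith("approve"):
        return {"function": sig, "spender": _addr(_word(data, 0)),
                "token_id_or_amount": int.from_bytes(_word(data, 1), "big"),
                "risk": "single-token (or ERC-20 allowance) approval"}
    return {"function": sig, "risk": "moves a token out of your wallet"}

def revoke_calldata(operator: str) -> str:
    """Calldata for setApprovalForAll(operator, false), which revokes the grant."""
    op = bytes.fromhex(operator.removeprefix("0x"))
    if len(op) != 20:
        raise ValueError("operator must be a 20-byte address")
    return "0x" + "a22cb465" + op.rjust(32, b"\0").hex() + (0).to_bytes(32, "big").hex()
```

Running `inspect_calldata(SAMPLE_REQUEST)` labels the request as a blanket approval for operator `0x1111...`; the revoke calldata is sent to the NFT contract from the owning wallet.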