Users could have lost all of their NFTs


The research arm of cybersecurity software company Check Point said it had identified a vulnerability in the Rarible NFT marketplace that could result in many of its roughly two million active monthly users losing their NFTs in a single transaction.

Check Point is a multinational IT security company founded in Ramat Gan, Israel in 1993, which also claimed to have detected issues related to malicious airdrops on OpenSea back in October 2021.

According to documents shared with Cointelegraph, Check Point Research (CPR) recently discovered that malicious actors could send users a dubious link to an NFT which, once clicked, executes JavaScript code that “attempts to issue a setApprovalForAll -Send request to victim”.

If the link is clicked, the user grants full access to their wallets on Rarible. CPR stated that it immediately notified Rarible on April 5, with the platform promptly acknowledging and fixing the vulnerability:

“If exploited, the vulnerability would have allowed an attacker to steal a user’s NFTs and cryptocurrency wallets in a single transaction. A successful attack would have come from a malicious NFT within the Rarible marketplace itself, where users are less suspicious and familiar with submitting transactions.”

NFT theft

Speaking to Cointelegraph, Oded Vanunu, Head of Products Vulnerabilities Research at Check Point Software, said his team became interested in this type of scam after Taiwanese singer Jay Chou fell victim to a similar attack. Chou's BoredApe #3738 NFT was stolen via a nefarious transaction earlier this month.

“When we saw that this NFT was stolen, it gave us the impetus to investigate further.” Such a vulnerability could also be possible on many other platforms, Vanunu said.

“Rarible quickly identified the vulnerability and fixed it by removing the option to upload SVG files. This ended the malicious NFT attack option,” confirmed Vanunu.


Vanunu declined to estimate the potential loss of value the vulnerability could have caused, as it “could have been triggered on any user on the platform”. Notably, a similar attack on just a single wallet of DeFiance Capital founder Arthur0x last month resulted in a loss of around 600 ether ($1.86 million).

CPR urged users to be diligent every time they approve requests on NFT platforms and to verify them all via Etherscan’s request tracker during times of uncertainty.
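The approval CPR warns about is an ERC-721/ERC-1155 `setApprovalForAll(operator, true)` call, which hands the named operator control over every token the user holds in that collection. The following is an added example, not code from the article, Check Point or Rarible: a wallet-side pre-flight check that decodes the calldata of a pending transaction request and flags any `setApprovalForAll` grant to an operator the user has not explicitly allow-listed. The selector `0xa22cb465` is the first four bytes of `keccak256("setApprovalForAll(address,bool)")` and is hardcoded to avoid a hashing dependency; the allow-list, the sample addresses and the `encodeSetApprovalForAll` helper are assumptions constructed for the example.

```javascript
// Added example (not from the article, Check Point or Rarible): a wallet-side
// pre-flight check that inspects the calldata of a pending eth_sendTransaction
// request and flags setApprovalForAll(operator, true), the approval the article
// says the malicious NFT tried to obtain from the victim.

// 4-byte selector = first 4 bytes of keccak256("setApprovalForAll(address,bool)").
// Shared by ERC-721 and ERC-1155; hardcoded here to avoid a keccak dependency.
const SET_APPROVAL_FOR_ALL_SELECTOR = "a22cb465";

// Decode a setApprovalForAll calldata blob. Returns null if it is not such a call.
function decodeSetApprovalForAll(data) {
  const hex = (data.startsWith("0x") ? data.slice(2) : data).toLowerCase();
  // selector (8 hex chars) + two 32-byte ABI words (64 hex chars each)
  if (hex.length !== 8 + 64 + 64) return null;
  if (hex.slice(0, 8) !== SET_APPROVAL_FOR_ALL_SELECTOR) return null;
  const operatorWord = hex.slice(8, 72);
  const approvedWord = hex.slice(72, 136);
  // An address is right-aligned in its word: the first 12 bytes must be zero.
  if (!/^0{24}[0-9a-f]{40}$/.test(operatorWord)) return null;
  // A bool is strictly 0 or 1 in the low byte, everything else zero.
  if (!/^0{63}[01]$/.test(approvedWord)) return null;
  return {
    operator: "0x" + operatorWord.slice(24),
    approved: approvedWord.endsWith("1"),
  };
}

// Decide whether a transaction request should be held for explicit user review.
// `allowedOperators` is a user-maintained allow-list of contract addresses (for
// example the marketplace's own exchange contract); it is an assumption of this example.
function assessApprovalRequest(txRequest, allowedOperators) {
  const decoded = decodeSetApprovalForAll(txRequest.data || "");
  if (decoded === null) {
    return { risk: "none", reason: "not a setApprovalForAll call" };
  }
  if (!decoded.approved) {
    // approved=false revokes an operator; that is the safe direction.
    return { risk: "none", reason: "revokes operator " + decoded.operator };
  }
  const allowed = allowedOperators.map((a) => a.toLowerCase()).includes(decoded.operator);
  if (allowed) {
    return {
      risk: "low",
      reason: "grants known operator " + decoded.operator + " control of all tokens in " + txRequest.to,
    };
  }
  return {
    risk: "high",
    reason: "grants UNKNOWN operator " + decoded.operator + " control of every token in collection " + txRequest.to,
    operator: decoded.operator,
  };
}

// Helper used only to build constructed sample calldata for this example.
function encodeSetApprovalForAll(operator, approved) {
  return (
    "0x" +
    SET_APPROVAL_FOR_ALL_SELECTOR +
    operator.slice(2).toLowerCase().padStart(64, "0") +
    (approved ? "1" : "0").padStart(64, "0")
  );
}

// Constructed placeholder addresses (not real contracts or wallets).
const sampleUnknownOperator = "0x" + "de".repeat(20); // attacker-controlled operator (placeholder)
const trustedExchange = "0x" + "ab".repeat(20);       // marketplace contract the user trusts (placeholder)
const collection = "0x" + "cc".repeat(20);            // NFT contract the request targets (placeholder)

// Usage: a request that would grant an unknown operator control of the whole collection.
console.log(
  assessApprovalRequest(
    { to: collection, data: encodeSetApprovalForAll(sampleUnknownOperator, true) },
    [trustedExchange]
  )
);
```

A wallet or browser extension would run `assessApprovalRequest` on every `eth_sendTransaction` before prompting the user, rendering a high-risk result as a blocking warning that names the operator address; the same decoder can be pointed at already-mined transactions to audit which operators currently hold blanket approvals over an account's collections.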

Cointelegraph has reached out to Rarible for comment on the matter and will update the story when the company responds.