Check Point Research (CPR) recently identified a security flaw in Rarible, one of the largest NFT marketplaces. The flaw exposed Rarible's two million active users to the risk of having their NFTs and crypto tokens stolen.
In the attack method outlined by CPR, a user receives a link to a malicious NFT or finds it on the marketplace. If the user clicks on it, the malicious NFT executes JavaScript code and attempts to send a 'setApprovalForAll' request to the victim.
Approving this request gives the attacker complete control over the victim's wallet, exposing all of their NFTs and crypto tokens.
CPR alerted Rarible on April 5; Rarible then worked with CPR's researchers and fixed the flaw.
CPR advises users to carefully review every request before granting it permission. It also advises users to review and revoke token approvals via Etherscan's request tracker.
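The following is an added example, not code from the article, from CPR or from Rarible. It shows what "carefully review every request" means in practice: a wallet-side check that decodes the raw calldata behind a signing prompt, recognises a blanket `setApprovalForAll(operator, true)` grant, flags an operator the user does not already trust, and builds the matching revoke call. The only hard-coded value is the standard ERC-721/ERC-1155 function selector for `setApprovalForAll(address,bool)` (`0xa22cb465`); the operator addresses and the sample prompt are constructed placeholders, and the `assessApprovalRequest` / `encodeRevokeApproval` helper names are my own.

```javascript
// Added example: decode a setApprovalForAll prompt and build the revoke call.
// Dependency-free ABI handling for this one function; not Rarible or CPR code.

// Standard ERC-721/ERC-1155 selector: keccak256("setApprovalForAll(address,bool)")[0:4]
const SET_APPROVAL_FOR_ALL = "0xa22cb465";

// Decode 0x-prefixed calldata. Returns { operator, approved } for a well-formed
// setApprovalForAll call, or null for anything else (other functions, bad ABI).
function decodeSetApprovalForAll(data) {
  if (typeof data !== "string" || !/^0x[0-9a-fA-F]*$/.test(data)) return null;
  const hex = data.toLowerCase();
  // 4-byte selector + two 32-byte ABI words = 68 bytes = 136 hex chars, plus "0x"
  if (hex.length !== 2 + 136) return null;
  if (hex.slice(0, 10) !== SET_APPROVAL_FOR_ALL) return null;
  const word1 = hex.slice(10, 74); // address, right-aligned in its word
  const word2 = hex.slice(74, 138); // bool, canonical 0 or 1
  if (!/^0{24}[0-9a-f]{40}$/.test(word1)) return null;
  if (!/^0{63}[01]$/.test(word2)) return null;
  return { operator: "0x" + word1.slice(24), approved: word2.endsWith("1") };
}

// Triage a pending prompt: a grant to an operator outside the user's allow-list
// (e.g. the marketplace's own known contract) is the case the article describes.
function assessApprovalRequest(data, trustedOperators) {
  const call = decodeSetApprovalForAll(data);
  if (!call) return { kind: "other", risk: "none" };
  if (!call.approved) return { kind: "revoke", risk: "none", operator: call.operator };
  const trusted = trustedOperators.map((a) => a.toLowerCase()).includes(call.operator);
  return { kind: "grant", risk: trusted ? "low" : "high", operator: call.operator };
}

// Calldata that undoes a blanket approval: setApprovalForAll(operator, false).
// This is what "revoke token approvals" ultimately sends to the NFT contract.
function encodeRevokeApproval(operator) {
  if (!/^0x[0-9a-fA-F]{40}$/.test(operator)) throw new Error("bad operator address");
  const addrWord = operator.slice(2).toLowerCase().padStart(64, "0");
  const boolWord = "0".repeat(64);
  return SET_APPROVAL_FOR_ALL + addrWord + boolWord;
}

// Constructed placeholders (not real contracts) and a constructed grant prompt.
const UNKNOWN_OPERATOR = "0x" + "ab".repeat(20);
const MARKETPLACE_OPERATOR = "0x" + "cd".repeat(20);
const SAMPLE_GRANT =
  SET_APPROVAL_FOR_ALL +
  UNKNOWN_OPERATOR.slice(2).padStart(64, "0") +
  "0".repeat(63) + "1";

console.log(assessApprovalRequest(SAMPLE_GRANT, [MARKETPLACE_OPERATOR]));
console.log(encodeRevokeApproval(UNKNOWN_OPERATOR));
```

A wallet or browser extension would run `assessApprovalRequest` on the `data` field of every `eth_sendTransaction` it is asked to sign and surface the decoded operator instead of an opaque hex blob; the same decoder, applied to a user's past transactions, lists which operators currently hold blanket approval and therefore which revoke calls to send.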
CPR is the cyber threat research arm of Check Point Software. Its research team collects global cyber attack data stored on the ThreatCloud and analyzes it.
CPR states that its interest in Rarible arose from a similar attack on Jay Chou, a famous Taiwanese singer whose NFT was stolen and sold for 500K.
Since NFTs and the Metaverse are still evolving concepts, they are prone to cyber attacks and theft. NFT marketplaces have to stay vigilant and run tight security checks to protect user assets.
In January, Rarible launched a new order management tool in which everyone can see and cancel their potentially risky sale orders on OpenSea.