- Check Point Research identifies a vulnerability within the Rarible NFT Marketplace that allows attackers to take over cryptocurrency wallets
- By luring victims to click on a malicious NFT, an attacker can take full control of the victim’s crypto wallet to steal funds
- CPR immediately reported this flaw to Rarible, which acknowledged and installed a fix
- CPR urges users to remain aware and offers preventive actions
Background and responsible disclosure
Rarible is an NFT marketplace that enables users to create, buy, and sell digital NFT art like photographs, games, and memes. The company reported over $273 million trading volume in 2021, and more than 2.1 million users, making Rarible one of the biggest NFT marketplaces in the world as they also support 3 blockchains with over 400k NFT’s minted. In addition, Rarible provides NFT creators with a large earning potential through royalties, as these creators can earn up to 50% in royalties whenever someone resells their NFT on the secondary market.
Check Point Researchers found a design flaw within the marketplace that can potentially allow attackers take over users’ cryptocurrency wallets, by luring them to click on a malicious NFT, and take full control over their account, including the funds in it.
Check Point research immediately alerted Rarible about this potential risk, who then collaborated with our researchers, acknowledged the flaw and installed a fix.
Non-Fungible Token has a standard (EIP-721), which provides basic functionality to track and transfer NFTs. This standard has a function called setApprovalForAll. This function basically designates who is authorized to control all your tokens/NFTs, which is mainly created for 3rd parties like Rarible/OpenSea, etc. to control the NFT/tokens on behalf of the users.
This function is very dangerous by design because this may allow anyone to control your NFTs if you get tricked into signing it. It’s not always clear to users exactly what permissions they are giving by signing a transaction. Most of the time, the victim assumes these are regular transactions when in fact, they were giving control over their own NFTs.
Attackers use this kind of transaction usually in phishing attacks, but when it comes from the NFT marketplace itself, it is much more dangerous. We looked at the Rarible NFT marketplace which allows anyone to create and sell art. Art can be anything that ends with the following extensions: PNG, GIF, SVG, MP4, WEBM, MP3. Max size: 100 MB.
CPR decided to check the outcome of creating malicious art that contains code in it, for example, an SVG image. We created a simple SVG file and uploaded it with a simple payload, which looked like this:
What so great about wallet transactions is it doesn’t have to run under the same domain, so we don’t need any private information such as cookies, or sessions, all the victim needs is a wallet and the attacker will use the JSON-RPC to abuse it Our payload first checks what NFTs the victim has, by using Ethereum API “tokennfttx”:
Then we loop through all the NFTs, sending the setApprovalForAll transaction to the wallet.
In this example, we just focused on the BoredApeClub Contract:
By clicking on the confirm button, the attacker will have full access to all the NFTs the victim has under the desired contract ,which is full access to all the victim’s BoredApeClub NFTs:
The attacker can now transfer all the NFTs to his account by using the transferFrom action on the boardApeClub contract because the victim has ‘allowed’ him to do so:
This same attack vector was used in the first week of April, when an attacker tricked Jay Chou, a famous Taiwanese singer, songwriter, rapper, record producer, and actor. To click on a setApprovalForAll request which granted the attacker full access to Chou’s BoardAppeNFT’s 3738 NFT, this transaction can be seen here:
After Chou submitted the request and granted the attacker access to the NFT, the attacker transferred the NFT to the attacker’s own wallet 0xe34f004bdef6f069b92dc299587d6c8a731072da, and later Sold the NFT on the marketplace for $500,000.
NFT users should be aware that there are various wallet requests - some of them are used just to connect the wallet, but others may provide full access to their NFTs and Tokens.
How to protect yourself?
- CPR recommends being careful and aware whenever receiving requests to sign any link within the Rarible marketplace, or any other marketplace.
- Prior to approving a request, users should carefully review what is being requested, and consider whether the request seems abnormal or suspicious.
- If there are any doubts, users are advised to reject the request and examine it further before providing any kind of authorization.
- Users are advised to review and revoke token approvals under this link: https://etherscan.io/tokenapprovalchecker.
Blockchain innovation is fast-underway and NFTs are here to stay. Given the sheer pace of innovation, there is an inherent challenge in securely integrating software applications and crypto markets. Threat actors know they have an open window right now to take advantage of, with consumer adoption spiking, while security measures in this space still needs to catch up. The cyber security community must step up to help pioneering blockchain technologies secure the crypto assets of consumers.
*Disclamier: "The pages slugged ‘Press Release’ are equivalent to advertisements and are not written and produced by Industry Outreach Magazine journalists/Editorial." We do not hold any copyrights towards the content or image. Image source: Newswire