A security flaw in the Rarible NFT (non-fungible token) marketplace allowed threat actors to use a relatively simple trick to steal digital assets and transfer them directly into their wallets.
Rarible is a community-centric NFT marketplace that offers up to 50% in royalties, with 2.1 million registered users, hundreds of millions of U.S. dollars in annual trading volume, and support for three blockchains.
The dangerous flaw in the marketplace was discovered by analysts at Check Point, who worked with Rarible to implement a fix.
However, users who have already fallen victim need to check for and revoke the token approvals they granted via past fraudulent transaction requests.
Hiding code inside NFTs
The problem stems from the intrinsic risk of the “setApprovalForAll” function, part of the EIP-721 NFT standard, which hands complete control of a holder’s NFT assets to another address.
By forging a transaction request that appears innocuous and asking the asset holder to sign it, phishing actors snatch their target’s NFTs or even assume wallet control without the victim seeing any alert.
The security flaw in Rarible is that the platform allowed users to upload media files of up to 100MB without reviewing them for potentially malicious content.
Based on that, Check Point’s researchers figured they could create an SVG image hiding a malicious JavaScript payload and upload it to Rarible as an NFT for sale.
Clicking on the NFT image or on the IPFS link would trigger code execution that results in the target receiving a “setApprovalForAll” transaction request in their browser.
Assuming that the victim is careless or doesn’t quite understand what the transaction is about, they may approve the request, giving the attacker access to their entire collection.
From there, the hackers may use the “transferFrom” action and simply steal the NFTs, transferring them to a wallet under their ownership. As with all blockchain transactions, this action is irreversible.
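The root cause described above is that uploaded SVG files reached users’ browsers with their active content intact. The following is an added example (not code from Check Point or Rarible) of the kind of pre-storage check a marketplace could run on an SVG upload: it parses the file as XML and flags script elements, event-handler attributes, `javascript:`/`data:` URLs, and animations that retarget `href`. The two sample SVGs and the function names are constructed for this illustration; the script body in the hostile sample is a placeholder comment, not a payload.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a benign SVG, as a marketplace would normally receive it.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <circle cx="50" cy="50" r="40" fill="teal"/>
</svg>"""

# Constructed sample: an SVG carrying active content. The <script> body is only a
# placeholder comment; it is the element itself that a scanner must reject.
ACTIVE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script>/* placeholder for embedded JavaScript */</script>
  <a xlink:href="javascript:void(0)"><rect width="10" height="10"/></a>
</svg>"""

# Elements that execute code or embed foreign documents (compared case-insensitively).
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
# URL-bearing attributes, with and without the xlink namespace ElementTree expands.
URL_ATTRS = {"href", "{http://www.w3.org/1999/xlink}href"}
ACTIVE_SCHEMES = ("javascript:", "data:")


def _local(qualified_name):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return qualified_name.rsplit("}", 1)[-1]


def find_active_content(svg_text):
    """Return a list of human-readable findings; an empty list means nothing active."""
    findings = []
    try:
        # Note: a production deployment should parse with defusedxml to block
        # entity-expansion attacks; the stdlib parser is used here to stay self-contained.
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable: {exc}"]

    for elem in root.iter():  # iter() walks the root and every descendant
        name = _local(elem.tag)
        if name.lower() in ACTIVE_TAGS:
            findings.append(f"element <{name}>")
        # <set>/<animate> can rewrite href at runtime, so treat href-targeting ones as active.
        if name.lower() in {"set", "animate"} and elem.get("attributeName", "").endswith("href"):
            findings.append(f"href animation via <{name}>")
        for attr, value in elem.attrib.items():
            aname = _local(attr)
            if aname.lower().startswith("on"):  # onload, onclick, onmouseover, ...
                findings.append(f"event handler {aname} on <{name}>")
            if (attr in URL_ATTRS or aname == "href") and \
                    value.strip().lower().startswith(ACTIVE_SCHEMES):
                findings.append(f"active URL in {aname} on <{name}>")
    return findings


def is_safe_svg(svg_text):
    """Upload gate: accept only SVGs with no active content at all."""
    return not find_active_content(svg_text)


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("active", ACTIVE_SVG)):
        print(label, "->", find_active_content(doc) or "clean")
```

A parse-and-reject gate like this is the first layer; serving user uploads from a separate origin with a `Content-Security-Policy` that forbids script, or rasterizing SVGs before display, removes the execution path even for files the scanner misses.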
Check Point’s report mentions a real-world abuse case targeting Taiwanese celebrity Jay Chou, who recently lost a “Bored Ape” NFT worth $500,000 to a transaction signature scammer.
How to protect your assets
It is important to underline that Rarible isn’t the only marketplace with this specific flaw, as Check Point discovered a very similar problem on OpenSea last year.
Essentially, the problem lies in the NFT transaction standard and in the ambiguity of signature requests, which makes it hard for asset holders to judge their authenticity and actual scope.
For this reason, whenever you receive a request to sign anything, examine it thoroughly to determine what’s involved. If you have doubts, don’t authorize the transaction.
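Examining a signature request means reading the calldata behind it. The following added example (not part of the article, and not a wallet’s own code) decodes the raw calldata of an ERC-721 call into the function name, its arguments, and the scope of what is being granted, so that a “setApprovalForAll” request stands out from a single-token transfer. The four selectors are the standard ones for those signatures (the first four bytes of keccak256 of the canonical signature); the operator and owner addresses and the token id are constructed placeholders.

```python
# Standard ERC-721 function selectors: first 4 bytes of keccak256(signature).
SELECTORS = {
    "a22cb465": ("setApprovalForAll", ["address", "bool"]),
    "23b872dd": ("transferFrom", ["address", "address", "uint256"]),
    "42842e0e": ("safeTransferFrom", ["address", "address", "uint256"]),
    "095ea7b3": ("approve", ["address", "uint256"]),
}

# What each call lets the counterparty do, from the asset holder's point of view.
RISK = {
    "setApprovalForAll": "collection-wide",   # operator may move EVERY token you hold
    "approve": "single-token",                # operator may move one token id
    "transferFrom": "immediate-transfer",     # the token leaves now
    "safeTransferFrom": "immediate-transfer",
}

# Constructed placeholder addresses for the sample requests below.
OWNER = "0x2222222222222222222222222222222222222222"
OPERATOR = "0x1111111111111111111111111111111111111111"


def address_word(addr):
    """ABI-encode an address as a 32-byte word (left-padded with zeros)."""
    return addr.removeprefix("0x").lower().rjust(64, "0")


def uint_word(n):
    """ABI-encode an unsigned integer (also used for bool: 1 = true) as a 32-byte word."""
    return format(n, "064x")


def encode_call(selector_hex, *words):
    """Build hex calldata from a selector and already-encoded argument words."""
    return "0x" + selector_hex + "".join(words)


def decode_calldata(calldata_hex):
    """Decode calldata into {'function', 'args', 'risk'} for the known selectors."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    selector = data[:4].hex()
    if selector not in SELECTORS:
        return {"function": "unknown", "selector": selector, "args": [], "risk": "unknown"}
    name, types = SELECTORS[selector]
    if len(data) < 4 + 32 * len(types):
        raise ValueError("calldata truncated for " + name)
    args = []
    for i, typ in enumerate(types):
        word = data[4 + 32 * i: 4 + 32 * (i + 1)]
        if typ == "address":
            args.append("0x" + word[12:].hex())          # last 20 bytes of the word
        elif typ == "bool":
            args.append(bool(int.from_bytes(word, "big")))
        elif typ == "uint256":
            args.append(int.from_bytes(word, "big"))
    return {"function": name, "args": args, "risk": RISK[name]}


def describe(calldata_hex):
    """One-line summary a user can read before deciding whether to sign."""
    d = decode_calldata(calldata_hex)
    if d["function"] == "setApprovalForAll" and d["args"][1]:
        return f"GRANTS {d['args'][0]} control of every token in this collection"
    return f"{d['function']}({', '.join(map(str, d['args']))}) [{d['risk']}]"


# Constructed sample requests: the approval a phishing page would ask for,
# and an ordinary single-token transfer for comparison.
SAMPLE_APPROVAL = encode_call("a22cb465", address_word(OPERATOR), uint_word(1))
SAMPLE_TRANSFER = encode_call("23b872dd", address_word(OWNER), address_word(OPERATOR), uint_word(42))

if __name__ == "__main__":
    print(describe(SAMPLE_APPROVAL))
    print(describe(SAMPLE_TRANSFER))
```

The same decoder, run over a wallet’s past transactions, lists every operator that was ever granted collection-wide approval, which is exactly what the approval checkers mentioned next surface for revocation.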
Users are advised to use this token approval checker to review their previous approvals and revoke those that seem fraudulent.
Due to the way these attacks work, there’s often a delay between access approvals and asset transfer, so there may still be time for some victims.
As pioneering as blockchain tech may be, the protection of user assets still lags behind, so investors need to be extra cautious with everything they sign.