Flaw in Rarible NFT Market Allowed Theft of Crypto Assets
A security flaw in the Rarible NFT (non-fungible token) marketplace allowed threat actors to use a relatively simple trick to steal digital assets and transfer them directly into their wallets.
Rarible is a community-centric NFT marketplace that offers creators up to 50% in royalties, has 2.1 million registered users and hundreds of millions of U.S. dollars in annual trading volume, and supports three blockchains.
The dangerous flaw in the marketplace was discovered by analysts at Check Point, who worked with Rarible to implement a fix.
However, users who have already fallen victim need to check for and revoke the token approvals they granted via past fraudulent transaction requests.
Hiding code inside NFTs
The problem stems from the intrinsic risk of the "setApprovalForAll" function defined in the ERC-721 (EIP-721) NFT standard: a single call designates another address as an operator for every token the caller owns in that contract, which amounts to handing complete control of those assets to someone else.
By forging a transaction request that appears innocuous and asking the asset holder to sign it, phishing actors can snatch their target's NFTs, or even assume control of the wallet's holdings, without any alert to the victim.
The security flaw in Rarible is that the platform allowed users to upload media files of up to 100MB without reviewing them for potentially malicious content.
Clicking on the NFT image or on the IPFS link would trigger code execution in the victim's browser, resulting in a "setApprovalForAll" transaction request being pushed to their wallet.
If the victim is careless or doesn't quite understand what the transaction is about, they may approve the request, giving the attacker operator rights over their entire collection in that contract.
From there, the attacker can call "transferFrom" on each token and simply move the NFTs into a wallet under their own control. Like any confirmed on-chain transaction, these transfers cannot be reversed.
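To make the approval-then-transfer sequence concrete, here is a minimal in-memory model of the ERC-721 rules involved. It is an added illustration written for this article, not code from Rarible, Check Point or any real contract: it mirrors the standard's semantics for setApprovalForAll, approve and transferFrom (without events, safe-transfer receiver checks or a chain), so the attack and the effect of revoking the approval can be stepped through offline. Addresses and token IDs are constructed placeholders.

```python
"""Toy model of ERC-721 approval semantics behind the Rarible phishing flow.
Added example, not Rarible's or Check Point's code; no blockchain involved."""
from dataclasses import dataclass, field


class NotAuthorized(Exception):
    """Raised where a real contract would revert."""


@dataclass
class ERC721:
    owner_of: dict = field(default_factory=dict)            # token_id -> owner
    token_approvals: dict = field(default_factory=dict)     # token_id -> single approved address
    operator_approvals: dict = field(default_factory=dict)  # (owner, operator) -> bool

    def mint(self, to, token_id):
        self.owner_of[token_id] = to

    def set_approval_for_all(self, sender, operator, approved):
        # One signature puts every token `sender` owns in this contract in scope.
        self.operator_approvals[(sender, operator)] = approved

    def is_approved_for_all(self, owner, operator):
        return self.operator_approvals.get((owner, operator), False)

    def approve(self, sender, to, token_id):
        owner = self.owner_of[token_id]
        if sender != owner and not self.is_approved_for_all(owner, sender):
            raise NotAuthorized("approve: caller is not owner nor operator")
        self.token_approvals[token_id] = to

    def transfer_from(self, sender, from_addr, to, token_id):
        owner = self.owner_of[token_id]
        if owner != from_addr:
            raise NotAuthorized("transferFrom: from is not the owner")
        if not (sender == owner
                or self.token_approvals.get(token_id) == sender
                or self.is_approved_for_all(owner, sender)):
            raise NotAuthorized("transferFrom: caller is not owner nor approved")
        self.token_approvals.pop(token_id, None)  # per-token approval clears on transfer
        self.owner_of[token_id] = to


def can_transfer(nft, sender, from_addr, token_id):
    """True if `sender` could move `token_id` away from `from_addr` right now."""
    try:
        nft.transfer_from(sender, from_addr, sender, token_id)
    except NotAuthorized:
        return False
    nft.owner_of[token_id] = from_addr  # undo: this is only a check
    return True


def run_attack(revoke_before_theft):
    """Replay the flow: victim signs setApprovalForAll, attacker drains with transferFrom.
    Returns (stolen token ids, final owner map). Addresses are placeholders."""
    nft = ERC721()
    victim, attacker = "0xVICTIM", "0xATTACKER"
    for token_id in (1, 2, 3):
        nft.mint(victim, token_id)
    # Step 1: malicious page prompts setApprovalForAll(attacker, true); victim signs it.
    nft.set_approval_for_all(victim, attacker, True)
    # Victim may spot the approval (e.g. with an approval checker) and revoke it in time.
    if revoke_before_theft:
        nft.set_approval_for_all(victim, attacker, False)
    # Step 2: attacker calls transferFrom per token, sending each to their own wallet.
    stolen = []
    for token_id in (1, 2, 3):
        try:
            nft.transfer_from(attacker, victim, attacker, token_id)
            stolen.append(token_id)
        except NotAuthorized:
            pass
    return stolen, dict(nft.owner_of)


if __name__ == "__main__":
    print("no revocation:", run_attack(revoke_before_theft=False))
    print("revoked first:", run_attack(revoke_before_theft=True))
```

The point the model makes visible is that the approval is a separate state change from the theft: nothing is taken at signing time, and a revocation that lands before the attacker's transferFrom calls makes them revert.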
Check Point’s report mentions a real-world abuse case targeting Taiwanese celebrity Jay Chou, who recently lost a $500,000-worth “Bored Ape” NFT to a transaction signature scammer.
How to protect your assets
It is important to underline that Rarible isn’t the only marketplace with this specific flaw, as Check Point discovered a very similar problem on OpenSea last year.
Essentially, the problem lies in the NFT transaction standard and the ambiguity of the signature requests, which makes it hard for asset holders to judge whether a request is legitimate and what it actually grants.
For this reason, whenever you receive a request to sign anything, examine it thoroughly: which contract it is sent to, which function it calls, and which address would be approved. If you have any doubts, don't authorize the transaction.
Users are advised to use a token approval checker to review their previous approvals and revoke those that look fraudulent.
Because of the way these attacks work, there is often a delay between the approval being granted and the assets being transferred, so some victims may still have time to revoke it.
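The two checks recommended above, reading a signature request before approving it and reviewing past approvals, can both be done without trusting the page that produced the prompt. The following is an added example for this article, not code from Check Point, Rarible or any wallet: it decodes the calldata of a {to, data} transaction request and flags a setApprovalForAll(operator, true) as dangerous, replays ApprovalForAll event logs the way an approval checker does to list operators still approved, and builds the calldata for the revoking setApprovalForAll(operator, false). The function selectors and event topic are the standard ERC-721/ERC-20 ones; the addresses, transaction and logs are constructed.

```python
"""Inspect wallet signature requests and outstanding operator approvals.
Added example, not from the article, Check Point, Rarible or any wallet."""

# keccak256(signature)[:4] for the calls that matter when reviewing a prompt
SELECTORS = {
    "a22cb465": ("setApprovalForAll", ["address", "bool"]),
    "095ea7b3": ("approve", ["address", "uint256"]),
    "23b872dd": ("transferFrom", ["address", "address", "uint256"]),
    "42842e0e": ("safeTransferFrom", ["address", "address", "uint256"]),
}
# keccak256("ApprovalForAll(address,address,bool)"): topic0 emitted by setApprovalForAll
APPROVAL_FOR_ALL_TOPIC = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"


def _hex(s):
    return s[2:] if s.startswith("0x") else s


def _decode_word(typ, word):
    """Decode one 32-byte ABI word (64 hex chars) of a static type."""
    if typ == "address":
        return "0x" + word[-40:].lower()
    if typ == "bool":
        return int(word, 16) != 0
    return int(word, 16)  # uint256


def _encode_word(typ, value):
    if typ == "address":
        return _hex(value).lower().rjust(64, "0")
    return format(int(value), "064x")  # bool / uint256


def decode_calldata(calldata):
    data = _hex(calldata).lower()
    sel, args = data[:8], data[8:]
    if sel not in SELECTORS:
        return {"function": None, "selector": "0x" + sel, "args": []}
    name, types = SELECTORS[sel]
    if len(args) < 64 * len(types):
        raise ValueError("calldata too short for " + name)
    values = [_decode_word(t, args[i * 64:(i + 1) * 64]) for i, t in enumerate(types)]
    return {"function": name, "selector": "0x" + sel, "args": values}


def assess_request(tx):
    """Return (verdict, explanation) for a {"to": contract, "data": calldata} request."""
    call = decode_calldata(tx["data"])
    fn, args = call["function"], call["args"]
    if fn == "setApprovalForAll" and args[1]:
        return "DANGER", f"gives {args[0]} the right to move every token you own in {tx['to']}"
    if fn == "setApprovalForAll":
        return "OK", f"revokes operator {args[0]} on {tx['to']}"
    if fn == "approve":
        return "CAUTION", f"lets {args[0]} take token/amount {args[1]} from {tx['to']}"
    if fn is None:
        return "UNKNOWN", f"unrecognised selector {call['selector']}; do not sign blind"
    return "INFO", f"{fn} moves token {args[2]} from {args[0]} to {args[1]}"


def outstanding_operators(logs, owner):
    """Replay ApprovalForAll logs in chain order; the last value per (contract, operator) wins."""
    state = {}
    for log in sorted(logs, key=lambda l: (l["block"], l["index"])):
        if log["topics"][0] != APPROVAL_FOR_ALL_TOPIC:
            continue
        if _decode_word("address", _hex(log["topics"][1])) != owner.lower():
            continue
        operator = _decode_word("address", _hex(log["topics"][2]))
        state[(log["address"], operator)] = _decode_word("bool", _hex(log["data"]))
    return sorted(k for k, approved in state.items() if approved)


def revoke_calldata(operator):
    """Calldata for setApprovalForAll(operator, false); send it to the NFT contract."""
    return "0xa22cb465" + _encode_word("address", operator) + _encode_word("bool", 0)


def demo():
    """Constructed scenario: phishing prompt, then a log history with one stale approval."""
    attacker, market = "0x" + "a" * 40, "0x" + "b" * 40
    victim, nft = "0x" + "c" * 40, "0x" + "d" * 40
    phishing_tx = {"to": nft, "data": "0xa22cb465" + _encode_word("address", attacker)
                   + _encode_word("bool", 1)}

    def approval_log(block, index, operator, approved):
        return {"address": nft, "block": block, "index": index,
                "topics": [APPROVAL_FOR_ALL_TOPIC, "0x" + _encode_word("address", victim),
                           "0x" + _encode_word("address", operator)],
                "data": "0x" + _encode_word("bool", approved)}

    logs = [approval_log(100, 0, attacker, 1),   # victim signed the phishing prompt
            approval_log(101, 0, market, 1),     # legitimate marketplace listing
            approval_log(102, 3, attacker, 0)]   # victim revoked the attacker
    return {"prompt": assess_request(phishing_tx),
            "outstanding": outstanding_operators(logs, victim),
            "revoke_market": revoke_calldata(market)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

A real approval checker obtains the logs from a node or indexer (eth_getLogs filtered on the ApprovalForAll topic and the owner address) and the wallet shows the decoded request; the replay and decoding logic is the same as above.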
As pioneering as blockchain tech may be, the aspect of protecting user assets is still lagging behind, so investors need to be extra cautious with everything.
Update 15 April: A spokesperson from Rarible has sent Bleeping Computer the following statement:
Having thoroughly analyzed the report provided by Check Point, our team has come to the conclusion that the identified vulnerability does not directly affect Rarible.com users, their wallets and their data.
The vulnerability could potentially affect users only in case they deliberately leave Rarible.com for a third-party resource with malicious content, and consciously sign suggested transactions with their wallets. Simply clicking the link is not enough, and user interaction and confirmation for transactions are required.
Despite the fact that Rarible.com users and their funds are not directly affected by the vulnerability, our team is working on enhancing user security even on third-party resources. Rarible has been working closely with multiple cyber security teams including ChainSecurity to proactively ensure a safe experience for the NFT community.
We encourage users to stay vigilant, and pay attention to the websites they visit and transactions they sign to stay safe.