
Researchers find security flaw in Rarible: Users could have lost all their NFTs


Check Point’s research arm said it discovered a flaw in the Rarible NFT marketplace that could have resulted in many of the marketplace’s roughly two million active monthly customers losing their NFTs in a single transaction.

Check Point, a global IT security business based in Ramat Gan, Israel, claimed in October 2021 to have discovered issues with malicious airdrops on OpenSea.

Check Point Research (CPR) recently uncovered that malicious actors might email users a suspicious link to an NFT that, when clicked, executes JavaScript code and “attempts to make a setApprovalForAll request to the victim,” according to CPR’s report. setApprovalForAll is the standard ERC-721/ERC-1155 call by which a token owner authorises an operator to transfer every token they hold in that contract, which is why a single signed approval is enough to empty a collection.

When the user clicks the link, they give Rarible complete access to their wallets. According to CPR, it alerted Rarible on April 5, and the platform quickly acknowledged and fixed the security flaw:

“A threat actor may have used the vulnerability to steal a user’s NFTs and cryptocurrency wallets in a single transaction if it had been abused. A successful assault would have come via a malicious NFT on Rarible’s marketplace, where consumers are less sceptical and comfortable with transaction submission.”

Rarible swiftly recognised the security problem

Oded Vanunu, Check Point Software’s Head of Products Vulnerabilities Research, said his team became interested in this type of fraud after Taiwanese star Jay Chou was the victim of one. Chou’s BoredApe #3738 NFT card was swiped in a shady transaction earlier this month.

“Seeing that this NFT had been stolen piqued our interest, so we decided to look into it more.” Vanunu believes that a similar flaw could exist on a variety of other platforms.

“Rarible swiftly recognised the security problem and resolved it by disabling the SVG file upload option. The harmful NFT attack option was disabled as a result of this,” Vanunu said.
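Rarible’s fix was to switch SVG uploads off entirely. As an added illustration (this is not Rarible’s or Check Point’s code), the check below shows the narrower gate a marketplace could put in front of an SVG upload if it wanted to keep the format: it walks the document and rejects anything that carries active content, such as `<script>` elements, `on*` event-handler attributes, or `javascript:` URIs. Element and attribute names are the standard SVG/HTML ones; the sample inputs are constructed for the example. The standard-library parser is used so the block runs without extra packages; for untrusted uploads in production you would parse with `defusedxml` to rule out entity-expansion attacks.

```python
# Added example, not Rarible's code: refuse SVG uploads that carry active content.
# Parsed with the stdlib ElementTree so it runs stand-alone; use defusedxml for
# real untrusted input (XML entity expansion is out of scope here).
import xml.etree.ElementTree as ET

# Elements that execute or embed code when an SVG is rendered inline in a page.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# Attributes whose value is a URI and may therefore carry a javascript: scheme.
URI_ATTRIBUTES = {"href", "src", "data"}


def _local(name: str) -> str:
    """Strip an ElementTree namespace prefix: '{ns}tag' -> 'tag' (lower-cased)."""
    return name.rsplit("}", 1)[-1].lower()


def find_active_content(svg_text: str) -> list[str]:
    """Return the reasons an SVG is unsafe to render; an empty list means clean."""
    findings = []
    root = ET.fromstring(svg_text)
    for element in root.iter():
        tag = _local(element.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in element.attrib.items():
            name = _local(attr)
            if name.startswith("on"):  # onload, onclick, onerror, ...
                findings.append(f"{name} handler on <{tag}>")
            elif name in URI_ATTRIBUTES:
                # Browsers ignore whitespace inside the scheme, so drop it before matching.
                scheme = "".join(value.split()).lower().split(":", 1)[0]
                if scheme == "javascript":
                    findings.append(f"javascript: URI in {name} on <{tag}>")
    return findings


def accept_upload(svg_text: str) -> bool:
    """Gate for the upload handler: True only if the SVG parses and has no active content."""
    try:
        return not find_active_content(svg_text)
    except ET.ParseError:
        return False  # malformed XML is rejected rather than guessed at


if __name__ == "__main__":
    # Constructed sample: a script element plus an inline event handler.
    sample = ('<svg xmlns="http://www.w3.org/2000/svg">'
              '<script>/* constructed placeholder */</script>'
              '<rect width="1" height="1" onclick="x()"/></svg>')
    print(find_active_content(sample))
    print(accept_upload(sample))
```

This is a denylist, and denylists miss things; an allowlist of permitted elements and attributes is the safer shape for a production filter, and disabling the format, as Rarible did, removes the question altogether.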

Vanunu refused to speculate on how much money could have been lost as a result of the security weakness, claiming that it could have “triggered on any user on the site.” A similar attack on DeFiance Capital founder Arthur0x’s single wallet last month resulted in a loss of around 600 Ether ($1.86 million).

In times of uncertainty, CPR advised users to be cautious when approving requests on NFT platforms, and to double-check everything using Etherscan’s request tracker.
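The check CPR recommends, reading what a transaction actually asks for before approving it, can be done on the raw calldata rather than by eye. The block below is an added example (not Check Point’s, Rarible’s or Etherscan’s code): it decodes the calldata of a pending request, recognises the two standard approval calls, and flags `setApprovalForAll(operator, true)`, which is the call the article describes and which grants an operator control over every token the signer holds in that contract. The function selectors are the first four bytes of keccak256 over each signature and are hardcoded; the sample calldata is constructed for the example.

```python
# Added example: decode a transaction request's calldata and flag blanket approvals.
# Selectors are keccak256(signature)[:4], hardcoded so no keccak library is needed.
SELECTORS = {
    "a22cb465": "setApprovalForAll(address,bool)",  # ERC-721 and ERC-1155
    "095ea7b3": "approve(address,uint256)",         # ERC-20 amount / ERC-721 token id
}


def _word(data: bytes, index: int) -> bytes:
    """Return the 32-byte ABI word for argument `index` (words start after the selector)."""
    start = 4 + 32 * index
    word = data[start:start + 32]
    if len(word) != 32:
        raise ValueError(f"calldata truncated at argument {index}")
    return word


def _address(word: bytes) -> str:
    """An ABI-encoded address is the low 20 bytes of a zero-padded 32-byte word."""
    if any(word[:12]):
        raise ValueError("address word has non-zero padding")
    return "0x" + word[12:].hex()


def decode_approval(calldata_hex: str) -> dict:
    """Classify calldata; returns the decoded arguments plus a plain-language risk note."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) < 4:
        raise ValueError("calldata too short to contain a selector")
    selector = data[:4].hex()
    signature = SELECTORS.get(selector)
    if signature is None:
        return {"selector": selector, "function": None,
                "risk": "not a known approval call; decode it against the contract ABI"}

    operator = _address(_word(data, 0))
    if signature.startswith("setApprovalForAll"):
        approved = int.from_bytes(_word(data, 1), "big") != 0
        risk = ("HIGH: operator gains control of EVERY token you hold in this contract"
                if approved else "revokes an operator")
        return {"selector": selector, "function": signature,
                "operator": operator, "approved": approved, "risk": risk}

    # approve(address,uint256): one ERC-721 token id, or an ERC-20 allowance amount.
    value = int.from_bytes(_word(data, 1), "big")
    return {"selector": selector, "function": signature, "spender": operator,
            "value": value, "risk": "MEDIUM: spender may move the stated token / amount"}


if __name__ == "__main__":
    # Constructed sample: approve operator 0xabab...ab for all tokens (approved = true).
    sample = "0xa22cb465" + "00" * 12 + "ab" * 20 + "00" * 31 + "01"
    print(decode_approval(sample))
```

The decoder only tells you what the request does; whether the operator address is one you trust still has to be checked against the contract you expected to interact with, which is the step the article says most users skip when a marketplace they already use presents the prompt.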
