Cyber security software firm Check Point Research (CPR) has identified a vulnerability in NFT marketplace Rarible that could have seen any of its 2 million monthly users lose their NFTs in a single transaction.
Attackers Could Have Gained Full Access
CPR has previously identified exploits, among them the infamous hack of OpenSea in October 2021. According to CPR:
CPR identified a security flaw in Rarible, the NFT marketplace with over two million active users. If exploited, the vulnerability would have enabled a threat actor to steal a user’s NFTs and crypto tokens in a single transaction. CPR immediately disclosed findings to Rarible, who acknowledged the security flaw. CPR’s revelations mark the second time that their researchers discovered security flaws in an NFT marketplace. In October 2021, CPR found security issues in OpenSea, the world’s largest NFT marketplace.
Check Point Research
According to CPR, the exploit would have occurred when a malicious NFT within Rarible’s marketplace itself, where users are less suspicious and familiar with submitting transactions, and the exploit would have begun with the victim receiving a link to a malicious NFT who then clicks on it.
Attack Methodology
CPR has provided outlines of the attack methodology:
- Victims receive a link to the malicious NFT or browse the marketplace and click on it.
- The malicious NFT executes JavaScript code and attempts to send a setApprovalForAll request to the victim.
- The victim submits the request and grants full access to the NFTs/crypto tokens to the attacker.
CPR immediately disclosed the findings to Rarible, which has since acknowledged the security flaw and taken action against the attack.
NFT Thefts Rampant
Earlier this year, Crypto News Australia reported a flaw on multibillion-dollar GameFi company Illuvium that caused it to drain its liquidity pools. Had it not done so, the flaw could have ended in billions of dollars lost due to the flaw.
Disclaimer:
The content and views expressed in the articles are those of the original authors own and are not necessarily the views of Crypto News. We do actively check all our content for accuracy to help protect our readers. This article content and links to external third-parties is included for information and entertainment purposes. It is not financial advice. Please do your own research before participating.
Credit: Source link