
    Cyber Security Firm Discovers Critical Flaw in NFT Marketplace

    Check Point, an American-Israeli multinational providing hardware and software products for IT security, has identified a security vulnerability in Rarible, a popular NFT marketplace with over 2 million monthly users.

    Security flaw in Rarible

    In a blog post, Check Point Research (CPR), the company's research arm, stated that the flaw, if exploited, would have allowed a malicious actor to siphon off a user’s NFTs and the contents of their cryptocurrency wallet in a single transaction.

    Rarible is a well-established marketplace in the NFT sector, with a total trading volume of $273 million in 2021. Because of this familiarity, CPR noted that platform users are “less suspicious and familiar with submitting transactions.” Researchers at the firm alerted Rarible to the discovery on April 5th, after which the NFT platform acknowledged the flaw and fixed it immediately.

    CPR provided a detailed explanation of the attack technique.

    “Victim receives a link to the malicious NFT or browses the marketplace and clicks on it. Malicious NFT executes JavaScript and attempts to send a setApprovalForAll to the victim. Victim submits the request and grants full access to this NFT’s/Crypto Token to the attacker.”
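    A wallet-side check of the kind that would catch the request described above, as an added example that is not from Check Point's write-up or Rarible's code: it decodes the pending transaction's calldata and flags a setApprovalForAll(operator, true) request, and also an unlimited ERC-20 approve, before the user signs. The contract and operator addresses and the sample calldata are constructed; the two function selectors are the standard ERC-721/ERC-1155 and ERC-20 ones.

```javascript
const SELECTORS = {
  a22cb465: "setApprovalForAll(address,bool)", // ERC-721 / ERC-1155
  "095ea7b3": "approve(address,uint256)",      // ERC-20
};
const MAX_UINT256 = (1n << 256n) - 1n;

// Constructed sample: calldata asking the wallet to make 0xabab... operator for every token.
const SAMPLE_APPROVE_ALL = {
  to: "0x" + "11".repeat(20), // constructed NFT contract address
  data: "0xa22cb465" + "0".repeat(24) + "ab".repeat(20) + "0".repeat(63) + "1",
};

// Split hex calldata into the 4-byte selector and 32-byte ABI words.
function splitCalldata(data) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  if (hex.length < 8 || !/^[0-9a-f]+$/.test(hex)) return null;
  const body = hex.slice(8);
  if (body.length % 64 !== 0) return null;
  const words = [];
  for (let i = 0; i < body.length; i += 64) words.push(body.slice(i, i + 64));
  return { selector: hex.slice(0, 8), words };
}

// Classify a transaction request ({to, data}) before the user signs it.
function inspectTransaction(tx) {
  const parsed = tx.data ? splitCalldata(tx.data) : null;
  if (!parsed || !(parsed.selector in SELECTORS)) {
    return { risky: false, reason: "no blanket approval detected" };
  }
  const fn = SELECTORS[parsed.selector];
  // Fail closed: an approval selector with the wrong argument shape is not trusted.
  if (parsed.words.length !== 2) return { risky: true, fn, reason: "malformed " + fn };
  const operator = "0x" + parsed.words[0].slice(24); // address = low 20 bytes of the word
  if (fn.startsWith("setApprovalForAll")) {
    if (BigInt("0x" + parsed.words[1]) !== 0n) {
      return { risky: true, fn, contract: tx.to, operator,
        reason: "grants " + operator + " control of every token you hold in " + tx.to };
    }
    return { risky: false, reason: "revokes operator " + operator };
  }
  const amount = BigInt("0x" + parsed.words[1]);
  if (amount === MAX_UINT256) {
    return { risky: true, fn, contract: tx.to, operator,
      reason: "unlimited ERC-20 allowance for " + operator };
  }
  return { risky: false, reason: "bounded allowance of " + amount.toString() };
}

console.log(inspectTransaction(SAMPLE_APPROVE_ALL));
```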

    CPR first took an interest in these cases after Jay Chou, a Taiwanese musician, became the victim of a cyber attack. Reportedly, attackers stole Chou’s NFT and later sold it for $500k.

    Interestingly, the firm also detected critical security vulnerabilities on OpenSea last October, which could have potentially enabled attackers to “hijack user accounts and steal entire cryptocurrency wallets by crafting malicious NFTs.”

    Users were also advised to be cautious when reviewing transaction requests, and to refuse to authorize any request that appears unusual or suspicious.

    Rampant Attacks on NFT Markets

    The development comes a little over a month after Arbitrum-based NFT marketplace TreasureDAO saw hundreds of NFTs stolen in an exploit carried out over a series of transactions. The attackers exploited a security flaw in the protocol to create non-fungible tokens free of charge.

    OpenSea’s front-end was also exploited at the beginning of the year, in an attack that targeted Bored Ape Yacht Club (BAYC) holders. The perpetrator was able to steal approximately $750K of ETH, as reported earlier.
