Earlier this month, Check Point Research alerted NFT marketplace Rarible.com to a major security flaw on the platform. The research team then worked closely with Rarible.com to deploy an immediate fix. Had it been exploited, this could have been a major heist, as a threat actor could steal a user’s NFTs and crypto tokens in a single transaction.
Malicious NFTs Hiding in Plain Sight
Earlier this month, Taiwanese singer-songwriter and producer Jay Chou had his Bored Ape and other NFTs swept away in an NFT heist. This motivated Check Point Research (CPR) to look for similar threats hiding in plain sight. Fortunately, the team discovered the malicious NFTs on Rarible.com before they could be exploited. Such threats are worse than phishing attacks, as users usually lower their guard on trusted marketplaces such as Rarible.com.
According to CPR, NFTs follow the EIP-721 token standard, which provides the basic functions for tracking and transferring NFTs. The standard also includes a function called ‘setApprovalForAll’, which lets a third party such as Rarible.com or OpenSea transfer every token the user owns in that collection on the user’s behalf. As users typically do not read the details when they sign a transaction, they could easily sign away all their assets to the hacker.
Check Point Research created a simple SVG file to demonstrate how easily an attack can be sneaked onto the platform. When a user clicks on the art and opens it in another tab, or presses the IPFS link in the drop-down, the JavaScript embedded in the file is executed. Once the hacker has gained that access to the account, he can simply call the ‘transferFrom’ function to wipe the account clean.
Official Response by Rarible.com
After the event, the Rarible team released an official statement. It mentions that the identified vulnerability does not directly affect Rarible.com users, their wallets or their data. Instead, the vulnerability only affects users if they deliberately leave Rarible.com for a third-party resource with malicious content and consciously sign suggested transactions with their wallets. Simply clicking the link is not enough; the exploit requires user interaction and confirmation of transactions.
Since then, the team has been working closely with multiple cyber security teams, including ChainSecurity, to proactively ensure a safe experience for their community.
Check Point Research Safety Tips
CPR is a research team that provides leading cyber threat intelligence to its clients and to the crypto community in general. In essence, they collect and analyze global cyber attack data stored on ThreatCloud. CPR will continue to discover new cyber threats and develop the threat intelligence community to protect the entire industry.
After this recent discovery, the company strongly recommends the following precautions. Firstly, users should always be careful and alert whenever they receive a request to sign a transaction. This applies to any marketplace or crypto exchange. Before signing anything, users need to review the request and determine whether it could be malicious.
It can be tempting to quickly sign a request when you’re in the middle of a gas war. Nevertheless, users should reject a request at the slightest suspicion, and accept only after adequate examination. Lastly, the Ethereum Token Approval facility allows users to review and revoke past token approvals to secure their accounts.
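The two steps the advice above turns on, reading what a signing request actually does before confirming it and revoking a blanket ‘setApprovalForAll’ afterwards, are concrete enough to show in code. The following is an added example written for this article; it is not code from Check Point Research, Rarible or any wallet. It decodes the calldata of the standard ERC-721 functions named in the article (the four selectors are the real ones from the EIP-721 signatures), returns a plain verdict on what signing would grant, and builds the revocation transaction that approval-checker tools submit. The wallet and operator addresses, and the trusted-operator list, are constructed for the demo.

```javascript
// Added example (not from the CPR write-up or Rarible): a dependency-free
// inspector for the ERC-721 calls a wallet pops up for signing. The selectors
// are the standard ERC-721 ones (first 4 bytes of keccak256 of the signature);
// every address used below is constructed for the demo.
const SELECTORS = {
  "a22cb465": { name: "setApprovalForAll", types: ["address", "bool"] },
  "095ea7b3": { name: "approve", types: ["address", "uint256"] },
  "23b872dd": { name: "transferFrom", types: ["address", "address", "uint256"] },
  "42842e0e": { name: "safeTransferFrom", types: ["address", "address", "uint256"] },
};

// ABI-encode one static argument as a 32-byte (64 hex char) word.
function encodeWord(type, value) {
  if (type === "address") return value.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  if (type === "bool") return (value ? "1" : "0").padStart(64, "0");
  if (type === "uint256") return BigInt(value).toString(16).padStart(64, "0");
  throw new Error("unsupported type " + type);
}

// Decode one 32-byte word back into a JS value (addresses come out lowercase).
function decodeWord(type, w) {
  if (type === "address") return "0x" + w.slice(24);
  if (type === "bool") return BigInt("0x" + w) !== 0n;
  if (type === "uint256") return BigInt("0x" + w);
  throw new Error("unsupported type " + type);
}

// Build calldata for a named ERC-721 call. Used here to construct sample
// requests and to build the revocation transaction.
function encodeCall(name, args) {
  const entry = Object.entries(SELECTORS).find(([, v]) => v.name === name);
  if (!entry) throw new Error("unknown function " + name);
  const [selector, { types }] = entry;
  return "0x" + selector + types.map((t, i) => encodeWord(t, args[i])).join("");
}

// Decode hex calldata into { name, args }; null for anything that is not one
// of the four calls above or whose length does not match the signature.
function decodeCalldata(data) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  const entry = SELECTORS[hex.slice(0, 8)];
  if (!entry || hex.length !== 8 + 64 * entry.types.length) return null;
  const args = entry.types.map((t, i) => decodeWord(t, hex.slice(8 + 64 * i, 72 + 64 * i)));
  return { name: entry.name, args };
}

// Review a pending request. `wallet` is the signer's own address and
// `trustedOperators` the marketplace contracts the user knowingly uses.
function reviewRequest(data, { wallet, trustedOperators = [] }) {
  const call = decodeCalldata(data);
  if (!call) return { verdict: "reject", reason: "unrecognised or malformed calldata; do not sign blind" };
  const me = wallet.toLowerCase();
  const trusted = trustedOperators.map((a) => a.toLowerCase());
  const [a0, a1, a2] = call.args;
  switch (call.name) {
    case "setApprovalForAll":
      if (!a1) return { verdict: "ok", reason: `revokes ${a0} as operator` };
      return trusted.includes(a0)
        ? { verdict: "caution", reason: `gives known marketplace ${a0} transfer rights over ALL your tokens in this collection` }
        : { verdict: "reject", reason: `gives unknown operator ${a0} transfer rights over ALL your tokens in this collection` };
    case "approve":
      return { verdict: trusted.includes(a0) ? "caution" : "reject", reason: `lets ${a0} transfer token #${a1}` };
    default: // transferFrom / safeTransferFrom
      if (a0 === me && a1 !== me) return { verdict: "caution", reason: `moves token #${a2} out of your wallet to ${a1}` };
      return { verdict: "ok", reason: `does not move token #${a2} out of your wallet` };
  }
}

// The transaction a user submits to undo a past blanket approval: the same
// function with approved = false, which is what approval-revocation tools send.
function revokeOperatorCalldata(operator) {
  return encodeCall("setApprovalForAll", [operator, false]);
}

// Constructed demo: an approval request from an unknown operator, then its revocation.
const WALLET = "0x" + "aa".repeat(20);
const UNKNOWN_OPERATOR = "0x" + "bb".repeat(20);
const request = encodeCall("setApprovalForAll", [UNKNOWN_OPERATOR, true]);
console.log(reviewRequest(request, { wallet: WALLET }));
console.log(reviewRequest(revokeOperatorCalldata(UNKNOWN_OPERATOR), { wallet: WALLET }));
```

The point the decoder makes visible is the one the article describes: a single ‘setApprovalForAll’ with the flag set to true is not a per-item permission but a grant over every token the signer holds in that contract, which is why the verdict treats it differently from ‘approve’ or a one-off ‘transferFrom’. The same function with the flag cleared is the revocation, so reviewing past approvals and sending that call is how an account is cleaned up after the fact.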
All investment/financial opinions expressed by NFTevening.com are not recommendations.
This article is educational material.
As always, make your own research prior to making any kind of investment.