Rarible vulnerability could have allowed theft of all NFTs from a user's wallet

Security researchers at Check Point Research (CPR) discovered a vulnerability in the NFT marketplace Rarible. The exploit would have allowed an attacker to drain all assets from the wallet of any of the platform’s two million users in a single transaction.

A successful attack could be carried out using a malicious NFT hosted on the platform itself. In that setting, the experts noted, users would be less suspicious, because they are already familiar with the routine of confirming transactions on the marketplace.

CPR described the probable methodology of the attack as follows:

  • The victim receives a link to a token containing a script or clicks it while browsing the marketplace;
  • The JavaScript code being executed prompts the user’s wallet to sign a setApprovalForAll transaction;
  • The victim approves it and grants the attacker full access to their assets.
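The third step only succeeds because a single setApprovalForAll signature hands an operator control over every token in a collection. The following is an added example (not CPR’s or Rarible’s code) of a wallet-side check that decodes a pending transaction request and flags that pattern before the user confirms it; the function selectors are the real ERC-721/ERC-20 ones, while the contract and operator addresses are constructed placeholders.

```javascript
// Added example: inspect a pending wallet transaction request and flag a blanket
// approval (setApprovalForAll) granted to an operator outside an allow-list.
// A selector is the first 4 bytes of keccak256 of the canonical function signature.
const SELECTORS = {
  "0xa22cb465": "setApprovalForAll(address,bool)", // ERC-721 / ERC-1155
  "0x095ea7b3": "approve(address,uint256)",        // ERC-20 / ERC-721 single token
};

// Return the 32-byte ABI word at a 0-based index from "0x"-prefixed hex calldata.
function word(data, index) {
  const start = 10 + index * 64; // skip "0x" plus the 8-hex-char selector
  const w = data.slice(start, start + 64);
  if (w.length !== 64) throw new Error("calldata too short");
  return w;
}

// Classify a request as the wallet sees it: { to, data } plus the operators
// the user has chosen to trust (e.g. the marketplace's own exchange contract).
function classifyRequest(tx, trustedOperators) {
  const data = (tx.data || "0x").toLowerCase();
  if (data.length < 10) return { kind: "transfer_or_empty", risk: "low" };
  const selector = data.slice(0, 10);
  const sig = SELECTORS[selector];
  if (sig === undefined) return { kind: "unknown", selector, risk: "review" };
  // Addresses are right-aligned in their 32-byte word: the last 40 hex chars.
  const operator = "0x" + word(data, 0).slice(24);
  const trusted = trustedOperators.map((a) => a.toLowerCase()).includes(operator);
  if (sig.startsWith("setApprovalForAll")) {
    const approved = BigInt("0x" + word(data, 1)) !== 0n;
    // Approving an unknown operator is what lets one signature drain the collection.
    return { kind: "setApprovalForAll", operator, approved,
             risk: approved && !trusted ? "high" : "low" };
  }
  return { kind: "approve", operator, risk: trusted ? "low" : "medium" };
}

// Constructed sample request: setApprovalForAll(0x1111...1111, true).
// Both addresses below are placeholders, not real contracts.
const SAMPLE_TX = {
  to: "0xCOLLECTION_CONTRACT_PLACEHOLDER",
  data: "0xa22cb465" +
    "000000000000000000000000" + "1111111111111111111111111111111111111111" +
    "0000000000000000000000000000000000000000000000000000000000000001",
};
const TRUSTED_OPERATORS = ["0x2222222222222222222222222222222222222222"];

console.log(classifyRequest(SAMPLE_TX, TRUSTED_OPERATORS)); // risk: "high"
```

A wallet or browser extension would surface the decoded operator address and the “high” classification to the user instead of the opaque hex blob the victim otherwise confirms.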

According to the experts, their motivation to test OpenSea’s security for such an attack was that they had already faced a similar incident. On April 1, the Taiwanese singer Jay Chou was tricked into confirming a transaction, after which his NFT Bored Ape #3738 was sold on the marketplace for $500,000.

CPR also drew on the results of their study of the OpenSea marketplace in October 2021, during which they uncovered critical vulnerabilities.

According to the blog, the company informed the Rarible team of its findings on April 5; the team “acknowledged the bug and fixed it”.

Nevertheless, experts advised users to be cautious when receiving requests even on the marketplace itself. If in doubt, they recommended rejecting such offers.

In January, a vulnerability was discovered in OpenSea’s listing function that allowed tokens to be purchased at a discounted price. One user alone, acting through the Rarible marketplace API, obtained 347 ETH through the manipulation.

Total losses amounted to 750 ETH, which OpenSea reimbursed to customers.
