Top NFT marketplace Rarible escapes exploit to a severe security flaw

Abeerah Hashim  - Associate Editor
Last updated: April 16, 2022
Share
Rarible security flaw
(Alamy)
  • A flaw in the Rarible marketplace could have exposed more than 2.1 million users to hackers.
  • The attackers could have stolen many assets belonging to the marketplace users through the vulnerability.
  • Users could’ve lost control of their wallets by clicking on a malicious NFT and signing away power to an attacker.

The increasing popularity of NFTs (non-fungible tokens) also comes with adverse effects as things stand. For instance, cybercriminals in the crypto space will do anything to exploit the latest cash cow. Moreover, since these NFTs platforms are also on the internet, developers and users should be meticulous to avoid compromise. Hackers are even more interested in discovering loopholes in these marketplaces to amass huge gains.

Recently, researchers discovered a terrible security flaw in the Rarible NFT marketplace that could’ve enabled hackers to steal users’ assets. Even though the team has successfully fixed the vulnerability, the exploits would have been massive otherwise.

Rarible design security loopholes 

Rarible is a marketplace that deals mainly in NFTs. The platform has more than 2.1 million users who regularly create, sell, and buy digital NFTs. Some products you can find on the marketplace include memes, photographs, and games. With many such users, any hack or attack could have resulted in a massive loss of assets. 

The setApprovalForAll API design would have helped compromise Rarible users. This feature enables Rarible to send all the sold items to a buyer’s address once the seller signs it according to the smart contract. According to security researchers, this function would enable an attacker to take control of a user’s NFT. Unfortunately, the victims might believe that the transaction is normal without knowing they’ve sold their rights to thieves.

So what the attackers would do is send the users a link to a fake NFT, which might be an image. Once their target opens the link, a JavaScript code will execute immediately, sending a “setApprovalForAll” request to the victims’ wallets. If the victim grants the request, the attacker will transfer NFTs out of their wallet and sell them on the platform.

Rarible still lacks security

According to a CheckPoint researcher, Vanunu, the marketplace still has a long way to go regarding its security. Even a tiny flaw in its design can enable attackers to take over users’ crypto wallets. Vanunu also emphasized that any marketplace using a part of Web3 protocols is not yet decisive regarding security. So any successful attack can result in devastating losses.

Therefore, users of the marketplace should always cross-check every transaction request before signing it. Also, they should never forget that many requests come with using NFT wallets. While most of them are the usual connection requests, some might lead to giving criminals control of the wallets.

So, anyone operating in the crypto space should be intentional when transacting with or on any platform. It’s worth noting that users can visit the Token Approval Checker tool of Etherscan to review and revoke previous token approvals. It is even better to use a reliable VPN for crypto transactions to stay safe. At its heart, the service will protect your activities from cybercriminals. It will mask your identity, location, and also your digital footprints.

Share this article

About the Author

Abeerah Hashim

Abeerah Hashim

Associate Editor

Abeerah is a passionate technology blogger and cybersecurity enthusiast. She yearns to know everything about the latest technology developments. Specifically, she’s crazy about the three C’s; computing, cybersecurity, and communication. When she is not writing, she’s reading about the tech world.

More from Abeerah Hashim

Comments

No comments.