The growing popularity of NFTs (non-fungible tokens) comes with adverse effects as things stand. Cybercriminals in the crypto space will do anything to exploit the latest cash cow, and since NFT platforms live on the internet, developers and users need to be meticulous to avoid compromise. Attackers are all the more interested in finding loopholes in these marketplaces because the gains can be huge.
Recently, researchers discovered a serious security flaw in the Rarible NFT marketplace that could have enabled attackers to steal users’ assets. The team has since fixed the vulnerability; had it not, the impact of exploitation could have been massive.
Rarible design security loopholes
Rarible is a marketplace that deals mainly in NFTs. The platform has over 2.1 million users who regularly create, sell, and buy digital NFTs. Products found on the marketplace include memes, photographs, and games. With so many users, any hack or attack could have resulted in a massive loss of assets.
The design of the setApprovalForAll API is what could have exposed Rarible users. This function lets Rarible transfer all of a seller’s sold items to the buyer’s address once the seller has signed the approval under the smart contract. According to the security researchers, the same function would let an attacker take control of a user’s NFTs, and victims might believe the transaction is routine without realizing they have signed their rights over to thieves.
An attacker would send the user a link to a fake NFT, typically an image. Once the target opens the link, embedded JavaScript executes immediately and sends a “setApprovalForAll” request to the victim’s wallet. If the victim grants the request, the attacker can transfer the NFTs out of the wallet and sell them on the platform.
Rarible still lacks security
According to Check Point researcher Vanunu, the marketplace still has a long way to go on security. Even a tiny design flaw can let attackers take over users’ crypto wallets. Vanunu also stressed that any marketplace relying on Web3 protocols is still unsettled when it comes to security, so a successful attack can result in devastating losses.
Therefore, marketplace users should always cross-check every transaction request before signing it. They should also remember that using NFT wallets involves many requests: most are routine connection requests, but some could hand criminals control of the wallet.
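The flow described above turns on the victim signing a setApprovalForAll request, and the advice to cross-check every request before signing is much easier to follow when the wallet decodes what it is actually being asked to approve. The following is an added example (not code from the article, Rarible or Check Point) of such a check in Python; the function selectors are the standard ERC-721/ERC-1155 ones, and every address and piece of calldata in it is constructed.

```python
# Added example, not code from the article or from Rarible: inspect the
# calldata of a pending wallet transaction and flag approval requests
# before the user signs them. The selectors are the standard first-4-bytes-
# of-keccak256 values for ERC-721/ERC-1155 functions; every address and
# piece of calldata below is constructed for illustration.

SELECTORS = {
    "a22cb465": "setApprovalForAll(address,bool)",
    "095ea7b3": "approve(address,uint256)",
}

def _word(data_hex, index):
    """Return the index-th 32-byte ABI word (hex) following the 4-byte selector."""
    start = 8 + 64 * index
    word = data_hex[start:start + 64]
    if len(word) != 64:
        raise ValueError("calldata too short for argument %d" % index)
    return word

def inspect_calldata(data):
    """Describe what signing this transaction would grant to a third party."""
    data_hex = data[2:] if data.startswith("0x") else data
    sig = SELECTORS.get(data_hex[:8].lower())
    if sig is None:
        return {"function": None, "risk": "unknown"}
    operator = "0x" + _word(data_hex, 0)[24:]      # address = low 20 bytes of word 0
    if sig.startswith("setApprovalForAll"):
        approved = int(_word(data_hex, 1), 16) != 0
        # approved=True hands the operator transfer rights over EVERY token in the
        # collection, which is exactly what the phishing flow above relies on.
        return {"function": sig, "operator": operator, "approved": approved,
                "risk": "critical" if approved else "none"}
    token_id = int(_word(data_hex, 1), 16)          # approve(): a single token only
    return {"function": sig, "operator": operator, "token_id": token_id, "risk": "high"}

def review(data, trusted_operators):
    """Wallet-side decision: block blanket approvals to unknown operators."""
    info = inspect_calldata(data)
    trusted = {t.lower() for t in trusted_operators}
    if info["risk"] == "critical":
        return "warn" if info["operator"].lower() in trusted else "block"
    if info["risk"] == "high":
        return "warn"
    return "allow" if info["risk"] == "none" else "review"

# Constructed sample: setApprovalForAll(0x1111...1111, true), i.e. a blanket approval.
SAMPLE_APPROVAL = ("0xa22cb465"
                   + "0" * 24 + "1" * 40
                   + "0" * 63 + "1")
```

`review(SAMPLE_APPROVAL, set())` returns "block" because the approval is blanket and the operator is not a known marketplace contract; a revocation (approved=false) passes as "allow".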
So anyone operating in crypto should be deliberate when transacting with or on any platform. Users can visit Etherscan’s Token Approval Checker tool to review and revoke previous token approvals. It is even better to use a reliable VPN for crypto transactions to stay safe: at its heart, the service protects your activity from cybercriminals by masking your identity, location, and digital footprint.