A new report from Check Point Research exposes a security flaw in the Rarible NFT (non-fungible token) marketplace. The flaw was reported to Rarible immediately; the company acknowledged it and deployed a fix.
Rarible is an online platform where users can create, buy or sell NFTs. It has more than 2 million registered users, and the company reported over $273 million trading volume in 2021, making it one of the biggest NFT marketplaces on the web.
The security flaw in Rarible
The Non-Fungible Token Standard, EIP-721, allows the implementation of a standard API for NFTs within smart contracts. The standard provides basic functionality to track and transfer NFTs.
One of the functions listed in the standard is called setApprovalForAll (Figure A).
Researchers from Check Point explained that “this function basically designates who is authorized to control all your tokens/NFTs, which is mainly created for third parties like Rarible/OpenSea, etc., to control the NFT/tokens on behalf of the users.”
That function hands control of all of a user’s NFTs in a collection to whichever address is named as the operator, so anyone can obtain that control if the user is tricked into signing a transaction that calls it. Because many users do not understand the technical details of NFTs, they may grant control over their tokens while believing they are simply confirming an ordinary transaction. Phishing attacks already exploit this by luring victims into what looks like a routine transaction that in fact hands their NFTs to the attacker. It gets worse when the request appears to come from the NFT marketplace itself.
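The risk described above is that the user signs a setApprovalForAll call without understanding it. The following added example (not code from the Check Point report or from Rarible) shows a wallet-side pre-signing check: it decodes the ABI calldata of a pending request, recognizes setApprovalForAll(address,bool) by its four-byte selector, and turns the raw hex into a plain-language description that distinguishes a revocation, an approval to an operator the user already trusts, and a blanket approval to an unknown address. The trusted-operator allowlist and all addresses are constructed placeholders.

```python
# Added example: decode and classify an ERC-721 setApprovalForAll(address,bool)
# signing request before the user confirms it. Not Rarible's or Check Point's code.

# First four bytes of keccak256("setApprovalForAll(address,bool)"), the ABI selector.
SET_APPROVAL_FOR_ALL_SELECTOR = "a22cb465"

# Hypothetical allowlist of operator contracts the user already trusts.
# The address below is a constructed placeholder, not a real marketplace contract.
TRUSTED_OPERATORS = {
    "0x1111111111111111111111111111111111111111": "example marketplace (placeholder)",
}


def _strip_hex(hex_string):
    s = hex_string.strip().lower()
    return s[2:] if s.startswith("0x") else s


def decode_set_approval_for_all(calldata_hex):
    """Return (operator, approved) when calldata is a well-formed
    setApprovalForAll(address,bool) call, or None for any other function."""
    data = _strip_hex(calldata_hex)
    if len(data) < 8 or data[:8] != SET_APPROVAL_FOR_ALL_SELECTOR:
        return None
    # ABI encoding: 4-byte selector followed by two 32-byte words.
    if len(data) != 8 + 64 + 64:
        raise ValueError("setApprovalForAll calldata has unexpected length")
    operator_word = data[8:72]
    approved_word = data[72:136]
    # An address occupies the low 20 bytes of its word; the high 12 must be zero.
    if operator_word[:24] != "0" * 24:
        raise ValueError("operator word is not a clean address")
    # A bool must encode as exactly 0 or 1; anything else is malformed.
    if approved_word not in ("0" * 64, "0" * 63 + "1"):
        raise ValueError("approved word is not a clean bool")
    return "0x" + operator_word[24:], approved_word.endswith("1")


def classify_request(calldata_hex):
    """Classify a signing request so a wallet can show the right warning.
    Returns 'other', 'revocation', 'approval_trusted' or 'approval_untrusted'."""
    decoded = decode_set_approval_for_all(calldata_hex)
    if decoded is None:
        return "other"
    operator, approved = decoded
    if not approved:
        return "revocation"          # setApprovalForAll(op, false) removes access
    if operator in TRUSTED_OPERATORS:
        return "approval_trusted"    # blanket access, but to a known operator
    return "approval_untrusted"      # blanket access to an unknown operator: warn


def describe_request(calldata_hex):
    """Plain-language text a wallet could show instead of raw hex."""
    kind = classify_request(calldata_hex)
    if kind == "other":
        return "Not an approval-for-all request."
    operator, _ = decode_set_approval_for_all(calldata_hex)
    name = TRUSTED_OPERATORS.get(operator, "an UNKNOWN operator")
    if kind == "revocation":
        return f"Revokes {operator}'s permission to move every token in this collection."
    return (f"Grants {name} ({operator}) permission to transfer EVERY token you own "
            f"in this collection, now and in the future.")


if __name__ == "__main__":
    # Constructed sample: blanket approval to an unknown placeholder operator 0x2222...
    sample = "0x" + SET_APPROVAL_FOR_ALL_SELECTOR + "0" * 24 + "22" * 20 + "0" * 63 + "1"
    print(classify_request(sample))
    print(describe_request(sample))
```

The decoder deliberately rejects padding bytes that are not zero rather than silently truncating them, so a crafted calldata blob cannot display as one operator while encoding another.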
The proof of concept for this NFT attack
That payload checks which NFTs the user holds, using the tokennfttx function of the Ethereum API. It then loops through all of the NFTs, sending a setApprovalForAll transaction request to the user’s wallet for each one (Figure B).
If the user clicks the confirmation button, they grant the attacker full access to all of their NFTs (Figure C).
The attacker can then transfer all of the NFTs to his or her own account.
Jay Chou had an NFT stolen by this attack
The same attack successfully targeted Jay Chou, a famous Taiwanese singer, who fell for the phishing and granted the attacker full access to his NFTs. Once access was granted, the attacker transferred one NFT to another wallet and later sold it on the marketplace for about $500,000.
The business impact of this NFT-stealing attack
There are many uses for NFTs within companies, and some companies have rushed into the NFT phenomenon. The main business use of NFTs is brand promotion by selling exclusive items to customers or fans. Some companies also give NFTs to their customers as gifts. Another branding use is building new communities in which members gain social standing from the number of NFTs they own.
NFTs can also serve as proof of attendance for events or trainings/certifications. Participants receive a unique token as proof that they actually attended.
These companies generally use popular NFT marketplaces to sell or manage their items (Figure D), which exposes them to the attack described in this article. Cybercriminals could target the company’s account in an attempt to make it grant full access to all its NFTs through the setApprovalForAll method described by Check Point, then transfer the tokens to other wallets before selling them.
How to protect your NFTs from this security threat
- NFTs and blockchains are complex for most users, and much of that complexity persists because users do not care how the technology actually works. That makes attacks easier and helps cybercriminals steal NFTs with a few social engineering techniques. Users should read and learn more about blockchains and NFTs so that they have enough knowledge to tell a scam from a legitimate request.
- Users should always carefully review any request they receive and consider whether it seems suspicious.
- If any doubt remains, users should reject the request or ask their cybersecurity department about it.
- Users should review their token approvals and revoke them when necessary.
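Reviewing approvals means working out which operators currently hold approval-for-all on your wallet. The ERC-721 standard emits an ApprovalForAll(owner, operator, approved) event every time the flag changes, so the current state can be reconstructed by replaying those events in block order. The added example below (not code from the Check Point report or from Rarible) does that over constructed sample logs in the shape an eth_getLogs response returns, lists the operators still approved for a given wallet, and builds the setApprovalForAll(operator, false) calldata that would revoke each one. The wallet, contract and operator addresses are placeholders; in practice the logs would be fetched from a node or block explorer, which is assumed rather than shown.

```python
# Added example: rebuild a wallet's current ERC-721 approval-for-all state from
# ApprovalForAll events and prepare revocation calldata. Logs are constructed.

# keccak256("ApprovalForAll(address,address,bool)"): topics[0] of the event.
APPROVAL_FOR_ALL_TOPIC = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"
# Four-byte selector of setApprovalForAll(address,bool).
SET_APPROVAL_FOR_ALL_SELECTOR = "a22cb465"

WALLET = "0x" + "aa" * 20  # constructed placeholder for the user's own address


def _topic(addr):
    """Left-pad a 20-byte address to the 32-byte word used for indexed topics."""
    return "0x" + "0" * 24 + addr[2:].lower()


# Constructed sample logs (subset of eth_getLogs fields). Deliberately out of
# order to show that replay must sort by (blockNumber, logIndex).
SAMPLE_LOGS = [
    {"blockNumber": 105, "logIndex": 0, "address": "0x" + "c1" * 20,   # user revokes
     "topics": [APPROVAL_FOR_ALL_TOPIC, _topic(WALLET), _topic("0x" + "11" * 20)],
     "data": "0x" + "0" * 64},
    {"blockNumber": 100, "logIndex": 0, "address": "0x" + "c1" * 20,   # legit approval
     "topics": [APPROVAL_FOR_ALL_TOPIC, _topic(WALLET), _topic("0x" + "11" * 20)],
     "data": "0x" + "0" * 63 + "1"},
    {"blockNumber": 100, "logIndex": 1, "address": "0x" + "c2" * 20,   # phished approval
     "topics": [APPROVAL_FOR_ALL_TOPIC, _topic(WALLET), _topic("0x" + "22" * 20)],
     "data": "0x" + "0" * 63 + "1"},
    {"blockNumber": 103, "logIndex": 0, "address": "0x" + "c3" * 20,   # someone else's
     "topics": [APPROVAL_FOR_ALL_TOPIC, _topic("0x" + "bb" * 20), _topic("0x" + "22" * 20)],
     "data": "0x" + "0" * 63 + "1"},
]


def parse_approval_for_all(log):
    """Return (owner, contract, operator, approved) or None if not an ApprovalForAll log."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0].lower() != APPROVAL_FOR_ALL_TOPIC:
        return None
    owner = "0x" + topics[1][-40:].lower()
    operator = "0x" + topics[2][-40:].lower()
    data = log["data"][2:].lower()
    if data not in ("0" * 64, "0" * 63 + "1"):
        raise ValueError("ApprovalForAll data word is not a clean bool")
    return owner, log["address"].lower(), operator, data.endswith("1")


def active_operators(logs, wallet):
    """Replay events in chain order; the last flag per (contract, operator) wins.
    Returns the sorted list of (contract, operator) pairs still approved."""
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        parsed = parse_approval_for_all(log)
        if parsed is None:
            continue
        owner, contract, operator, approved = parsed
        if owner != wallet.lower():
            continue
        state[(contract, operator)] = approved
    return sorted(pair for pair, approved in state.items() if approved)


def revoke_calldata(operator):
    """ABI-encode setApprovalForAll(operator, false)."""
    return "0x" + SET_APPROVAL_FOR_ALL_SELECTOR + "0" * 24 + operator[2:].lower() + "0" * 64


def revocation_plan(logs, wallet):
    """One transaction per remaining approval: sent to the NFT contract, not the operator."""
    return [{"to": contract, "data": revoke_calldata(operator)}
            for contract, operator in active_operators(logs, wallet)]


if __name__ == "__main__":
    for tx in revocation_plan(SAMPLE_LOGS, WALLET):
        print(tx)
```

Note that the revocation transaction goes to the NFT collection contract, with the operator as the argument; sending anything to the operator address itself does nothing. A wallet that has been phished should also expect the attacker to move tokens quickly, so revocation is damage limitation, not recovery.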
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.