Rarible NFT Marketplace flaw allowed attackers to steal crypto

Cyber-security researchers have disclosed a now-fixed vulnerability in the Rarible non-fungible token (NFT) marketplace that, if exploited, could have resulted in the takeover of a user's account and the theft of cryptocurrency.

Check Point researchers Roman Zaikin, Dikla Barda, and Oded Vanunu explained to Cybernari how an attacker can gain control of a victim's crypto wallet by tricking them into clicking on a malicious NFT.

Rarible, an NFT marketplace with more than 2.1 million active users, lets them buy and sell digital NFT artwork such as photographs, games and memes.

Vanunu, Check Point's head of product vulnerabilities research, said that the security gap between Web2 and Web3 infrastructure is still "huge."

"Cybercriminals can steal cryptocurrency wallets secretly by exploiting even the tiniest of security flaws. As far as security is concerned, we're still waiting for marketplaces that combine Web3 protocols. Following a crypto hack, the consequences can be dire."

Malicious actors can gain access to a victim's NFTs by sending them a link to a rogue NFT (for example, an image) that, when opened in a new tab, executes arbitrary JavaScript code, which lets the attacker take complete control of the victim's NFTs.

Rarible relies on the setApprovalForAll function to transfer sold items from the seller's address to the buyer's address, according to the logic of its smart contract.

The researchers said this function is dangerous by design, because whoever you are tricked into approving gains control over your NFTs.

"Signing a transaction does not always make it clear to users what rights they are granting. As a rule, the victim assumes that these transactions are normal, when in fact, they are handing over control of their own NFTs to the thief(s)."

The fraudulent scheme lets the adversary transfer all NFTs out of the victim's account and then sell them on the market at a higher price.

Before approving any kind of transaction, users should carefully review the transaction request. Etherscan's Token Approval Checker lets you see and revoke previously granted token approvals.
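The advice above (review what a signing request actually grants) and the setApprovalForAll discussion earlier come together in this added example, which is not code from the article, Check Point or Rarible: a pure-stdlib Python decoder for the calldata a wallet shows you, flagging an approval that hands an operator control of all your tokens versus one that only covers a single token id or revokes a previous grant. The function selectors are the standard ERC-721 ones; the operator address and calldata are constructed placeholders.

```python
# Added example (not the article's or Check Point's code): decode a wallet signing
# request so the rights it grants are explicit before the user signs it.
# Selectors are the first 4 bytes of keccak256 of the ERC-721 signature; they are
# hard-coded because the Python stdlib has no keccak-256.
ERC721_SELECTORS = {
    "a22cb465": ("setApprovalForAll", ("address", "bool")),
    "095ea7b3": ("approve", ("address", "uint256")),
    "23b872dd": ("transferFrom", ("address", "address", "uint256")),
}

def _word(data: bytes, i: int) -> bytes:
    """Return the i-th 32-byte ABI word after the 4-byte selector."""
    word = data[4 + 32 * i:4 + 32 * (i + 1)]
    if len(word) != 32:
        raise ValueError("calldata truncated")
    return word

def decode_call(calldata_hex: str) -> dict:
    """Decode selector and arguments; reject words with stray high bytes."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    name, types = ERC721_SELECTORS.get(data[:4].hex(), ("unknown", ()))
    args = []
    for i, t in enumerate(types):
        w = _word(data, i)
        if t == "address":
            if any(w[:12]):  # top 12 bytes of an address word must be zero
                raise ValueError("malformed address word")
            args.append("0x" + w[12:].hex())
        elif t == "bool":
            if any(w[:31]) or w[31] not in (0, 1):
                raise ValueError("malformed bool word")
            args.append(w[31] == 1)
        else:
            args.append(int.from_bytes(w, "big"))
    return {"function": name, "args": args}

def assess_risk(call: dict) -> str:
    """Say in plain words what signing this request grants."""
    fn, args = call["function"], call["args"]
    if fn == "setApprovalForAll" and args[1]:
        return f"HIGH: operator {args[0]} gains control of ALL your tokens in this contract"
    if fn == "setApprovalForAll":
        return f"revokes operator {args[0]} (safe)"
    if fn == "approve":
        return f"spender {args[0]} may transfer token id {args[1]} only"
    if fn == "unknown":
        return "UNKNOWN selector: do not sign blind"
    return "transfer call"

# Constructed sample: setApprovalForAll(<placeholder operator>, true)
OPERATOR = "0x" + "ab" * 20
SAMPLE = "0xa22cb465" + "00" * 12 + "ab" * 20 + "00" * 31 + "01"
```

Run `assess_risk(decode_call(SAMPLE))` to see the warning for the constructed request; a real wallet shows the same calldata as a hex string you can paste in.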

According to the researchers, NFT users should be aware that wallet requests differ: some only connect the wallet, while others grant access to their NFTs and tokens.


