Star loses $500,000 NFT after crooks exploit Rarible market

This isn't the moving-fast-and-breaking-things future we wanted

Miscreants exploited a now-fixed design flaw in the Rarible NFT marketplace to steal a non-fungible token from Taiwanese singer and actor Jay Chou and sell it for about $500,000.

That's according to folks at Check Point, who on Thursday said the vulnerability could have been abused by crooks to gain full control of victims' marketplace accounts and the funds in them. Earlier this month, Chou said his NFT was stolen in what looked like a phishing attack.

When researchers Roman Zaikin, Dikla Barda and Oded Vanunu investigated the security shortcoming, they found that fraudsters could lure users into clicking a link to a malicious NFT, enabling them to take control of their marks' Rarible accounts using a standard called EIP-721.

This standard is normally used to track and transfer NFTs, and includes a function called setApprovalForAll. That function authorizes who can control a user's tokens and was created primarily to enable third parties like Rarible and OpenSea to control tokens on behalf of the users, according to Check Point.

"This function is very dangerous by design because this may allow anyone to control your NFTs if you get tricked into signing it," the researcher trio said. "It's not always clear to users exactly what permissions they are giving by signing a transaction. Most of the time, the victim assumes these are regular transactions when in fact, they were giving control over their own NFTs."

Attackers tend to use these types of transactions in phishing attacks, but they become more dangerous when an NFT marketplace is involved. The threat hunters noted that Rarible lets anyone create and sell art, which can be any file with a PNG, GIF, SVG, MP4, WEBM or MP3 extension up to a maximum size of 100MB.

So they created an SVG file containing a simple payload. If anyone clicked on the art and opened it in another tab, or followed the IPFS link, the embedded JavaScript would execute.

It's an easy lure because what's "so great about [a] wallet transaction is it doesn't have to run under the same domain, so we don't need any private information such as cookies or sessions," they wrote. "All the victim needs is a wallet and the attacker will use the JSON-RPC to abuse it."

The Check Point payload enumerated the NFTs the victim held using the Ethereum API tokennfttx, and then sent a setApprovalForAll transaction request to the user's wallet. By clicking the "confirm" button, the user gives the attacker full access to all of the NFTs under the contract specified by the attacker.

The attacker can then transfer all of the NFTs under the contract to their own account by using the transferFrom function on the contract because the victim has unwittingly allowed it.

Check Point alerted Rarible to the vulnerability and worked with the marketplace to create a fix. A spokesperson for Rarible was not available for immediate comment.

Easy pickings in nascent market

The flaw put a focus on how vulnerable the relatively nascent NFT and cryptocurrency sectors are to bad actors seeking a quick payday and the need for security measures to harden, according to the Check Point team.

"Blockchain innovation is fast underway and NFTs are here to stay," they wrote. "Given the sheer pace of innovation, there is an inherent challenge in securely integrating software applications and crypto markets. Threat actors know they have an open window right now to take advantage of, with consumer adoption spiking, while security measures in this space still need to catch up."

They said cybersecurity professionals need to develop new ways to better secure blockchain technologies to secure people's cryptocurrency assets.

The threat is out there. In February, 17 users of the OpenSea NFT marketplace were scammed out of $1.7 million in a phishing attack that allowed hackers to steal hundreds of NFTs. Another 15 users interacted with the attackers but didn't lose tokens.

Nick Donarski, founder and CTO of blockchain company ORE System, wrote in a column last month about the security issues surrounding NFTs.

"Each NFT comes integrated with a unique signature to verify its authenticity and uniqueness, as well as its chain of ownership, meaning that these assets (much like the cryptocurrencies they are bought with) are noninterchangeable," Donarski wrote. "However, no technology is inherently secure or infallible. Because NFTs are still a relatively new innovation, there are a number of risks associated with their creation, use, and trade."

The sheer demand for NFTs also makes them an attractive target. According to Check Point, Rarible has more than 2.1 million users and saw more than $273 million worth of NFTs traded in 2021. The marketplace also supports three blockchains with more than 400,000 NFTs minted. NFT creators also can earn up to 50 percent in royalties when someone resells their NFT on the secondary market.

The popularity of NFTs and cryptocurrency is being driven by non-technical people, "so even if the underlying technology is reasonably secure, threat actors can still fall back to phishing or social engineering to exploit their victims," Mike Parkin, senior technical engineer at Vulcan Cyber, told The Register.

Karl Steinkamp, director at cybersecurity advisory Coalfire, told The Register that companies in the digital assets space need to find a balance between fast innovation and security. Ethereum-based blockchains and technologies, like NFTs, tend to move swiftly and "often break stuff along the way," he said.

"On the other hand, we have bitcoin, that while it does innovate, it does so glacially and intentionally very slow," Steinkamp said. "Due to its upgrade processes, bitcoin is far more stable and resistant to attacks than other crypto assets."

Users need to be careful when receiving requests to sign any link within Rarible or other marketplaces, according to Check Point. Before approving any request, they need to understand what is being requested and whether the request seems suspicious.

If there are doubts, the user should reject the request. They can also use a token approval checker site to review and revoke token approvals. ®
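The advice above (understand a signing request before confirming it, then review and revoke approvals) can be mechanised. The following is an added example written for this article; it is not code from Check Point, Rarible or The Register. It decodes a pending wallet request, flags a setApprovalForAll(operator, true) call as a grant of every token in the collection, reduces a history of ApprovalForAll events to the operators that are still approved, and builds the calldata that revokes an unwanted one. The only protocol constant it relies on is the standard ERC-721 selector for setApprovalForAll(address,bool); all addresses, the allowlist and the event history are constructed placeholders.

```javascript
// Added example (not from the article, Check Point or Rarible): a pre-signing
// inspector and approval checker for the ERC-721 setApprovalForAll call.
// Every address below is a constructed placeholder.

// First 4 bytes of keccak256("setApprovalForAll(address,bool)"): the standard
// ERC-721 selector for this function.
const SET_APPROVAL_FOR_ALL_SELECTOR = "a22cb465";

// Operators the user has deliberately authorised (hypothetical allowlist; a
// real checker would let the user maintain this, e.g. a marketplace's known
// transfer-proxy contract).
const TRUSTED_OPERATORS = new Set([
  "0x1111111111111111111111111111111111111111",
]);

const strip0x = (hex) => (hex.startsWith("0x") ? hex.slice(2) : hex);

// Decode calldata for setApprovalForAll(address operator, bool approved).
// Returns { operator, approved }, or null when the data is not that call.
function decodeSetApprovalForAll(calldata) {
  const data = strip0x(calldata).toLowerCase();
  // 4-byte selector followed by two 32-byte ABI words
  if (data.length !== 8 + 64 + 64 || data.slice(0, 8) !== SET_APPROVAL_FOR_ALL_SELECTOR) {
    return null;
  }
  const operatorWord = data.slice(8, 72);
  const approvedWord = data.slice(72, 136);
  // An address is left-padded with 12 zero bytes; a bool is 0 or 1 in the last byte.
  if (!/^0{24}[0-9a-f]{40}$/.test(operatorWord) || !/^0{63}[01]$/.test(approvedWord)) {
    return null;
  }
  return { operator: "0x" + operatorWord.slice(24), approved: approvedWord.endsWith("1") };
}

// Classify a wallet transaction request ({ to, data }) before it is signed.
// "danger" means signing hands an unknown operator every token the signer
// holds in the contract at tx.to, which is exactly the approval the lure seeks.
function inspectRequest(tx, trusted = TRUSTED_OPERATORS) {
  const decoded = decodeSetApprovalForAll(tx.data || "0x");
  if (!decoded) return { level: "info", reason: "not a setApprovalForAll call" };
  if (!decoded.approved) return { level: "info", reason: `revokes operator ${decoded.operator}` };
  if (trusted.has(decoded.operator)) {
    return { level: "warn", reason: `grants trusted operator ${decoded.operator} control of all tokens in ${tx.to}` };
  }
  return { level: "danger", reason: `grants UNKNOWN operator ${decoded.operator} control of ALL tokens in ${tx.to}` };
}

// ABI-encode setApprovalForAll(operator, false): the revocation transaction a
// wallet would send to the NFT contract.
function buildRevocation(operator) {
  const addr = strip0x(operator).toLowerCase();
  if (!/^[0-9a-f]{40}$/.test(addr)) throw new Error(`not a 20-byte address: ${operator}`);
  return "0x" + SET_APPROVAL_FOR_ALL_SELECTOR + addr.padStart(64, "0") + "0".repeat(64);
}

// Reduce a list of already-decoded ApprovalForAll events for one owner to the
// operators that are still approved: the latest event per (contract, operator) wins.
function activeApprovals(events) {
  const ordered = [...events].sort((a, b) => a.block - b.block || a.logIndex - b.logIndex);
  const state = new Map();
  for (const ev of ordered) {
    state.set(`${ev.contract.toLowerCase()}|${ev.operator.toLowerCase()}`, ev.approved);
  }
  return [...state.entries()]
    .filter(([, approved]) => approved)
    .map(([key]) => {
      const [contract, operator] = key.split("|");
      return { contract, operator };
    });
}

// Live approvals for operators outside the allowlist, each paired with the
// calldata that revokes it.
function revocationsNeeded(events, trusted = TRUSTED_OPERATORS) {
  return activeApprovals(events)
    .filter(({ operator }) => !trusted.has(operator))
    .map(({ contract, operator }) => ({ contract, operator, data: buildRevocation(operator) }));
}

// Constructed sample data: the request a lure page would push to the wallet,
// and an approval history for one collection.
const COLLECTION = "0xcccccccccccccccccccccccccccccccccccccccc";
const ATTACKER_OPERATOR = "0x2222222222222222222222222222222222222222";
const OTHER_OPERATOR = "0x3333333333333333333333333333333333333333";
const LURE_REQUEST = {
  to: COLLECTION,
  data: "0x" + SET_APPROVAL_FOR_ALL_SELECTOR +
    strip0x(ATTACKER_OPERATOR).padStart(64, "0") + "1".padStart(64, "0"),
};
const SAMPLE_EVENTS = [
  { contract: COLLECTION, operator: "0x1111111111111111111111111111111111111111", approved: true, block: 10, logIndex: 0 },
  { contract: COLLECTION, operator: ATTACKER_OPERATOR, approved: true, block: 20, logIndex: 3 },
  { contract: COLLECTION, operator: OTHER_OPERATOR, approved: true, block: 21, logIndex: 0 },
  { contract: COLLECTION, operator: OTHER_OPERATOR, approved: false, block: 25, logIndex: 1 },
];

console.log(inspectRequest(LURE_REQUEST));
console.log(revocationsNeeded(SAMPLE_EVENTS));
```

The two halves map onto the two pieces of advice: inspectRequest is the check a wallet or browser extension would run on the raw calldata before the "confirm" button, and revocationsNeeded is what an approval checker computes from the chain's ApprovalForAll history. A real tool would fetch the events from a node or explorer and let the wallet submit the revocation calldata; both are left out so the example runs offline.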
