Had the vulnerability been exploited, malicious actors could have stolen users’ NFTs and crypto tokens in a single transaction
Leading Israeli-American software and security company Check Point announced it has recently identified a security flaw in NFT marketplace Rarible, which enjoys over two million monthly users and an annual (2021) trading volume of $273 million.
According to the company’s research arm, Check Point Research (CPR), had the vulnerability been exploited, malicious actors could have stolen users’ NFTs and crypto tokens in a single transaction, as they would have gained full access to the victims' wallets.
The researchers believe that a successful attack could have originated “from a malicious NFT within Rarible’s marketplace itself, where users are less suspicious and familiar with submitting transactions.” An attack would have taken place via a link to a malicious NFT, which would then trick the victim into submitting a transaction request that would actually grant the attacker access to their tokens.
This modus operandi (MO) is the same as the one used against the famous Taiwanese singer Jay Chou, who was duped out of $500 million at the beginning of the month. CPR cites this incident as its motivation for investigating potential vulnerabilities in Rarible.
Findings were immediately disclosed to Rarible, which acknowledged the flaw.
This is the second time Check Point Research (CPR) has uncovered vulnerabilities in NFT marketplaces. In late 2021 it found security issues in OpenSea, the world’s largest NFT marketplace to date. In February of this year, a new OpenSea attack led to the theft of millions of dollars’ worth of NFTs.