Clearly, web3 is still far from the ideal world we were promised. Check Point security researchers have just disclosed a remarkably easy-to-exploit flaw in Rarible, a popular NFT marketplace. They showed that JavaScript code could be embedded in an SVG image to create a malicious NFT. All the attacker then has to do is send the victim a link to that NFT, and the code executes when the page is viewed.
In their demonstration, the researchers trigger a “setApprovalForAll” transaction, which grants the attacker control over the victim’s NFTs. Admittedly, the victim still has to confirm this operation manually, but the screen presented does not really make the associated risk clear. Once the operation has been confirmed, the attacker can transfer the NFTs at leisure.
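The root cause described above is that an SVG is an XML document that browsers will happily execute active content from: a `<script>` element, an event-handler attribute such as `onload`, or a `javascript:` link. A marketplace that lets users upload SVGs therefore needs to treat them as potentially executable and reject or sanitize them before serving them. The following scanner is an added illustration for this article; it is not Check Point’s or Rarible’s code, and the sample SVG documents inside it are constructed for the example.

```python
"""Flag active (executable) content in an uploaded SVG before it is served.

Added example for this article, not code from Check Point or Rarible.
The sample documents at the bottom are constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Elements that can carry or embed executable content when an SVG is
# rendered directly in a browser.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}

# Attributes whose value is a URL and may therefore be a javascript: scheme.
URL_ATTRIBUTES = {"href", "xlink:href", "src", "to", "from", "values"}


def _local(name):
    """Strip an XML namespace prefix such as '{http://www.w3.org/2000/svg}'."""
    return name.rsplit("}", 1)[-1]


def _is_javascript_url(value):
    """True if the attribute value resolves to a javascript: URL.

    Whitespace and control characters are removed first, because browsers
    ignore them inside the scheme ('java\\nscript:' still executes).
    """
    compact = "".join(ch for ch in value if not ch.isspace() and ord(ch) > 31)
    return compact.lower().startswith("javascript:")


def find_active_content(svg_text):
    """Return a list of human-readable findings for executable content.

    An empty list means nothing executable was found. Raises
    xml.etree.ElementTree.ParseError on malformed input.
    """
    findings = []
    root = ET.fromstring(svg_text)
    for elem in root.iter():
        name = _local(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"element <{name}>")
        for attr, value in elem.attrib.items():
            aname = _local(attr)
            # Any on* attribute (onload, onclick, ...) is an inline event handler.
            if aname.lower().startswith("on"):
                findings.append(f"event handler {aname} on <{name}>")
            elif aname in URL_ATTRIBUTES and _is_javascript_url(value):
                findings.append(f"javascript: URL in {aname} on <{name}>")
    return findings


def is_safe_svg(svg_text):
    """Accept only well-formed SVGs with no active content.

    Malformed XML is rejected outright rather than guessed at, since a parser
    disagreement between the scanner and the browser is itself a bypass risk.
    """
    try:
        return not find_active_content(svg_text)
    except ET.ParseError:
        return False


# Constructed samples: one benign image and one carrying three kinds of
# active content (handler attribute, script element, javascript: link).
BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    '<rect width="10" height="10" fill="#c0ffee"/></svg>'
)

ACTIVE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" onload="handler()">'
    '<script>/* constructed sample */</script>'
    '<a xlink:href="java\nscript:handler()"><text>x</text></a>'
    '</svg>'
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("active", ACTIVE_SVG)):
        print(label, "safe" if is_safe_svg(doc) else "REJECT", find_active_content(doc))
```

In a real upload pipeline this check would sit server-side, and rejected files would be logged with the uploader’s account for investigation; serving SVGs with a `Content-Type` of `image/svg+xml` from a separate origin and a restrictive `Content-Security-Policy` is a complementary defence, since a viewer embedded via `<img>` rather than rendered as a document does not run scripts at all. Note that `xml.etree` is used here for portability; a production parser should also be configured to refuse external entities and DTDs.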
This attack is not theoretical. It was used to scam Jay Chou, a Taiwanese singer and actor. After clicking on such a link, he was stripped of a particularly prized NFT, a “Bored Ape”. The attacker then sold the piece for 500,000 dollars. The good news is that the flaw enabling this kind of attack has since been closed.
Rarible is not the first marketplace to face security issues of this kind. Last February, hundreds of NFTs unexpectedly changed hands because of a protocol flaw. In October 2021, Check Point researchers had also observed phishing attacks against OpenSea users aimed at stealing NFTs, a scam that let the attackers amass millions of dollars. It’s a real jungle.
In recent years, the rise of NFTs (Non-Fungible Tokens) has brought about a new wave of excitement in the digital art world. However, with this excitement comes the potential for scams and fraudulent activities. It is important for individuals to be cautious and do their due diligence before investing in NFTs. There have been reports of NFT scams where individuals have been misled into purchasing fake or non-existent digital assets. It is crucial to thoroughly research the seller and the NFT before making any transactions to avoid falling victim to these scams. As the popularity of NFTs continues to grow, it is essential to stay informed and vigilant to protect oneself from potential fraud.