
Check Point Research discovered a security flaw in the Rarible NFT marketplace. The flaw was immediately reported to Rarible, which acknowledged the issue and deployed a fix.
Rarible is an online platform where users can create, buy or sell NFTs. It has more than 2 million registered users, and the company reported over $273 million trading volume in 2021, making it one of the biggest NFT marketplaces on the web.
The EIP-721 NFT standard defines a standard API for NFTs within smart contracts. The standard provides basic functionality to track and transfer NFTs. One of its functions is setApprovalForAll, which designates who is authorized to control all of your tokens/NFTs; it exists mainly so that third parties such as Rarible, OpenSea, etc., can control the NFTs/tokens on behalf of users.
This leads to a scenario in which anyone can control a user's NFTs if that user is tricked into signing such an approval. Since many users do not really understand all the technical aspects of NFTs, they may give away control over their NFTs while believing they were just handling a regular transaction.
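As an added example (not Check Point's or Rarible's code), the following Python check is the kind of pre-signing inspection a wallet or signing front-end could run on a pending transaction's calldata: it decodes setApprovalForAll(address,bool) and flags a blanket approval to an operator that is not on an allow-list. The selectors are the first four bytes of keccak256 of the ERC-721 function signatures; the marketplace and operator addresses are constructed placeholders, not real contracts.

```python
# Decode the calldata of a pending ERC-721 transaction and flag blanket approvals.
from typing import Optional, Set

# Function selectors: first 4 bytes of keccak256 of the function signature.
SET_APPROVAL_FOR_ALL = bytes.fromhex("a22cb465")  # setApprovalForAll(address,bool)
APPROVE = bytes.fromhex("095ea7b3")               # approve(address,uint256)


def _word(args: bytes, index: int) -> bytes:
    """Return the index-th 32-byte ABI word of the argument area."""
    chunk = args[32 * index:32 * (index + 1)]
    if len(chunk) != 32:
        raise ValueError("calldata too short for argument %d" % index)
    return chunk


def decode_approval(calldata: str) -> Optional[dict]:
    """Decode an approval call; return None if the calldata is something else."""
    data = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    selector, args = data[:4], data[4:]
    if selector == SET_APPROVAL_FOR_ALL:
        operator = "0x" + _word(args, 0)[12:].hex()  # address is right-aligned in its word
        approved = int.from_bytes(_word(args, 1), "big") != 0
        return {"kind": "setApprovalForAll", "operator": operator, "approved": approved}
    if selector == APPROVE:
        operator = "0x" + _word(args, 0)[12:].hex()
        token_id = int.from_bytes(_word(args, 1), "big")
        return {"kind": "approve", "operator": operator, "token_id": token_id}
    return None


def is_risky_blanket_approval(calldata: str, trusted_operators: Set[str]) -> bool:
    """True when signing would hand control of ALL tokens to an operator off the allow-list."""
    call = decode_approval(calldata)
    if call is None or call["kind"] != "setApprovalForAll" or not call["approved"]:
        return False
    return call["operator"].lower() not in {a.lower() for a in trusted_operators}


def encode_set_approval_for_all(operator: str, approved: bool) -> str:
    """ABI-encode setApprovalForAll(operator, approved); used here only to build sample input."""
    addr = bytes.fromhex(operator[2:]).rjust(32, b"\x00")
    flag = (1 if approved else 0).to_bytes(32, "big")
    return "0x" + (SET_APPROVAL_FOR_ALL + addr + flag).hex()


# Constructed placeholder addresses: neither is a real marketplace or attacker contract.
MARKETPLACE = "0x" + "11" * 20
UNKNOWN_OPERATOR = "0x" + "22" * 20
SAMPLE_CALLDATA = encode_set_approval_for_all(UNKNOWN_OPERATOR, True)
```

A single-token approve(address,uint256) is decoded as well so the two can be told apart: only setApprovalForAll with approved=true grants control over every token the signer owns.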
The main use of NFTs for business is to promote brands by selling exclusive items to customers or fans. Some companies also offer NFTs to their customers as gifts.
NFTs can also be used as proof of attendance for events or trainings/certifications. People participating in the event would receive a unique token as a proof that they have indeed attended.
Companies generally use popular NFT marketplaces to sell or handle their items, which exposes them to the attack described in this article. A company's account could be targeted by cybercriminals who trick it into granting full access to all of its NFTs via the setApprovalForAll method, after which the tokens are transferred to other wallets before being sold.