Hackers could have lured victims into clicking on a malicious NFT (non-fungible token), leading to account compromise and the loss of funds in the account, Check Point Research (CPR) researchers said. CPR immediately reported the flaw to Rarible, which installed a quick fix.
Dangerous “setApprovalForAll” Function
NFTs follow the EIP-721 standard, which provides basic functionality for tracking and transferring them across marketplaces. The standard includes a function named “setApprovalForAll.” Researchers called the function “very dangerous by design,” because if a user is tricked into signing it, it may allow anyone to control the NFT process. NFT users usually do not pay attention to what permissions they are signing over in a transaction because they assume it is safe by default, researchers wrote. To test this case, researchers created NFT art, such as an SVG image, containing malicious scripts that use JSON-RPC and the “tokennfttx” API, and uploaded it. NFT art files can be anything ending in one of the file extensions PNG, GIF, SVG, MP4, WebM, or MP3.
Hackers Could Have Gained Full Access
Researchers then simply uploaded the malicious NFT to the Rarible marketplace. When clicked, it loops through the victim’s NFTs and sends the “setApprovalForAll” transaction to the victim’s wallet. Once the victim approves, the hacker has full access to a certain set of the victim’s NFTs, which can be transferred to the hacker’s own account using the “transferFrom” action on the NFT contract. The same “setApprovalForAll” request technique was used on famous Taiwanese singer Jay Chou. As a result, hackers got full access to Chou’s “Bored Ape” NFTs. The hacker then transferred Chou’s NFTs to a separate wallet and sold them for $500,000, researchers wrote.
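Reviewing and revoking blanket approvals is the defensive counterpart to the flow described above. As an added example (not code from the article, Rarible or Check Point), the script below replays a wallet's ERC-721 ApprovalForAll event logs to list operators that still hold setApprovalForAll rights and builds the setApprovalForAll(operator, false) calldata that revokes them; the owner, operator and contract addresses and the log entries are constructed samples.

```javascript
// Added example (not code from the article, Rarible or Check Point): audit a
// wallet's ERC-721 ApprovalForAll logs and build the calldata that revokes any
// blanket approval still in force. Topic hash and selector are the standard
// EIP-721 values; addresses and log entries below are constructed samples.
const APPROVAL_FOR_ALL_TOPIC =
  "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31";
const SET_APPROVAL_FOR_ALL_SELECTOR = "0xa22cb465"; // setApprovalForAll(address,bool)
// Last 20 bytes of a 32-byte log word, as a lowercase 0x address.
function wordToAddress(word) {
  return "0x" + word.slice(-40).toLowerCase();
}
// Replay ApprovalForAll logs in block order. The latest event per (contract,
// operator) pair decides whether that operator may currently call transferFrom
// on every token the owner holds in that contract.
function activeOperators(logs, owner) {
  const state = new Map();
  for (const log of logs) {
    if (log.topics[0] !== APPROVAL_FOR_ALL_TOPIC) continue;
    if (wordToAddress(log.topics[1]) !== owner.toLowerCase()) continue;
    const contract = log.address.toLowerCase();
    const operator = wordToAddress(log.topics[2]);
    const key = contract + "|" + operator;
    if (BigInt(log.data) === 1n) state.set(key, { contract, operator });
    else state.delete(key); // approved=false clears the earlier grant
  }
  return [...state.values()];
}
// ABI-encode setApprovalForAll(operator, false): selector, address left-padded
// to 32 bytes, then an all-zero word for the bool.
function revokeCalldata(operator) {
  return SET_APPROVAL_FOR_ALL_SELECTOR +
    operator.toLowerCase().slice(2).padStart(64, "0") + "0".repeat(64);
}
// Constructed sample: the owner approved a marketplace on NFT_A and later
// revoked it, but an unfamiliar operator is still approved on NFT_B.
const OWNER = "0x1111111111111111111111111111111111111111";
const MARKET = "0x2222222222222222222222222222222222222222";
const UNKNOWN = "0x3333333333333333333333333333333333333333";
const NFT_A = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
const NFT_B = "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb";
const word = (hex) => "0x" + hex.slice(2).toLowerCase().padStart(64, "0");
const SAMPLE_LOGS = [
  { address: NFT_A, topics: [APPROVAL_FOR_ALL_TOPIC, word(OWNER), word(MARKET)], data: word("0x1") },
  { address: NFT_A, topics: [APPROVAL_FOR_ALL_TOPIC, word(OWNER), word(MARKET)], data: word("0x0") },
  { address: NFT_B, topics: [APPROVAL_FOR_ALL_TOPIC, word(OWNER), word(UNKNOWN)], data: word("0x1") },
];
for (const { contract, operator } of activeOperators(SAMPLE_LOGS, OWNER)) {
  console.log(`${operator} is approved for all of ${contract}; revoke with ${revokeCalldata(operator)}`);
}
```

Against a live wallet the same logic runs over the logs returned by an eth_getLogs query filtered on the ApprovalForAll topic and the owner address; the revocation calldata is what a wallet would sign to remove the grant.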
NFT Marketplaces Are an Easy Target
Non-fungible tokens are a new, disruptive arena in the world of digital assets, and marketplaces have not yet fine-tuned their security well enough. Just last month, OpenSea, the largest NFT marketplace on the web, was hacked, resulting in the theft of $1.7 million in NFTs via phishing techniques. It is important to add that cryptocurrency scams are quite similar to NFT scams, as both assets operate in the same space.
Check Point’s Security Tips
CPR researchers remind NFT aficionados that they should be very cautious about wallet requests, because some of these requests may give attackers full access to their NFTs and tokens. To protect themselves from scenarios like this, users should:
- Be cautious when receiving requests to sign any link within any NFT marketplace
- Review the content of a request and decide whether it seems abnormal or suspicious
- In case of any doubts, reject the request and examine it one more time before providing authorization
Token approvals can also be reviewed and revoked via Etherscan’s “tokenapprovalchecker.” While many investors expect NFTs to stay around for the long haul, researchers said that malicious actors are taking advantage of this early interest. “Threat actors know they have an open window right now to take advantage of, with consumer adoption spiking, while security measures in this space still need to catch up,” CPR said. In the meantime, check out 2022’s best VPNs for crypto-trading, which you can also use for NFT transactions. You may also want to educate yourself on cybercrime scams via our overview on phishing.