April 20, 2025
Blockchain

Rarible vulnerability allowed all NFTs to be stolen from a user’s wallet

  • April 14, 2022


Check Point Research (CPR) discovered a vulnerability in the Rarible NFT marketplace. Exploiting it would allow an attacker to withdraw all the assets from the wallet of any of the two million users in a single transaction.

A successful attack with a malicious NFT may have taken place on the platform. Experts noted that in this case users are less suspicious and are familiar with the procedure for sending transactions.

CPR describes the possible attack methodology as follows:

  • the victim receives a link or clicks on the icon containing the script while navigating the site;
  • the executed JavaScript code attempts to send a setApprovalForAll request to the user;
  • the victim approves this and gives the attacker full access to their assets.
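
A wallet or browser extension can catch the second step before the user signs. The check below is an added example, not code from CPR or Rarible: it decodes pending transaction calldata and flags a setApprovalForAll grant to an operator that is not on an allowlist. The allowlist and both addresses are constructed placeholders.

```javascript
// Added example: pre-signing check for ERC-721/ERC-1155 setApprovalForAll calls.
// Selector = first 4 bytes of keccak256("setApprovalForAll(address,bool)").
const SET_APPROVAL_FOR_ALL = "a22cb465";

// Hypothetical allowlist of operators the user already trusts (constructed value).
const TRUSTED_OPERATORS = new Set(["0x1111111111111111111111111111111111111111"]);

function inspectCalldata(data, trusted = TRUSTED_OPERATORS) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]*$/.test(hex) || hex.length % 2 !== 0) {
    return { verdict: "reject", reason: "calldata is not valid hex" };
  }
  if (hex.slice(0, 8) !== SET_APPROVAL_FOR_ALL) {
    return { verdict: "not-applicable", reason: "not a setApprovalForAll call" };
  }
  // ABI encoding: selector + two 32-byte words (address, bool).
  if (hex.length !== 8 + 64 + 64) {
    return { verdict: "reject", reason: "unexpected argument length" };
  }
  const addrWord = hex.slice(8, 72);
  const boolWord = hex.slice(72, 136);
  // Upper 12 bytes of the address word must be zero; bool must be exactly 0 or 1.
  if (!/^0{24}/.test(addrWord) || !/^0{63}[01]$/.test(boolWord)) {
    return { verdict: "reject", reason: "malformed argument padding" };
  }
  const operator = "0x" + addrWord.slice(24);
  const approved = boolWord.endsWith("1");
  if (!approved) {
    return { verdict: "allow", operator, approved, reason: "revokes operator access" };
  }
  if (trusted.has(operator)) {
    return { verdict: "allow", operator, approved, reason: "operator is on the allowlist" };
  }
  return {
    verdict: "warn", operator, approved,
    reason: "grants an unknown operator control of every token in this collection",
  };
}

// Constructed sample: approval for an operator that is not on the allowlist.
const sample = "0xa22cb465" +
  "000000000000000000000000" + "2222222222222222222222222222222222222222" +
  "0".repeat(63) + "1";
console.log(inspectCalldata(sample));
```

A "warn" verdict is the point at which the signing prompt should show the operator address and state that the approval covers all tokens in the contract, not a single item.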

The experts said they were motivated to check Rarible's security against such an attack because they had encountered a similar incident before. On April 1, Taiwanese singer Jay Chou was tricked into confirming a transaction, after which the NFT Bored Ape #3738 was sold on the market for $500,000.

In addition, CPR experts relied on the results of their work on the OpenSea market in October 2021, when they discovered critical vulnerabilities.

According to the blog post, the company reported its findings on April 5 to the Rarible team, who “acknowledged the bug and fixed it.”

Still, the experts advised users to be careful when accepting requests, even on the trading platform itself. In case of any doubt, they recommended rejecting such requests.

Recall that in January, a vulnerability was discovered in the OpenSea listing functionality that allowed tokens to be used at a discounted price. Just one of the users of the marketplace API on Rarible scammed 347 ETH.

The total loss reached 750 ETH, which OpenSea reimbursed to customers.

Source: Fork Log
