Rarible

Cyber security software firm Check Point Research (CPR) has identified a vulnerability in NFT marketplace Rarible that could have seen any of its 2 million monthly users lose their NFTs in a single transaction.

Attackers Could Have Gained Full Access

CPR has previously identified exploits, among them the infamous hack of OpenSea in October 2021. According to CPR:

CPR identified a security flaw in Rarible, the NFT marketplace with over two million active users. If exploited, the vulnerability would have enabled a threat actor to steal a user’s NFTs and crypto tokens in a single transaction. CPR immediately disclosed findings to Rarible, who acknowledged the security flaw. CPR’s revelations mark the second time that their researchers discovered security flaws in an NFT marketplace. In October 2021, CPR found security issues in OpenSea, the world’s largest NFT marketplace.
Check Point Research

According to CPR, the exploit would have occurred when a malicious NFT within Rarible’s marketplace itself, where users are less suspicious and familiar with submitting transactions, and the exploit would have begun with the victim receiving a link to a malicious NFT who then clicks on it.

Attack Methodology

CPR has provided outlines of the attack methodology:

Victims receive a link to the malicious NFT or browse the marketplace and click on it.
The malicious NFT executes JavaScript code and attempts to send a setApprovalForAll request to the victim.
The victim submits the request and grants full access to the NFTs/crypto tokens to the attacker.

CPR immediately disclosed the findings to Rarible, which has since acknowledged the security flaw and taken action against the attack.

NFT Thefts Rampant

Earlier this year, Crypto News Australia reported a flaw on multibillion-dollar GameFi company Illuvium that caused it to drain its liquidity pools. Had it not done so, the flaw could have ended in billions of dollars lost due to the flaw.

NFT marketplace Rarible has been quite busy in the past couple of months and has now announced the addition of Polygon NFTs as well as multi-wallet support. Polygon joins Ethereum, Flow and Tezos as part of the platform’s vision for multi-chain commerce.

Tezos joined Rarible in December and was integrated with Flow in November. Rarible’s biggest competitor and marketleader, OpenSea, supports Ethereum, Polygon and Klatyn, and added Polygon-based NFTs in October.

👝If you collect/create on multiple chains (or with multiple wallets on one chain), you'll love our multi-wallet profile.

It lets you add up to 20 (!) wallets from any Rarible-enabled blockchain (currently Ethereum, @flow_blockchain @tezos and @0xPolygon 👀) to one profile. pic.twitter.com/8wLh4DdWX9
— Rarible (@rarible) March 17, 2022

Polygon is a sidechain scaling solution for Ethereum that enables faster and cheaper transactions than the Ethereum mainnet. Unlike Ethereum, which uses energy-intensive proof-of-work, Polygon relies on the eco-friendlier proof-of-stake consensus model that remains backed by the security offered by Ethereum.

Rarible Aims to Clear ‘Roadblocks’

As Rarible’s co-founder Alexei Falin said, “We have enjoyed watching the NFT market grow rapidly throughout the past two years but acknowledge that there are certain roadblocks that exist within the space, including high gas fees and ecosystem limitations. As a top NFT protocol and marketplace we have a responsibility to solve issues related to NFT creation and consumption, which is at the core of our multi-chain vision.”

3/ You can now connect your @ethereum , @tezos , @flow_blockchain , & @0xPolygon wallets to a single profile so you can view & manage your #NFTs across all 4 chains all in one place. #Ethereum $ETH #tezos $XTZ #Flow $FLOW #Polygon $MATIC #NFTs
— jared.info | gasistoodamnhigh.eth (@JaredRonis) March 17, 2022

Rarible Rolls Out ‘Multi-Wallet’

The marketplace has also launched a multi-wallet profile feature on Rarible.com that lets users sign in with up to 20 wallets at a time across different blockchains. By doing so, users with multiple wallets across various supported ecosystems won’t have to constantly sign in and out when buying and selling NFTs on the platform.

Falin has said, “We have seen firsthand how inconvenient it is to log in and out of wallets that hold collectibles spanning blockchains. To streamline this process for our users, the multi-wallet profile can support collections across any Rarible-supported blockchain in one place, so you can access items with one simple click.”