Flaw in Rarible NFT market allowed theft of crypto assets
A security flaw in the Rarible NFT marketplace allowed threat actors to use a relatively simple trick to steal digital assets and transfer them directly into their wallets.
Rarible is a community-centric NFT marketplace that offers up to 50% in royalties. It has 2.1 million registered users, hundreds of millions of U.S. dollars in annual trading volume, and support for three blockchains.
Hiding code inside NFTs
The problem stems from the risk intrinsic to the "SetApprovalForAll" function, part of the EIP-721 NFT standard, which gives complete control of the NFT assets to someone else.
Clicking on the NFT image or on the IPFS link would trigger code execution that results in the target receiving a "SetApprovalForAll" transaction request in their browser.
Check Point's report mentions a real-world abuse case targeting Taiwanese celebrity Jay Chou, who recently lost a "Bored Ape" NFT worth $500,000 to a transaction signature scammer.
Essentially, the problem lies in the NFT transaction standard and the ambiguity of the signature requests, which makes it challenging for asset holders to evaluate their authenticity and actual scope.
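The scope of such a request can be made explicit before it is signed. The following is an added example, not code from Check Point, Rarible or any wallet: it decodes a transaction's calldata and reports when it is a call to the function the standard's interface spells `setApprovalForAll(address,bool)`, and which address would gain control. The function name `describeApprovalRequest`, the result fields and the sample addresses are assumptions made for illustration.

```javascript
// Added example: decode a pending transaction's calldata and flag ERC-721
// setApprovalForAll(address,bool) so the scope of the request is explicit.
// Function and field names here are hypothetical, not from any wallet's API.

// First 4 bytes of keccak256("setApprovalForAll(address,bool)").
const SET_APPROVAL_FOR_ALL = "a22cb465";

function describeApprovalRequest(tx) {
  const data = String(tx.data || "").toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]*$/.test(data) || data.length < 8) {
    return { kind: "unknown", risk: "review", reason: "no decodable function selector" };
  }
  if (data.slice(0, 8) !== SET_APPROVAL_FOR_ALL) {
    return { kind: "other", risk: "review", reason: "not a setApprovalForAll call" };
  }
  const args = data.slice(8);
  // ABI encoding: two 32-byte words (operator address, approved flag).
  if (args.length !== 128) {
    return { kind: "setApprovalForAll", risk: "block", reason: "malformed arguments" };
  }
  const operatorWord = args.slice(0, 64);
  const approvedWord = args.slice(64);
  // Address sits in the low 20 bytes (high 12 zero); the flag must be 0 or 1.
  if (!/^0{24}/.test(operatorWord) || !/^0{63}[01]$/.test(approvedWord)) {
    return { kind: "setApprovalForAll", risk: "block", reason: "non-canonical encoding" };
  }
  const operator = "0x" + operatorWord.slice(24);
  const approved = approvedWord.endsWith("1");
  return {
    kind: "setApprovalForAll",
    collection: tx.to,
    operator,
    approved,
    risk: approved ? "high" : "low",
    reason: approved
      ? `grants ${operator} control of every token you hold in collection ${tx.to}`
      : `revokes ${operator}'s control over collection ${tx.to}`,
  };
}

// Constructed sample request (placeholder addresses, not real accounts).
const sampleTx = {
  to: "0x" + "11".repeat(20),
  data: "0x" + SET_APPROVAL_FOR_ALL + "0".repeat(24) + "22".repeat(20) + "0".repeat(63) + "1",
};
console.log(describeApprovalRequest(sampleTx).reason);
```

A wallet or browser extension would run a check like this on the `data` field of the request and show the operator address and the "every token in this collection" wording in place of an opaque prompt.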