Researchers: the setApprovalForAll function in the EIP-721 standard is very risky

On April 16th, following the theft of Jay Chou’s NFT, researchers Roman Zaikin, Dikla Barda and Oded Vanunu examined the EIP-721 standard that most NFTs implement. They found that fraudsters can lure a user into clicking a malicious NFT link and then take control of the victim’s tokens through a function in the standard called setApprovalForAll. The function was designed so that a user can delegate control of their NFTs to a third party such as Rarible or OpenSea: it authorizes a specified operator address to manage every token the user holds in that contract. Once the victim has granted that approval to an attacker-controlled address, the attacker can call transferFrom on the contract and move all of the victim’s NFTs in that collection into his own account. The researchers say the feature is dangerous by design, and that users do not always understand what permissions they are granting when they sign a transaction; most victims believe they are approving a routine transaction. (TheRegister)
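The two halves of the attack described above can be made concrete in a few lines. The following is an added example, not code from the article or from the Check Point researchers it cites. It decodes the raw calldata a dApp hands to a wallet, so the user can see that the transaction is a setApprovalForAll rather than a routine transfer, and it models the ERC-721 authorization rules to show that one such approval lets the operator transferFrom every token the victim owns in that contract. The 4-byte selectors are the standard EIP-721 ones; the operator address, token ids and the sample calldata are constructed for the demonstration.

```python
"""Decode ERC-721 calldata before signing, and model what an approval grants.

Added example (not the article's or the researchers' code). Selectors are the
first 4 bytes of keccak256 of the canonical EIP-721 signatures; the addresses
and token ids used in the scenario below are made up for the demonstration.
"""
from dataclasses import dataclass, field

SELECTORS = {
    "a22cb465": ("setApprovalForAll", ("address", "bool")),
    "095ea7b3": ("approve", ("address", "uint256")),
    "23b872dd": ("transferFrom", ("address", "address", "uint256")),
    "42842e0e": ("safeTransferFrom", ("address", "address", "uint256")),
}


def decode_erc721_call(calldata_hex: str) -> dict:
    """Return {'function', 'selector', 'args'}; function is None if unknown."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) < 4:
        raise ValueError("calldata shorter than a 4-byte selector")
    selector = data[:4].hex()
    if selector not in SELECTORS:
        return {"function": None, "selector": selector, "args": []}
    name, types = SELECTORS[selector]
    args = []
    for i, t in enumerate(types):
        word = data[4 + 32 * i: 36 + 32 * i]      # each ABI argument is one 32-byte word
        if len(word) != 32:
            raise ValueError("calldata truncated")
        if t == "address":
            if any(word[:12]):                    # addresses are left-padded with zero bytes
                raise ValueError("malformed address word")
            args.append("0x" + word[12:].hex())
        elif t == "bool":
            value = int.from_bytes(word, "big")
            if value not in (0, 1):
                raise ValueError("malformed bool word")
            args.append(value == 1)
        else:
            args.append(int.from_bytes(word, "big"))
    return {"function": name, "selector": selector, "args": args}


def describe_risk(decoded: dict) -> str:
    """Plain-language warning a wallet should show for the decoded call."""
    fn, args = decoded["function"], decoded["args"]
    if fn == "setApprovalForAll" and args[1]:
        return (f"HIGH: grants operator {args[0]} the right to transfer EVERY token "
                "you hold now or later in this collection, until you revoke it")
    if fn == "setApprovalForAll":
        return f"revokes operator {args[0]}"
    if fn == "approve":
        return f"MEDIUM: lets {args[0]} transfer token #{args[1]} only"
    if fn in ("transferFrom", "safeTransferFrom"):
        return f"moves token #{args[2]} from {args[0]} to {args[1]}"
    return f"UNKNOWN selector {decoded['selector']}: do not sign blindly"


@dataclass
class ERC721Model:
    """Minimal in-memory model of the ERC-721 authorization rules."""
    owner_of: dict = field(default_factory=dict)         # token_id -> owner
    operators: set = field(default_factory=set)          # (owner, operator) pairs
    token_approvals: dict = field(default_factory=dict)  # token_id -> approved address

    def set_approval_for_all(self, sender, operator, approved):
        if approved:
            self.operators.add((sender, operator))
        else:
            self.operators.discard((sender, operator))

    def transfer_from(self, sender, frm, to, token_id) -> bool:
        owner = self.owner_of.get(token_id)
        if owner is None or owner != frm:
            return False
        authorized = (sender == owner
                      or (owner, sender) in self.operators
                      or self.token_approvals.get(token_id) == sender)
        if not authorized:
            return False
        self.owner_of[token_id] = to
        self.token_approvals.pop(token_id, None)        # per-token approval clears on transfer
        return True


def simulate_drain(victim, attacker, token_ids):
    """Show that a single setApprovalForAll lets the operator move every token."""
    nft = ERC721Model(owner_of={tid: victim for tid in token_ids})
    before = [nft.transfer_from(attacker, victim, attacker, tid) for tid in token_ids]
    nft.set_approval_for_all(victim, attacker, True)      # the transaction the victim was lured into
    after = [nft.transfer_from(attacker, victim, attacker, tid) for tid in token_ids]
    return {"before_approval": before, "after_approval": after, "owners": dict(nft.owner_of)}


# Constructed calldata for setApprovalForAll(0x1111...1111, true); the operator is made up.
OPERATOR = "0x" + "11" * 20
SAMPLE_CALLDATA = "0xa22cb465" + "00" * 12 + "11" * 20 + "00" * 31 + "01"

if __name__ == "__main__":
    call = decode_erc721_call(SAMPLE_CALLDATA)
    print(call["function"], call["args"])
    print(describe_risk(call))
    print(simulate_drain("0xvictim", OPERATOR, [1, 2, 3]))
```

The decoder deliberately rejects address words with non-zero padding and bool words other than 0 or 1, so a crafted transaction cannot slip a different value past the warning; in the model, the attacker's transferFrom calls fail before the approval and succeed for every token afterwards, which is exactly the "drain" the researchers describe.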
