After Jay's NFTs were stolen, researchers Roman Zaikin, Dikla Barda, and Oded Vanunu began investigating the EIP-721 standard commonly used for NFTs.
It turns out that fraudsters can lure users into clicking a link to a malicious NFT and then take control of the victim's NFTs through a function in the standard called setApprovalForAll. The function is designed to let third parties such as Rarible and OpenSea manage NFTs on a user's behalf, but it authorizes whichever address is named as the operator to control every NFT the signer holds in that contract, including tokens received later, and the approval stays in force until the owner explicitly revokes it.
Once the approval is granted, the attacker can transfer all NFTs held under the victim's address to his own account by calling the contract's transferFrom function, with no further signature from the victim. The researchers say the feature is dangerous by design: users do not always understand what permissions they are granting when they sign a transaction, and most of the time victims assume they are approving something routine.
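To make the mechanism concrete, here is an added example (not Check Point's code and not a real contract) that models an ERC-721 ledger in memory: the victim signs a setApprovalForAll transaction naming the attacker as operator, the attacker drains every token with transferFrom, and a later revocation stops further transfers without recovering what was taken. The addresses and token IDs are constructed; the two function selectors are the real ERC-721 ABI selectors. The calldata decoder shows the check a wallet can run before asking the user to sign.

```python
"""Model of the ERC-721 (EIP-721) operator-approval flow and the drain it enables.

Added example, not Check Point's code or a real contract: the ledger is an
in-memory stand-in for an ERC-721 contract; addresses and token IDs are constructed.
"""
from dataclasses import dataclass, field

# 4-byte function selectors from the ERC-721 ABI (first 4 bytes of keccak256 of the signature).
SEL_SET_APPROVAL_FOR_ALL = "a22cb465"   # setApprovalForAll(address,bool)
SEL_TRANSFER_FROM = "23b872dd"          # transferFrom(address,address,uint256)

# Constructed addresses for the walk-through.
VICTIM = "0x" + "11" * 20
ATTACKER = "0x" + "aa" * 20


def _strip0x(hexstr):
    hexstr = hexstr.lower()
    return hexstr[2:] if hexstr.startswith("0x") else hexstr


@dataclass
class ERC721Ledger:
    """Minimal ERC-721 state: ownership plus operator approvals (per-token approve() omitted)."""
    owner_of: dict = field(default_factory=dict)            # token_id -> owner address
    operator_approvals: dict = field(default_factory=dict)  # (owner, operator) -> bool

    def mint(self, to, token_id):
        assert token_id not in self.owner_of, "token already exists"
        self.owner_of[token_id] = to

    def set_approval_for_all(self, caller, operator, approved):
        # msg.sender grants (or revokes) operator rights over ALL of their tokens in this
        # contract, present and future. This is exactly what a marketplace asks for.
        if operator == caller:
            raise ValueError("ERC721: approve to caller")
        self.operator_approvals[(caller, operator)] = approved

    def is_approved_for_all(self, owner, operator):
        return self.operator_approvals.get((owner, operator), False)

    def transfer_from(self, caller, from_addr, to, token_id):
        owner = self.owner_of.get(token_id)
        if owner != from_addr:
            raise ValueError("ERC721: transfer from incorrect owner")
        # The standard authorises the owner OR any approved operator; the owner signs nothing here.
        if caller != owner and not self.is_approved_for_all(owner, caller):
            raise PermissionError("ERC721: caller is not owner nor approved")
        self.owner_of[token_id] = to

    def tokens_of(self, holder):
        return sorted(t for t, o in self.owner_of.items() if o == holder)


def encode_set_approval_for_all(operator, approved):
    """ABI-encode setApprovalForAll(operator, approved): selector + padded address + padded bool."""
    addr = _strip0x(operator).rjust(64, "0")
    flag = ("1" if approved else "0").rjust(64, "0")
    return "0x" + SEL_SET_APPROVAL_FOR_ALL + addr + flag


def decode_set_approval_for_all(calldata_hex):
    """Return (operator, approved) if calldata is a setApprovalForAll call, else None.
    This is the check a wallet should make before presenting a 'routine' signature prompt."""
    data = _strip0x(calldata_hex)
    if data[:8] != SEL_SET_APPROVAL_FOR_ALL or len(data) != 8 + 64 + 64:
        return None
    operator = "0x" + data[8 + 24:8 + 64]      # address is right-aligned in its 32-byte word
    approved = int(data[72:136], 16) == 1
    return operator, approved


def drain_after_approval(ledger, victim, attacker):
    """What the attacker does once the victim has signed setApprovalForAll(attacker, true)."""
    moved = []
    for token_id in ledger.tokens_of(victim):
        ledger.transfer_from(attacker, victim, attacker, token_id)
        moved.append(token_id)
    return moved


def demo():
    ledger = ERC721Ledger()
    for token_id in (1, 2, 3):
        ledger.mint(VICTIM, token_id)

    # The malicious NFT page gets the victim to sign this transaction.
    tx = encode_set_approval_for_all(ATTACKER, True)
    operator, approved = decode_set_approval_for_all(tx)   # what the wallet should surface
    ledger.set_approval_for_all(VICTIM, operator, approved)

    stolen = drain_after_approval(ledger, VICTIM, ATTACKER)

    # Revoking the approval blocks further transfers but does not recover the tokens.
    ledger.set_approval_for_all(VICTIM, ATTACKER, False)
    ledger.mint(VICTIM, 4)
    try:
        ledger.transfer_from(ATTACKER, VICTIM, ATTACKER, 4)
        blocked = False
    except PermissionError:
        blocked = True
    return stolen, ledger.tokens_of(ATTACKER), blocked


if __name__ == "__main__":
    print(demo())
```

The decoder is the practical takeaway: a setApprovalForAll call is recognisable from its first four bytes, and surfacing the operator address and the boolean to the user turns an opaque "sign this" prompt into an explicit "grant this address control of all your NFTs in this collection" decision.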