NFTs use smart contracts to track the ownership of unique and non-replaceable digital assets. Smart contracts enable users to create, own, identify, manage, and exchange these items without a centralized entity.
When users purchase NFTs (non-fungible tokens), they buy a unique identifier linked to content on the InterPlanetary File System (IPFS) that the marketplace stores. Centralized storage comes with many potential risks, such as losing access to your ERC-721 token if the marketplace suffers a security breach or decides to exit the market.
Smart contract vulnerabilities in NFTs can also lead to security issues. These include DoS attacks, reentrancy attacks, and front-running. In addition, the industry’s lack of adequate identity verification has resulted in the sale of fake artwork.
One way to mitigate these risks is to conduct regular NFT smart contract audits. The audit process involves code review, vulnerability analysis, and an audit report that identifies and addresses potential security vulnerabilities.
| Project | Value Lost | Date |
|---|---|---|
| Lympo | $18.5M | January 2022 |
| Dego Finance | $15.4M | February 2022 |
| Bored Ape Yacht | $13M | April 2022 |
| OMNI | $1.4M | July 2022 |
| Rikkei Finance | $1.15M | April 2022 |
Marketplace Risks. When you buy and store digital artwork via a marketplace, you entrust a third party with NFT security. Malicious actors take advantage of security vulnerabilities in NFT marketplaces to steal funds or gain unauthorized access to your assets. Examples include the OpenSea low-price exploit, the Full Send Metacard phishing, and the Lympo hot wallet security breach.
Mint Exploit or Another Smart Contract Vulnerability. NFTs deployed to Ethereum follow the ERC-721 token standard, alongside the ERC-998 and ERC-875 smart contract standards. Other blockchain networks have equivalent standards: BNB Smart Chain has BEP-721, while Tron has TRC-721.
The problem with smart contracts is unintended vulnerabilities. Since contract code is public, hackers can study it carefully and exploit it to steal tokens.
Vulnerabilities are errors in high-level code written in Solidity, Vyper, or Rust. A smart contract runs in a virtual machine such as the EVM, which executes the low-level bytecode compiled from these languages. Any error in your Solidity code will result in undesired behavior of the entire contract.
Moreover, the problems don’t stop there, as contracts often call each other. A mistake in one contract can break the whole app or even third parties that rely on it. The most common issues:
Attacks exploiting these vulnerabilities often combine several vectors and involve flash loans. The reentrancy attack on the OMNI protocol did just that to steal a whopping $1.4 million. Only an NFT smart contract audit by a reputable external auditor can verify that your high-level Solidity or Rust code is free of errors.
Social Engineering Stealing Private Keys. Hackers use every trick in the social engineering book to get users’ private keys. People underestimate phishing risks, but that’s a mistake. In most cases, phishing is augmented by insufficient access control or faulty third-party apps. Users are especially vulnerable to phishing attacks around NFT airdrop announcements.
In January 2022, scammers conducted a careful social engineering attack against the CryptoBatz fanbase. They created a fake Discord server using the project’s old URL. Earlier social media posts still carried that old URL, directing users to a phishing website. Victims didn’t even realize they had given away their private keys to a scam. In another high-profile example, someone created a fake website to hijack traffic from the BAYC airdrop, tricking users into connecting their wallets to the hackers’ site.
Rug Pulls. When discussing social engineering, it’s vital to mention rug pulls. Rug pulls are prevalent: 2022 was full of scam projects, such as AniMoon, Frosties, Bored Bunny, and Big Daddy Ape Club. These scams have led to millions in stolen value. In most cases, the founders run off with users’ assets. While rug pulls are not technically hacks, they result in unintended losses, so it is worth learning how to avoid them.
Bad actors use NFTs to trick users into connecting their wallets and signing malicious transactions, giving hackers access to their funds. Malicious actors also digitize valuable artworks without the authors’ consent and sell them despite having no legal rights. The whole industry is largely unregulated, enabling anyone with evil intent to operate unchecked.
Ethereum created a non-fungible token standard with the ERC-721 proposal in 2018. Since then, NFTs have spread to other blockchain networks. Here’s the list of top blockchains:
Azuki’s Twitter Hack (January 2023): The attacker hacked a Twitter account of the popular anime NFT collection and spread the phishing link among followers. It’s the second case since April 2022 where hackers exploited poor access control to Azuki’s social media.
OMNI Real Estate Exploit (January 2023): The Omni Real Estate token deployed on BNB Smart Chain suffered an exploit of several code issues. The weaknesses related to integer overflow/underflow and improper argument validation.
n00dleswap Reentrancy (October 2022): The hacker exploited a reentrancy vulnerability in the smart contract of the DEX deployed on Ethereum.
OMNI Reentrancy (July 2022): Users lost over $1.4 million in a massive reentrancy attack on the Ethereum-based NFT finance protocol. The attacker also used a flash loan to increase their buying power.
Bored Ape Yacht Club Fake Airdrop (April 2022): One of the biggest phishing scams involving a fake airdrop. The scammer tricked victims into transferring NFTs worth $13 million.
OpenSea Low-Price Exploit (January 2022): Hackers exploited a back-end vulnerability and purchased NFTs at outdated, lower prices. They resold them for more than 300 ETH, over $700K. The old listings were still accessible through the OpenSea API.
Full Send Metacard Phishing (January 2022): Bad actors hacked the official Discord server. They spammed a scam link, wiping out a few user wallets.
LooksRare DDoS Attack (January 2022): Hours after its launch, the NFT marketplace experienced a denial-of-service attack, and users faced connection issues even after restoring the site.
Lympo Hot Wallet Security Breach (January 2022): The Sports NFT platform Lympo experienced a hot wallet data breach, losing $18.5M from 10 wallets.
Fractal Discord Hack (December 2021): A scam link was sent through the project’s Discord channel, resulting in users losing $150K in Solana tokens. Utilizing the webhook technique, hackers capitalized on Fractal’s announced NFT airdrop.
The Sevens Minting Exploit (September 2021): Going straight to Etherscan (rather than the official website), a rogue user created their own smart contract to bypass the mint limiter. The attacker minted 1,000 tokens and sold some on the OpenSea marketplace.
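The Sevens mint-limiter bypass above and the reentrancy incidents listed for OMNI and n00dleswap share one root cause, shown here in an added Solidity example (not code from this page or from any project it names): a per-wallet mint limit whose counter is updated only after `_safeMint` hands control to the recipient, next to the hardened version. It assumes OpenZeppelin Contracts v4 import paths; the contract names, symbols and constants are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Assumes OpenZeppelin Contracts v4.x is available (illustrative, not the page's code).
import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";

// VULNERABLE: the per-wallet limit is checked, but minted[msg.sender] is only
// updated after _safeMint. _safeMint calls onERC721Received() on a contract
// recipient, so a contract caller (not a plain wallet) can re-enter mint()
// from that hook while its counter still reads 0 and exceed MAX_PER_WALLET.
contract VulnerableDrop is ERC721 {
    uint256 public constant MAX_PER_WALLET = 2;
    uint256 public constant MAX_SUPPLY = 1000;
    uint256 public totalMinted;
    mapping(address => uint256) public minted;

    constructor() ERC721("VulnDrop", "VDROP") {}

    function mint() external {
        require(minted[msg.sender] < MAX_PER_WALLET, "wallet limit");
        require(totalMinted < MAX_SUPPLY, "sold out");
        uint256 tokenId = ++totalMinted;
        _safeMint(msg.sender, tokenId); // external call into the recipient
        minted[msg.sender] += 1;        // effect recorded too late
    }
}

// HARDENED: checks-effects-interactions order plus a reentrancy guard, so the
// recipient hook runs only after every counter has already been updated.
contract HardenedDrop is ERC721, ReentrancyGuard {
    uint256 public constant MAX_PER_WALLET = 2;
    uint256 public constant MAX_SUPPLY = 1000;
    uint256 public totalMinted;
    mapping(address => uint256) public minted;

    constructor() ERC721("HardDrop", "HDROP") {}

    function mint() external nonReentrant {
        require(minted[msg.sender] < MAX_PER_WALLET, "wallet limit"); // checks
        require(totalMinted < MAX_SUPPLY, "sold out");
        uint256 tokenId = ++totalMinted;                               // effects
        minted[msg.sender] += 1;
        _safeMint(msg.sender, tokenId);                                // interaction
    }
}
```

An audit would flag the first contract under the reentrancy and logic-flaw checks described later on this page; the fix is ordering, not a larger limit.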
Despite the simplicity of NFT smart contracts and the early stage of the ecosystem compared to DeFi, these non-fungible tokens based on the ERC-721 standard are not immune to security breaches.
Many hacks are attributable to user error: trying to minimize gas fees or seeking to acquire NFTs cheaply at the expense of security. However, marketplaces could have prevented many of these incidents had they audited their NFT smart contracts. Regular NFT audits can identify potential vulnerabilities and ensure that deployed NFT smart contracts function as intended. Only a security-first mindset can mitigate risks and protect users’ assets.
A smart contract audit allows a project to identify any features in the code that may enable manipulation resulting in a damaged reputation or loss of assets. An audit may also improve efficiency and performance by removing errors and optimizing code.
During the smart contract audit process, auditors test the code against denial-of-service attacks, gas limit issues, reentrancy attacks, insecure random number generation, overflows, underflows, and logic flaws. Smart contract auditors conduct an extensive vulnerability analysis, assigning each vulnerability a severity level. As a result, the final audit report is a straightforward call to action on what issues to fix.
Choose the auditor based on expertise and reputation. Consider the company’s past customers. You can view the public NFT audit reports on Hacken’s website. CER.live, CoinGecko, and CoinMarketCap recognize every audit report.
Learn the basics of securely managing your digital artwork and in-game collectibles:
NFTs can be stolen through smart contract vulnerabilities and social engineering. Vulnerabilities can enable minting NFTs without consent, while social engineering tricks can get users to transfer them to malicious addresses.
Smart contract auditors can play an important role in protecting NFTs by conducting regular security assessments and recommending improvements. To reduce the risk of NFT hacks, users must stay informed about the latest security threats and take proactive steps to secure their NFTs.