Non-fungible tokens (NFTs) are virtual assets tracked on a blockchain, and each one is unique. The value of NFTs is determined by their attributes, special traits, minting number, and market demand.
The key characteristics of a non-fungible token are:
NFTs can represent a painting, football player, meme, emoji, and, generally, whatever you want. Non-fungible tokens constitute the rapidly growing technology that can promote further tokenization of the economy.
Creating NFTs does not require any special background, so anyone can do it, especially individuals who have experience using cryptocurrencies.
The first step in creating non-fungible tokens is deciding on a blockchain network. Although Ethereum remains the most popular blockchain nowadays, the list of other blockchains supporting NFTs includes Polkadot, Tron, Cosmos, etc. Before choosing a blockchain network, a project should realize that certain exchanges and wallets operate only on specified blockchains.
Such platforms as Rarible, Opensea, and Mintable enable creators to launch their NFTs. Creators need to connect their crypto wallets to these platforms to start using them. After uploading and signing their pieces of art via the crypto wallet, these non-fungible tokens become listed on a platform.
Purchasing NFTs is not a complex transaction. The list of popular platforms selling non-fungible tokens includes OpenSea, Rarible, Mintable, SuperRare, Foundation, etc. You need to have some cryptocurrency assets (the amount is specified by the platform you choose) in your wallet. Then choose the NFT you want to receive. Note that you will need to pay a gas fee, the amount of which depends on the network load at that moment.
The growing popularity of NFTs has promoted active discussions regarding NFT security. Since it is a novel technology, the level of NFT safety is not high enough to guarantee the absolute security of investors’ assets.
One of the main NFT risks threatening investors and projects is scams. Malicious actors impersonate popular platforms, exchanges, or wallets to steal users’ private data required to get access to their virtual assets and thereby affect NFT security.
A significant NFT risk is related to the possible purchase of fake non-fungible tokens. Malicious actors may impersonate well-known creators and sell fake certificates of ownership. For example, this Summer, a collector known as Pranksy purchased a fake Banksy NFT for 244,000 GBP. Thus, a serious NFT vulnerability is attributable to NFT trading. Artists do not even know that their works are sold without their consent. The fact that anyone can tokenize content created by other people makes the question “Are NFTs safe” so relevant for the global blockchain community.
NFT security heavily depends on the ability of centralized platforms to protect the private keys of all assets stored on them. Even when platforms apply the most advanced security measures, a serious NFT risk remains: users may fail to securely store their passwords and other private data, and malicious actors who gain access to this data can steal their non-fungible tokens.
In some cases, NFTs purchased by individual art lovers may become inaccessible. When a user purchases an NFT, he actually gets a reference to the file where the artwork is stored. The artwork itself is not recorded on the blockchain; it can be stored anywhere. NFT platforms may decide to shut down whenever they want. As a result, a user cannot display his file although it still exists.
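One way to check where a token's reference actually points before buying, as an added Python example that is not part of the original article. It assumes the reference is the metadata URI a token exposes (for ERC-721, the `tokenURI` value); the function names, category labels and sample URIs are constructed for illustration.

```python
from urllib.parse import urlparse

def storage_class(uri):
    """Classify the storage behind a token's metadata or artwork reference."""
    parsed = urlparse(uri.strip())
    scheme = parsed.scheme.lower()
    if scheme == "data":
        return "inline"          # content is embedded in the URI itself
    if scheme in ("ipfs", "ar"):
        return "decentralized"   # IPFS or Arweave, no single hosting company
    if scheme in ("http", "https"):
        if parsed.path.startswith("/ipfs/"):
            return "gateway"     # IPFS content, but fetched through one web gateway
        return "single-host"     # disappears if this one server is shut down
    return "unknown"

def single_host_dependent(uris):
    """Return the references that stop resolving if one web host goes away."""
    return [u for u in uris if storage_class(u) in ("single-host", "gateway")]

# Constructed sample references (not real tokens).
SAMPLES = [
    "https://nft-platform.example/api/metadata/1234",
    "ipfs://ExampleCidPlaceholder/1234.json",
    "https://gateway.example/ipfs/ExampleCidPlaceholder/1234.json",
    "data:application/json;base64,e30=",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{storage_class(uri):14} {uri}")
```

A "gateway" result means the content can usually still be fetched from another IPFS gateway, while a "single-host" result is the case the paragraph above warns about.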
NFT security also depends on the ability of users to apply critical thinking. Malicious actors like organizing so-called giveaways offering users NFTs for free. However, to participate in these giveaways, users need to send a specified amount of cryptocurrency. Of course, in most cases, users do not get any NFTs.
Are NFTs safe? The underregulated industry environment makes users the only parties responsible for NFT security.
A serious NFT risk has a legal nature and may be referred to as the IP (intellectual property) problem. Traditional law governing intellectual property issues is not applicable to decentralized blockchain. Before buying an NFT, it is reasonable to identify whether its seller actually owns it. In some cases, malicious actors can sell photos of NFTs or mint NFT replicas. As a result, a user simply buys the right to use these NFTs rather than obtaining the intellectual property rights.
Data protection laws allow individuals “the right to be forgotten” and the right to rectify inaccuracies in their personal data. However, under blockchain technology and its immutable nature, a data controller cannot ensure the realization of this right.
Although non-fungible tokens are unregulated today, in case they exhibit the attributes of regulated investments, their owners may be subject to national and international obligations. The issuer has to prove that his virtual assets have a non-fungibility nature since otherwise, these assets may be treated as tokens or cryptocurrency and, as a result, financial regulations may be applied.
Issuers of NFTs may cooperate with an external technology provider to mint non-fungible tokens. The minting agreement concluded between these two parties has to outline providers’ responsibilities and assurance of the protection of IP rights and private data.
Thus, the breakthrough nature of NFTs is a key reason behind a high level of legal NFT security risks.
Smart contracts are used in NFTs to detail limitations on the circulation of these virtual assets and develop trust between parties involved in the trade of NFTs. When certain conditions are met, the specified actions occur.
There is a high level of smart contract NFT security risks in the market. In case the rights governing ownership are not clearly outlined in smart contracts, an NFT seller can lose his assets.
When projects fail to apply adequate smart contract security measures and do not pass regular audits, hackers can successfully exploit even minor vulnerabilities to steal assets. The attacks on smart contracts in the NFT world have intensified significantly over the last few months.
One of the main NFT security risks related to the exploitation of smart contracts is reentrancy attacks. This type of attack targets the fallback function of Ethereum contracts. Fallback functions handle transactions that cannot be completed by other functions, such as the ones with no supplementary data.
The attack begins with the mapping of some Ethereum-based balance to the hacker’s smart contract. Then the hacker uses the fallback function of their smart contract to call the “withdraw” command of the targeted smart contract. When the targeted smart contract carries out the transfer before the balance is readjusted, the targeted smart contract can be depleted, since the hacker can repeat the “withdraw” command multiple times. The victim of reentrancy attacks is a seller of NFTs.
Reentrancy attacks are mostly caused by the exploitation of the function execution order in smart contracts. Thus, any vulnerability in smart contracts may cause a serious NFT risk.
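The execution-order problem described above, modelled in Python as an added example (not code from the original article or from any real contract). The `Vault` class, the `seller` and `caller` accounts and the amounts are constructed; the model compares a withdraw that transfers before readjusting the balance with one that readjusts the balance first.

```python
class Vault:
    """Toy ledger standing in for the targeted contract (hypothetical names)."""

    def __init__(self, effects_first):
        self.effects_first = effects_first  # True: balance is updated before the transfer
        self.balances = {}
        self.pool = 0                       # total funds the vault holds for everyone

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pool += amount

    def withdraw(self, who, receive):
        amount = self.balances.get(who, 0)
        if amount == 0 or self.pool < amount:
            return
        if self.effects_first:
            self.balances[who] = 0          # hardened: readjust the balance first
            self.pool -= amount
            receive(amount)                 # external code runs last
        else:
            self.pool -= amount
            receive(amount)                 # external code runs while the balance is stale
            self.balances[who] = 0          # vulnerable: readjusted too late

def run(effects_first):
    """Return (amount paid to the caller, funds left in the vault)."""
    vault = Vault(effects_first)
    vault.deposit("seller", 90)             # constructed amounts
    vault.deposit("caller", 10)
    received = []

    def on_receive(amount):
        # Models the recipient's fallback function calling withdraw again.
        received.append(amount)
        vault.withdraw("caller", on_receive)

    vault.withdraw("caller", on_receive)
    return sum(received), vault.pool

if __name__ == "__main__":
    print("transfer before update:", run(False))
    print("update before transfer:", run(True))
```

With the balance readjusted before the transfer, the nested call sees a zero balance and returns, so the seller's 90 units stay in the vault.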
Since NFTs are virtual assets, users need to follow cybersecurity recommendations similar to the ones applicable to cryptocurrencies. Users should apply multi-factor authentication wherever they can. A large number of recent hacks in the world of blockchain have been attributable to hot wallets. That is why users should try to store their long-term virtual assets, especially large holdings, on cold (hardware) wallets that have no connection to the cloud and, thus, are not subject to cloud cybersecurity risks.
Since a significant NFT risk is associated with scams and phishing messages, users and investors should always double-check whether the information they get comes from official sources. In case users are not sure whether they communicate with the official representatives of a project, it is necessary to reach the project’s team through other official channels. NFT security heavily depends on the users’ ability to verify every piece of information they get.
Many NFT projects have built communities uniting many thousands or even more users in communication channels. However, these channels have become lucrative places for scammers who send links, images, or ads containing malicious code or other harmful content. So, users should avoid clicking on suspicious content submitted by strangers.
Users can lose their NFTs if hackers steal their passwords or seed phrases. The safest way to store this confidential information is to use password managers or specialized applications such as hPass, a functional and secure storage for seed phrases, passwords, private keys, and other private data.
For NFT safety purposes, it may also be reasonable for users to use VPN services to encrypt their Internet traffic and hide IP addresses to secure all activities related to buying, selling, and managing non-fungible tokens. An example of a VPN service that has proven its efficiency for users conducting activities involving cryptocurrencies is hVPN, the VPN service trusted by white-hat hackers.
In the context of NFT security, it is reasonable to mention the recently launched project OneArt (initially called ArtWallet) that strives to become a leading NFT&Metaspace ecosystem. This project is developing a multi-chain wallet with a special focus on security. The use of specialized solutions for storing NFTs may allow art lovers who are passionate about blockchain technologies to be sure of the security of their masterpieces since such solutions apply the best practices and expertise of recognized security experts when introducing protection measures to prevent malicious actors from stealing users’ NFTs.
Overall, the NFT market players should not underestimate the value of cybersecurity in this new industry.
Although NFTs, like cryptocurrencies, are referred to as virtual assets, there is a clear difference between them. The main distinctive feature of NFTs compared to cryptocurrencies is that they have a unique nature and cannot be replaced or traded with one another. Unlike cryptocurrencies, NFTs do not necessarily have monetary value (innate value). NFTs cannot be divided into sub-tokens (they are indivisible). The concept behind NFTs provides for the possibility of fractional ownership, but the asset nevertheless remains intact.
Generally, although NFTs differ from cryptocurrencies, they are also subject to serious security risks, the scope of which is likely to keep growing in the future due to the rising popularity of these virtual assets.