When a user purchases an NFT, what they actually acquire is a token ID, not the image: the token's metadata URI (tokenURI) points to the artwork, which is stored off-chain. That URI commonly resolves to a file on the InterPlanetary File System (IPFS) or to an ordinary web server, and in practice the node or server hosting the content is run by the company that sold the NFT. So if the minting company suffers a serious hack or exits the market, the user may lose access to the content the NFT refers to, and the NFT's value may drop to zero. (IPFS is content-addressed, so anyone holding a copy can re-pin the file, but only if someone does so before the original host disappears.)
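The dependency described above can be checked from a token's metadata alone. The following Python script is an added example, not code from the original article or from any NFT project: it classifies a tokenURI and the image URI in its metadata as on-chain (a data: URI), content-addressed (ipfs://, ar://, or an IPFS gateway path carrying a CID) or centralized (an ordinary HTTPS host), and lists the CIDs a buyer should pin themselves. The hosts, URIs and the sample CID in it are constructed for the demo.

```python
"""Classify where an NFT's metadata and image actually live (added example)."""
import base64
import json
import re
from urllib.parse import urlparse

# CIDv0 ("Qm" + 44 base58btc chars) or CIDv1 in base32 (multibase prefix 'b').
CID_RE = re.compile(r"^(Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{50,})$")
# A public gateway URL is still content-addressed if its path carries the CID.
GATEWAY_PATH_RE = re.compile(r"^/ipfs/([^/?#]+)")

def classify_uri(uri):
    """Return (category, content_id) for a metadata or image URI."""
    if uri.startswith("data:"):
        return "on-chain", None                      # bytes live in the contract
    if uri.startswith("ipfs://"):
        cid = uri[len("ipfs://"):].split("/", 1)[0]
        return ("content-addressed", cid) if CID_RE.match(cid) else ("malformed", None)
    if uri.startswith("ar://"):
        return "content-addressed", uri[len("ar://"):]
    parsed = urlparse(uri)
    if parsed.scheme in ("http", "https"):
        m = GATEWAY_PATH_RE.match(parsed.path)
        if m and CID_RE.match(m.group(1)):
            return "content-addressed", m.group(1)
        return "centralized", parsed.netloc          # lives or dies with this host
    return "malformed", None

def decode_data_uri_json(uri):
    """Parse the JSON carried by a (base64 or plain) data: URI."""
    header, _, payload = uri.partition(",")
    raw = base64.b64decode(payload) if header.endswith(";base64") else payload.encode()
    return json.loads(raw)

def audit_token(token_uri, metadata=None):
    """Classify every hop from tokenURI to image; pass the fetched metadata if any.

    Verdict is 'centralized' if any hop depends on a single operator's server,
    'content-addressed' if every off-chain hop can be re-pinned by anyone,
    and 'on-chain' if nothing leaves the chain. 'pin' lists CIDs to pin yourself.
    """
    hops = {"tokenURI": classify_uri(token_uri)}
    if metadata is None and token_uri.startswith("data:"):
        metadata = decode_data_uri_json(token_uri)
    if metadata and "image" in metadata:
        hops["image"] = classify_uri(metadata["image"])
    cats = {cat for cat, _ in hops.values()}
    if cats & {"centralized", "malformed"}:
        verdict = "centralized"
    elif "content-addressed" in cats:
        verdict = "content-addressed"
    else:
        verdict = "on-chain"
    return {"hops": hops, "verdict": verdict,
            "pin": sorted({cid for cat, cid in hops.values() if cat == "content-addressed"})}

# Constructed samples (not real tokens). The CID is only a value of valid form.
SAMPLE_CID = "QmYwAPJzv5CZsnA625s3Xf2nemtYgPpHdWEz79ojWnPbdG"
SAMPLE_ONCHAIN_URI = "data:application/json;base64," + base64.b64encode(json.dumps(
    {"name": "Sample #1",
     "image": "data:image/svg+xml;base64," + base64.b64encode(b"<svg/>").decode()}
).encode()).decode()
```

A "content-addressed" verdict only means the content can be re-hosted by anyone who still has a copy; it still has to be pinned somewhere, which is why the report lists the CIDs. A tokenURI such as `https://api.example-nft.io/meta/1` gets a "centralized" verdict regardless of where the image sits, because the metadata itself vanishes with that host.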
The lack of adequate identity verification on NFT marketplaces results in a high number of fake artworks being sold. If an NFT is stolen (or minted from someone else's work), the real creator has to prove ownership of the artwork. One reason the problem persists is that marketplaces do not interact with one another: there is no industry-wide database that marketplaces could use to verify identities.
Although 2021 was the year of decentralization, many users interact with NFTs through centralized platforms such as OpenSea and Nifty Gateway. Custodial platforms among them hold users' private keys on their behalf. As a result, a serious attack on such a marketplace may leave users unable to access their NFTs.
The biggest NFT security concern is the underlying smart contract. The main smart contract risks include denial-of-service (DoS) conditions, reentrancy, and front-running.
Malicious actors also use NFTs as bait to get users to connect their wallets. By signing a suspicious transaction or message in their wallet, the victim grants the attacker access to their assets, for example by approving the attacker's address to transfer their tokens. Such malicious NFTs are delivered during airdrops or similar events, when users are offered NFTs from unverified projects for doing almost nothing.
Currently, users are not fully aware of the security risks of dealing with NFTs. For example, in January 2022 scammers targeted supporters of the CryptoBatz project. The project's earlier social media posts still contained an old Discord invite URL; the scammers reused that address, set up a fake Discord server behind it, and directed users to a phishing website where they were asked to "verify" ownership of their NFTs.
Malicious actors take advantage of the fact that real-world artworks can be turned into NFTs without any consent from their authors. Although they have no legal or moral right to sell such NFTs, the largely unregulated nature of the industry means nothing prevents them from doing so.
Like other virtual assets, NFTs can be stolen. Smart contract vulnerabilities may let a malicious actor mint NFTs without the project's or marketplace's consent, and social engineering can trick users into transferring their NFTs to attacker-controlled addresses.
Attackers exploited a flaw in the OpenSea marketplace's backend: they bought NFTs at old, lower listing prices and resold them at current prices, making more than 300 ETH (over $700K). Although the old listings had been removed from the main web portal, they were still retrievable through the OpenSea API. The root cause is OpenSea's dual on-chain/off-chain design: a listing is a signed order stored off-chain, and it remains valid until it is cancelled on-chain or expires, so removing it from the website does not invalidate it. Users who relist at a new price should therefore cancel the old listing on-chain or move the NFT to a new wallet; note that moving the NFT back into the original wallet makes the old order fillable again unless it has been cancelled.
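The mechanism behind this incident is easiest to see in a model. The Python below is an added example written for this article, not OpenSea's code: it models a marketplace that stores signed sell orders off-chain and an exchange contract that checks an order's nonce, expiry, ownership and approval when anyone submits it. The names, prices, the per-seller nonce and the absence of real signatures are simplifications assumed for the model.

```python
"""Why a delisted NFT order can still be filled: a model of off-chain listings."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Order:
    """A signed sell order as stored off-chain by the marketplace backend."""
    seller: str
    token_id: int
    price_eth: float
    nonce: int      # must equal the seller's current on-chain nonce to be valid
    expiry: int     # block timestamp after which the order is void

class Exchange:
    """Minimal on-chain side: token ownership, operator approvals, nonces, fill()."""

    def __init__(self):
        self.owner_of = {}     # token_id -> address
        self.approved = set()  # addresses that approved the exchange as operator
        self.nonce = {}        # address -> current nonce (0 if never cancelled)
        self.now = 1_000       # current block timestamp

    def fill(self, order, buyer, payment_eth):
        """Validate the submitted order and, if valid, transfer the token."""
        if self.now > order.expiry:
            raise ValueError("expired")
        if self.nonce.get(order.seller, 0) != order.nonce:
            raise ValueError("cancelled: seller nonce was bumped")
        if self.owner_of.get(order.token_id) != order.seller:
            raise ValueError("seller no longer owns the token")
        if order.seller not in self.approved:
            raise ValueError("exchange not approved by seller")
        if payment_eth < order.price_eth:
            raise ValueError("underpaid")
        self.owner_of[order.token_id] = buyer
        return order.price_eth

    def cancel_all(self, seller):
        """On-chain cancellation: invalidates every order signed at the old nonce."""
        self.nonce[seller] = self.nonce.get(seller, 0) + 1

class OffChainOrderBook:
    """The marketplace backend: 'delisting' only hides an order from the website."""

    def __init__(self):
        self.orders, self.hidden = [], set()

    def list(self, order):
        self.orders.append(order)

    def delist(self, order):
        self.hidden.add(order)

    def website_listings(self, token_id):
        return [o for o in self.orders if o.token_id == token_id and o not in self.hidden]

    def api_listings(self, token_id):
        # The API serves everything it stored, hidden or not.
        return [o for o in self.orders if o.token_id == token_id]

def scenario(mitigation):
    """Seller relists token 7 at a higher price; attacker replays the old order.

    mitigation: 'none' (delist in the UI only), 'cancel' (bump nonce on-chain)
    or 'move' (transfer the token to another wallet first).
    """
    ex, book = Exchange(), OffChainOrderBook()
    ex.owner_of[7] = "seller"
    ex.approved.add("seller")
    old = Order("seller", 7, 1.0, ex.nonce.get("seller", 0), expiry=9_999)
    book.list(old)
    book.delist(old)                       # seller "removes" the 1 ETH listing
    if mitigation == "cancel":
        ex.cancel_all("seller")
    elif mitigation == "move":
        ex.owner_of[7] = "seller_wallet_2"
        ex.approved.add("seller_wallet_2")
    owner = ex.owner_of[7]
    new = Order(owner, 7, 5.0, ex.nonce.get(owner, 0), expiry=9_999)
    book.list(new)
    assert book.website_listings(7) == [new]          # the UI looks fine
    cheapest = min(book.api_listings(7), key=lambda o: o.price_eth)
    try:
        paid = ex.fill(cheapest, "attacker", payment_eth=cheapest.price_eth)
        return {"filled": True, "paid": paid, "owner": ex.owner_of[7]}
    except ValueError as err:
        return {"filled": False, "reason": str(err), "owner": ex.owner_of[7]}
```

`scenario("none")` shows the problem: the attacker finds the hidden 1 ETH order through the API and fills it at that price. `scenario("cancel")` bumps the seller's on-chain nonce, which voids every order signed under the old one. `scenario("move")` reflects the advice above: the old order fails while the token sits in another wallet, but it becomes fillable again if the token is moved back while the approval and nonce are unchanged, so an on-chain cancel remains the safer fix.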
The project's Discord server was hacked and users received a scam link. The project reacted immediately, but a few users' wallets were drained.
In January 2022, the project suffered a denial-of-service attack a few hours after its launch. Even after the site had been restored, users still had trouble connecting their wallets.
In January 2022, the sports NFT minting platform Lympo suffered a hot-wallet breach: 10 wallets were compromised and about $18.7M was lost.
In December 2021, a scam link was posted to users through the project's Discord channel, and users lost $150K in Solana tokens. The attackers exploited users' eagerness to mint, that is, to buy the project's NFTs at the moment they are created: a few hours earlier the project had announced an NFT airdrop. The fraudulent messages were posted through a Discord webhook, which suggests the webhook was not adequately secured (a webhook URL is effectively a bearer credential: anyone who obtains it can post as the server).
By bypassing the smart contract's mint limiter, one user managed to mint 1,000 NFTs. The user minted by calling the contract directly through Etherscan rather than through the official website, and deployed a contract of their own that interacted with the project's contract. That contract used an MEV bribe mechanism to secure entire blocks and get its transactions processed at extremely low fees. The user then started selling some of the minted NFTs on the OpenSea marketplace.
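How a caller contract can defeat a per-wallet mint limit is easiest to see with the contract logic modelled in code. The Python below is an added example written for this article; it is not the affected project's contract and does not claim to reproduce the incident above. It models the control flow of an ERC-721 mint: `_safeMint` hands control to a contract receiver through its `onERC721Received` hook before `mint` finishes, so a limiter that updates its counters only after that callback (the reentrancy risk listed earlier) can be re-entered. The limits, names and token IDs are assumptions of the model.

```python
"""Model of an NFT mint limiter and a caller contract that re-enters it."""

MAX_PER_WALLET = 2
MAX_SUPPLY = 10

class MintError(Exception):
    """Stands in for a Solidity revert."""

class VulnerableNFT:
    """Mint limiter whose counters are updated AFTER the receiver callback."""

    def __init__(self):
        self.owner_of = {}      # token_id -> owner
        self.minted_by = {}     # owner -> how many it minted
        self.total_minted = 0

    def _safe_mint(self, receiver, token_id):
        self.owner_of[token_id] = receiver
        # Like ERC-721 _safeMint: a contract receiver is called back before
        # control returns to mint(), so it can call mint() again (reentrancy).
        if hasattr(receiver, "on_erc721_received"):
            receiver.on_erc721_received(self, token_id)

    def mint(self, sender, quantity):
        if self.minted_by.get(sender, 0) + quantity > MAX_PER_WALLET:
            raise MintError("wallet limit")
        if self.total_minted + quantity > MAX_SUPPLY:
            raise MintError("sold out")
        for _ in range(quantity):
            self.total_minted += 1
            self._safe_mint(sender, self.total_minted)
        # BUG: the per-wallet counter is updated only after all callbacks ran.
        self.minted_by[sender] = self.minted_by.get(sender, 0) + quantity

class HardenedNFT(VulnerableNFT):
    """Checks-effects-interactions: all state updates precede the callback."""

    def mint(self, sender, quantity):
        if self.minted_by.get(sender, 0) + quantity > MAX_PER_WALLET:
            raise MintError("wallet limit")
        if self.total_minted + quantity > MAX_SUPPLY:
            raise MintError("sold out")
        self.minted_by[sender] = self.minted_by.get(sender, 0) + quantity
        first = self.total_minted + 1
        self.total_minted += quantity
        for token_id in range(first, first + quantity):
            self._safe_mint(sender, token_id)

class AttackerContract:
    """Caller contract that re-enters mint() from the ERC-721 receiver hook."""

    def __init__(self, nft):
        self.nft = nft

    def on_erc721_received(self, nft, token_id):
        try:
            nft.mint(self, MAX_PER_WALLET)   # counter not yet updated -> passes
        except MintError:
            pass                             # limit enforced or sold out: stop

    def run(self):
        """Start one legitimate-looking mint; return how many tokens we ended up with."""
        self.nft.mint(self, MAX_PER_WALLET)
        return sum(1 for owner in self.nft.owner_of.values() if owner is self)
```

Against `VulnerableNFT` the attacker ends up with 18 tokens from a "2 per wallet, 10 total" contract, because both the wallet counter and (inside the loop) the supply check are evaluated on stale state; against `HardenedNFT` every re-entrant call fails the wallet check and the attacker gets exactly 2. Some projects additionally reject callers whose `msg.sender` is a contract (a `tx.origin == msg.sender` check); that blocks this attacker but also blocks smart-contract wallets, so the ordering fix is the one an audit should insist on.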
NFT smart contracts may seem more secure than fungible-token contracts because their code is simpler and the NFT ecosystem is less complex than DeFi. Yet the hacks above were mostly the work of users looking for ways to minimize gas costs or to obtain NFTs almost for free. These incidents could have been avoided if projects had paid greater attention to auditing their smart contracts: the contracts were deployed with functionality that allowed them to be exploited, even by actors who were not malicious.
A smart contract audit lets a project identify features in the code that could be manipulated, resulting in reputational damage or loss of assets. An audit can also make the code more efficient, improving the project's performance.
During the audit of an NFT project's smart contract, auditors test the code for flaws such as denial-of-service conditions, gas limit issues, reentrancy, insecure random number generation, integer overflows and underflows, and so on. Each finding is assigned a severity level so that the project knows which issues to fix first.
When choosing a smart contract auditing provider, an NFT project should first look at the company's expertise and reputation and at the list of projects it has already audited. If many NFT projects are among the provider's clients, the project may consider commissioning an audit from it.
The results of a smart contract audit depend not only on the provider's professionalism but also on how well the project's own team understands the functionality of its code.
Apart from focusing on smart contract security, a project should run regular educational campaigns teaching users how to manage their NFTs securely. In particular, users should enable multi-factor authentication wherever possible and check the details of every NFT transaction before signing it in their wallet.
Examples of NFT audits can be found on auditing providers' websites. For example, the hacken.io website lists recent audits in its "Audits" section. You can also check whether a particular project has been audited by visiting its page on CoinMarketCap: the "Audits" section there links to the reports if the project has passed an audit by a provider recognized by CoinMarketCap.
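The advice to check a transaction before signing it, given both in the user-education paragraph above and in the earlier passage on malicious NFTs used as bait, can be automated. The Python below is an added example, not the article's or any wallet's code: it decodes the 4-byte function selector and the static ABI-encoded arguments of a transaction's data field and flags the calls a drainer relies on. The selectors are the standard ERC-721/ERC-20 ones; the two sample transactions and the addresses in them are constructed for the demo.

```python
"""Decode EVM calldata and flag calls that hand over NFTs (added example)."""

# keccak256(signature)[:4] for the standard functions an NFT drainer relies on.
SELECTORS = {
    "a22cb465": "setApprovalForAll(address,bool)",
    "095ea7b3": "approve(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
    "42842e0e": "safeTransferFrom(address,address,uint256)",
    "b88d4fde": "safeTransferFrom(address,address,uint256,bytes)",
}

def _strip0x(h):
    return h[2:] if h.startswith("0x") else h

def decode_calldata(calldata_hex):
    """Split calldata into selector + static args (address/bool/uint256)."""
    data = bytes.fromhex(_strip0x(calldata_hex))
    selector = data[:4].hex()
    sig = SELECTORS.get(selector)
    if sig is None:
        return {"selector": selector, "function": None, "args": []}
    name, rest = sig.split("(")
    args = []
    for i, typ in enumerate(rest.rstrip(")").split(",")):
        word = data[4 + 32 * i: 4 + 32 * (i + 1)]      # each static arg = 32 bytes
        if typ == "address":
            args.append("0x" + word[12:].hex())          # left-padded 20 bytes
        elif typ == "bool":
            args.append(word[-1] == 1)
        elif typ == "uint256":
            args.append(int.from_bytes(word, "big"))
        else:                                            # dynamic 'bytes': offset word
            args.append("<dynamic>")
    return {"selector": selector, "function": name, "args": args}

def assess(calldata_hex, signer):
    """Return a verdict for the transaction the given signer is asked to sign."""
    d = decode_calldata(calldata_hex)
    fn, args = d["function"], d["args"]
    if fn is None:
        return "UNKNOWN selector %s: do not sign blind" % d["selector"]
    if fn == "setApprovalForAll" and args[1]:
        return "DANGER: grants %s control over every token in this collection" % args[0]
    if fn == "approve":
        return "WARNING: approves %s to move token %d" % (args[0], args[1])
    if fn in ("transferFrom", "safeTransferFrom") and args[0] == signer.lower():
        return "WARNING: transfers token %d out of your wallet to %s" % (args[2], args[1])
    return "info: %s: review the arguments" % fn

def encode_call(selector_hex, *args):
    """ABI-encode static args; used only to build the constructed samples below."""
    out = bytes.fromhex(selector_hex)
    for a in args:
        if isinstance(a, bool):                # bool before int: bool is an int subclass
            out += (1 if a else 0).to_bytes(32, "big")
        elif isinstance(a, int):
            out += a.to_bytes(32, "big")
        else:
            out += bytes.fromhex(_strip0x(a)).rjust(32, b"\0")
    return "0x" + out.hex()

# Constructed samples: placeholder addresses, not real accounts.
VICTIM = "0x" + "11" * 20
DRAINER = "0x" + "bad0" * 10
SAMPLE_APPROVAL_TX = encode_call("a22cb465", DRAINER, True)        # "verify your wallet"
SAMPLE_TRANSFER_TX = encode_call("42842e0e", VICTIM, DRAINER, 1337)
```

The "verify your wallet" flow in the phishing cases above typically produces the first sample: a `setApprovalForAll(drainer, true)` call, which is the single signature that lets the attacker move every token in the collection later, at leisure. Off-chain signature requests (EIP-712 typed data such as marketplace listings) deserve the same scrutiny but are not calldata; a wallet has to show their typed fields in full before the user signs.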