Non-fungible tokens are one of the newest and most popular applications of Web3 technology. Over the last couple of years, numerous collections have sold out within minutes and some of the most famous – like CryptoPunks and Bored Apes – traded hands for millions of dollars. NFTs are digital tokens that exist on a blockchain with an identifier that makes them immutable and unique at the same time. This relatively simple concept allows for various implementations that have the potential to impact various industries. While many people associate NFTs with their use as collectible JPEGs, there have been significant efforts to expand their usage to other areas.
The fact that each NFT is unique and cannot be deleted or modified enables a wide range of applications, some of which may not be immediately intuitive.
The key benefit of NFTs is right there in their name: non-fungible. This is another way to say unique, or unable to be reproduced. Since all the information related to an NFT is stored on a blockchain, this information can be publicly accessed and immediately verified. These exact properties are invaluable when applied to use cases such as certificates and ticketing, which help to eliminate counterfeits since the origin and exact original copy can be traced.
Another interesting application is the use of NFTs as “soul tokens” which represent the digital identity of a person. Since every person is completely unique, the use of a non-transferable NFT can be used as a Web3 digital identifier, almost like a digital passport.
The fact that NFTs are often minted as a part of a collection also finds application in fractional real estate investments, which allows users to invest in fractional shares of real estate without having to purchase the entire asset. Collectively, these shares represent the entire stake in a piece of property, like a Real Estate Investment Trust (REIT).
Even with all their promise and potential, it is still important that the community and projects be aware of the risks that are associated with working with NFTs.
With the growth of the NFT market, the sector is becoming an increasingly attractive target for hackers and bad actors. We’ve seen a number of examples of well-known celebrities shilling disreputable projects, while scammers are working hard to apply social engineering techniques to compromise the users’ private keys.
Phishing is a type of attack that tricks a person into revealing sensitive information via fraudulent messages. Attackers send fraudulent messages to target users trying to get the private key or cheat them into signing a malicious transaction, thus stealing their funds. Those attacks are more related to secure operations and preventable with good security awareness. Platforms ranging from Twitter, Telegram, Reddit, and Discord all have active communities related to NFTs. Phishing has become one of the most common ways scammers get their hands on NFTs. Phishing occurs when a malicious attacker sets up a lure in the form of a fake website or contract to collect valuable user data or steal user funds. These phishing attacks often target users who are new to the space and aren’t fully aware of the various attack vectors.
On December 21, 2021, the Discord group of Monkey Kingdom was hacked and users reported that their wallets had been drained. Around $1.3 million worth of SOL was lost in the attack. Upon investigation, it appears that the official admin account was compromised and deployed bots into the Discord channels that sent bogus links to users claiming to grant user access to a limited edition mint. Unsuspecting users connected their wallets to get access to the free mint but instead had their wallets drained.
On June 5, 2022, the famous project Bored Apes Yacht Club, also referred to as BAYC, announced a hack resulting in the loss of around $350,000 worth of NFTs. The community manager’s account was hacked and the attacker posted fake links to a mint on the official BAYC and related project Otherside’s Discord channels. Yoshi Labs, the team behind the project, took swift action and made a patch to resolve the issue.
As with many things on the internet, great caution must be taken when clicking on unknown links in various social media channels. Users should exercise caution and conduct proper due diligence before clicking on links that offer so-called limited edition mints or rare NFTs. It is important to review the information and access that a user is providing in order to claim the offer. If the offer requires the user signs off on unknown transactions or to provide access to sensitive account functions, these may be considered red flags. It may be prudent to check with various trusted parties to make sure an opportunity is legitimate.
Rugpulls, also called exit scams, are exploits where the owners create new NFT projects with no intention of delivering on the promises they make. Instead, they wait until the project has attracted enough liquidity for them to dump their holdings on the market and walk away. When the exploits occur at the level of the project’s team, it might sometimes be more difficult to discern the authenticity of the project due to a lack of information, especially with new projects. It is important for potential investors to thoroughly review the project and take a look at the project wallet transaction history to see if transactions seem legitimate. It can also help to speak to other members of the community on various social media channels to try to identify the authenticity of the project. CertiK’s KYC process can help protect influencers and users from associating with high-risk NFT projects.
As with cryptocurrencies, NFTs are held in a wallet which is secured and managed by a private key. Losing control of one’s private keys will result in the potential loss of all the assets the wallet contains, including NFTs. Your assets are only as secure as your private key is.
In an unfortunate case of “not your keys, not your crypto”, the NFT exchange Nifty Gateway was hacked in March 2021. The hackers stole user passwords and gained access to their accounts. An analysis showed that none of the affected users had two-factor authentication activated.
Holding NFTs and other crypto assets in cold storage provides the best user protection, since hot wallets that are constantly connected to the internet will always have a risk of being exploited. If hot wallets need to be used, be sure to have some sort of multi-factor authentication activated for better security.
There is also the security of the smart contracts to consider. The security of the smart contract relies on its implementation and necessary validations/restrictions included in the code. Therefore, the correctness of the smart contract implementation directly affects the safety of the project.
When there are any vulnerabilities in the smart contract code, hackers will be able to exploit them and profit at the expense of the project and its users. Audits can help in this area to review the code and its implementation to ensure that security measures are sufficient to safeguard the funds and ensure the viability of the project.
The first version of CryptoPunks – one of the oldest and most valuable NFT collections – was hacked early in 2017. The vulnerability allowed NFTs to be sold without the user having to make any payment for the purchase of the NFT. The code was written in a way that prevented the seller from withdrawing the proceeds from the sale of an NFT. Instead, it was the buyer who would be able to withdraw these funds. This meant that a buyer could purchase an NFT and then subsequently withdraw the funds sent to the contract for the purchase of the NFT, therefore essentially minting NFTs for free. To fix the issue, the creators of the project, LarvaLabs, relaunched the project with the fix implemented in a new set of NFT contracts.
Best practice for smart contract developers is to have a review system in place and test code to ensure that all bugs are found and resolved. Rigorous testing should be used to test all different scenarios and especially when various contracts are integrated together. In general, developers should make use of battle-tested libraries and frameworks to reduce the bugs that might result from having untested custom code implementations. Auditing is an essential step for all smart contract projects. Expert code review can pick up on errors missed by developers, while building trust with the project’s community.
Keep an eye out for Part Two of this short series on NFT security, which will go into detail on some of the most common smart contract risks.