In November 2021, researchers from the University of California, Santa Barbara published the results of the first in-depth study of security issues in NFT ecosystems. It turned out that there is a lot of fraud, the trading platforms are weak, and users neglect basic security rules. This article looks at how marketplaces handle security and at the issues they and their users face.
What is an NFT?
NFT stands for non-fungible token. Unlike bitcoins, each NFT is a unique, non-fungible asset that cannot be exchanged for another NFT without a change in quality and price. When you buy a product, service, or piece of art, it does not matter which particular banknote or token changes hands; dollars, bitcoins, and other cryptocurrencies are interchangeable (fungible) tokens.
The main feature of NFTs is their uniqueness. Because the blockchain makes it easy to prove a token's authenticity, these tokens are used as a form of digital identification that guarantees the originality and authenticity of a physical or tokenized asset. In particular, an NFT can authenticate a piece of digital art or a digital collectible and identify its rightful owner and the copyright or commercial rights attached to it.
Most non-fungible tokens are minted on the Ethereum or Binance Smart Chain (BSC) blockchains, though other blockchains support them as well. The tokenized asset can be almost anything: photographs, drawings, program code, or real estate.
Figure: NFT ecosystem scheme, showing all market participants and their interactions.
How secure are NFTs?
The short answer is: not really. It is no secret that the main threat to any IT sector is motivated opportunists: people who try to steal any digital or physical asset of value, from money down to chat messages. The NFT market is only starting to grow, yet its rapid capitalization growth and popularity have already attracted many fraudsters and hackers.
For example, in March 2021 several user accounts on Nifty Gateway, a well-known NFT platform, were hacked. The hackers stole the victims' NFTs and used their bank details to buy new NFTs, which they stole as well. The money was later refunded to the users, but the NFTs were lost for good: the hackers sold them on another popular marketplace.
Another threat to NFT owners is phishing. Coinbase reported that attackers managed to steal money from more than 6000 account owners. The fraudsters used simple phishing emails that posed as notifications from the exchange about suspicious activity on the recipient's Coinbase account and advised the user to follow a link and sign in with their login and password. Anyone who did so handed the fraudsters access to their Coinbase account; the attackers then took the money and disappeared.
These two examples show that neither NFT marketplaces nor their users have any guarantee that their non-fungible tokens are 100% secure. Both parties should therefore do everything they can to keep their NFTs and wallets safe.
NFT platforms' security issues
Hardware wallet support
Modern hardware wallets usually support NFTs. However, not all marketplaces allow their clients to use these devices directly: either it is not possible at all, or the user has to go through a software wallet, which is inconvenient. The extra steps can confuse users or cause errors, so they tend to give up on this way of storing NFTs.
The solution is obvious: NFT platforms (marketplaces, video games, galleries, etc.) should support all popular hardware wallets that can store NFTs.
Smart contract transparency
Smart contracts on NFT platforms process payments and manage the non-fungible tokens, which makes them an attractive target for hackers and other malefactors. It is therefore important that these smart contracts are open source and have been checked by an independent audit.
Unfortunately, not many platforms follow this rule. For example, Sorare's smart contracts are closed source. Rarible is a hybrid: some of its smart contracts are open, others are not. OpenSea is exemplary in this respect: its contracts are public and have passed an independent audit. If you want your NFTs to be safe, trade on OpenSea.
In the real world, art objects are often just a vehicle for money laundering. NFTs make this even easier, since anonymous users can mint the tokens, and the tokens do not have the transport problems that physical artworks frequently have. Many cryptocurrency exchanges, such as Binance and Coinbase, have introduced KYC (Know Your Customer) and AML/CFT (Anti-Money Laundering / Combating the Financing of Terrorism) procedures. Yet NFT platforms have done nothing to guarantee that KYC/AML/CFT rules are followed.
Transferring ownership rights to an asset
When NFTs are traded on an online marketplace, either an intermediary transfers the ownership rights to the buyer or an escrow smart contract does. In the first case the NFTs are at risk because the intermediary might steal the money or the tokens, or a hacker can infect the intermediary's device with malware.
The escrow model also carries risks, because the safety of the money and tokens depends on the security of the escrow contract's code. Since NFT platforms often process the deal off-chain to save gas, hacking such a contract is possible. Still, escrow is on the whole a more secure way to buy and sell NFTs.
Nifty Gateway uses the escrow contract trading model, while Rarible and OpenSea use the intermediary operator model.
Decentralization of market operations
When NFT assets are listed on a platform, they are transferred to the trading platform's wallet. The platform then holds the NFTs in escrow, off the blockchain: from the moment the seller transfers their NFTs to the marketplace until the sale is completed, all transactions are invisible to the blockchain. This violates the principle of decentralization and makes buying and selling NFTs unsafe for all parties.
If you want to keep your NFTs secure, use platforms that do not have access to your private keys and do not require you to transfer the asset to their wallet (which is how Nifty Gateway works). If you are developing your own NFT platform, make sure you do not violate the decentralization principle, so that users' assets are not exposed to unnecessary threats.
Validating the entered deal data
NFT applications are the front-end parts of the system that interact with the server side and the smart contracts (the back-end). During the buying/selling process, front-end and back-end must agree on every parameter. The application or the smart contract must validate each parameter the interface receives from the user; neglecting this or implementing it poorly leads to the loss of NFTs or money.
For example, one of OpenSea's reports describes a user who wanted to gift an NFT and typed the recipient's nickname instead of their Ethereum address. Because nothing checked whether the input was valid, the NFT was sent to the wrong address or lost.
NFT metadata is what the token represents: for example, a photo file, a song, or the text of a play. The ERC-721 standard allows a token's metadata to be changed, which is a threat to the asset's security. For instance, if an NFT is a work of art, the token contains a link to the photo, video, or audio file, and the NFT creator can change the token's metadata, turning the asset into rubbish.
This can be done in two ways. The first is to change the metadata_url stored in the token; the second is to change the metadata itself, at the location the URL points to. While the first can be blocked at the smart-contract level, metadata hosted on an external domain can still be changed or deleted, and it is effortless: one only needs to buy or hack the domain.
The defence against the first is to forbid changing the metadata_url in the smart contract. The defence against the second, which partly lowers the risk, is to publish the metadata on IPFS: an IPFS URL includes the hash of the file's content, so the metadata cannot be changed without the NFT's URL changing as well.
To protect your NFTs from these threats, use platforms such as CryptoPunks, Foundation, and Nifty Gateway, whose token contracts do not allow the metadata_url to be changed. The Xie platform has some issues, since its token contracts let users change the URL. OpenSea, SuperRare, and Sorare allow the creator to change the metadata_url before the first sale. Only Foundation requires the metadata to be stored on IPFS.
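To make the IPFS argument concrete, here is an added example (not from the article or from any of the platforms named) of what content addressing gives a verifier. It uses a CIDv0-style identifier, base58 of a sha2-256 multihash over the raw bytes; real IPFS wraps a file in a UnixFS/DAG-PB node first, so the CID that `ipfs add` prints for the same bytes is different, but the property shown is the same. The metadata JSON and the placeholder image CID are constructed sample data.

```python
import hashlib
import json

_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = _B58[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out   # leading zero bytes -> '1'


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + _B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body


def cid_v0(content: bytes) -> str:
    """CIDv0-style id: base58(multihash) with multihash = 0x12 (sha2-256) 0x20 (32 bytes) digest.
    Simplification (see lead-in): the digest is over the raw bytes, not a DAG-PB node."""
    return b58encode(b"\x12\x20" + hashlib.sha256(content).digest())


def metadata_url(content: bytes) -> str:
    """The URL a minting contract would store: it commits to the content, not to a host."""
    return "ipfs://" + cid_v0(content)


def verify_metadata(url: str, fetched: bytes) -> bool:
    """Check a wallet or marketplace can run after fetching: do the bytes match the CID in the URL?
    An https:// URL carries no such commitment, so it cannot be verified at all."""
    if not url.startswith("ipfs://"):
        return False
    mh = b58decode(url[len("ipfs://"):])
    return mh[:2] == b"\x12\x20" and mh[2:] == hashlib.sha256(fetched).digest()


# Constructed sample metadata (not a real token); the image CID is a labelled placeholder.
ORIGINAL = json.dumps({"name": "Wizard #1", "image": "ipfs://IMAGE-CID-PLACEHOLDER"},
                      sort_keys=True).encode()
TAMPERED = json.dumps({"name": "Wizard #1", "image": "https://attacker.example/rubbish.png"},
                      sort_keys=True).encode()

if __name__ == "__main__":
    url = metadata_url(ORIGINAL)
    print(url)                                   # ipfs://Qm... (46-character CIDv0)
    print(verify_metadata(url, ORIGINAL))        # True
    print(verify_metadata(url, TAMPERED))        # False: swapped content no longer matches the URL
```

Note that the check only helps if the contract also forbids changing metadata_url: a creator who can rewrite the URL simply points it at the CID of the new content. The two defences in the text are complementary, not alternatives.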
Security risks for users
Creating counterfeit NFTs
Smart contracts are what prove an NFT's authenticity. Before buying an asset, we recommend verifying the collection's contract address against official sources, such as the project's website. Unfortunately, users rarely do this because they do not know it is possible; instead they go by the names and appearance of the lots on the marketplace, which lets a malefactor offer fake NFTs.
Fraudsters usually use the following schemes:
- Similar collection names. There are plenty of fake NFTs that use an identical presentation of a collection or of an individual NFT. The trick is to replace ASCII characters in the original name with non-ASCII characters that merely look similar, for example the Latin 'C' with the Cyrillic 'С', and nobody will notice the difference.
OpenSea restricts the use of popular collection names and certain special characters to limit this kind of cheating. However, the restriction is easy to circumvent by adding a period (.) at the end of the name or by replacing an uppercase character with a lowercase one, turning CryptoWizards into Cryptowizards, for example.
There is no easy way to protect yourself from this kind of fraud, since at present there is almost no way to verify who is listing tokens and where, unless it is a celebrity or a well-known token. The best protection would probably be a reputation system and vendor verification mechanisms (a KYC procedure).
- Identical image URLs. Some fake NFTs copy the image_url of existing NFT assets. For example, a fraudster can deploy a smart contract and mint tokens copying a popular collection such as CryptoPunks. A customer who only looks at the appearance and does not check authenticity may take these NFTs for the real ones.
Currently, no platform performs asset similarity checks to determine whether a media file has already been used in other NFTs, so users have to do such verification themselves, through Google or other content-similarity tools.
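The two schemes above (look-alike names and reused image URLs) are exactly what a marketplace could screen for at listing time, going slightly beyond the name-only restriction the text describes. The following is an added example, not code from OpenSea or from the study; the registry of protected collections, its contract addresses, and the confusable-character table are constructed for illustration (the complete table is Unicode's confusables.txt, which the standard library does not ship).

```python
import unicodedata

# Constructed registry of established collections (sample data, not real marketplace records).
PROTECTED = {
    "CryptoWizards": {"contract": "0x" + "11" * 20,
                      "image_urls": {"https://cdn.example/wizards/1.png"}},
    "CryptoPunks": {"contract": "0x" + "22" * 20,
                    "image_urls": {"https://cdn.example/punks/1.png"}},
}

# Hand-picked subset of Unicode look-alikes: Cyrillic and Greek letters that render like Latin.
CONFUSABLES = {
    "\u0410": "A", "\u0412": "B", "\u0421": "C", "\u0415": "E", "\u041d": "H", "\u041a": "K",
    "\u041c": "M", "\u041e": "O", "\u0420": "P", "\u0422": "T", "\u0425": "X",
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0445": "x",
    "\u0443": "y", "\u0391": "A", "\u0392": "B", "\u0395": "E", "\u0397": "H", "\u0399": "I",
    "\u039a": "K", "\u039c": "M", "\u039d": "N", "\u039f": "O", "\u03a1": "P", "\u03a4": "T",
    "\u03a7": "X", "\u03bf": "o",
}


def skeleton(name: str) -> str:
    """Reduce a name to a comparison key: compatibility-decompose (fullwidth letters, ligatures),
    drop accents, map look-alikes to Latin, casefold, and strip trailing '.'/'-'/'_'/space tricks."""
    s = unicodedata.normalize("NFKD", name)
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    return s.casefold().rstrip(" .-_")


def scripts_in(name: str) -> set:
    """Unicode scripts of the letters in a name, taken from the first word of each character name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in name if ch.isalpha()}


def screen_listing(name: str, contract: str, image_url: str, registry: dict = PROTECTED) -> list:
    """Return the reasons a new listing should be held for manual review (empty list = clean)."""
    flags = []
    key = skeleton(name)
    for known, info in registry.items():
        if contract.lower() == info["contract"].lower():
            continue  # the genuine collection re-listing its own items
        if key == skeleton(known):
            flags.append(f"name {name!r} impersonates {known!r}")
        if image_url in info["image_urls"]:
            flags.append(f"image_url already used by {known!r}")
    if len(scripts_in(name)) > 1:
        flags.append("mixed scripts in name")
    return flags


if __name__ == "__main__":
    for listing in [("Cryptowizards.", "0x" + "ab" * 20, "https://cdn.example/other.png"),
                    ("\u0421ryptoWizards", "0x" + "ab" * 20, "https://cdn.example/punks/1.png"),
                    ("CryptoWizards", "0x" + "11" * 20, "https://cdn.example/wizards/1.png")]:
        print(listing[0], "->", screen_listing(*listing) or "clean")
```

The comparison key is what defeats the trailing-period and case tricks; the confusable map and the mixed-script check are what catch the Cyrillic 'С'. Matching on contract address rather than on name is what keeps the real collection from being flagged against itself.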
Social engineering (phishing)
Social engineering is the common name for psychological manipulation that makes a user perform specific actions or reveal private information. Put simply, these are tricks that let fraudsters get money, passwords, bank card details, secrets, and other information about people without hacking their computer or smartphone. Unlike a conventional scam, social engineering requires many steps and preparation.
As mentioned above, fraudsters sent fake emails pretending to come from the Coinbase support team in order to obtain users' login data. This is probably the most common type of phishing: the fraudster prepares an email and a website or application the email leads to, which captures the user's login and password.
There are other variants. Fraudsters often create fake applications that imitate popular wallets, exchanges, and marketplaces, and these counterfeit apps frequently pass the checks of Google Play and the App Store.
Another type of phishing leads the victim to install software with a virus or keylogger inside. Usually the scammer contacts the victim via a social network or messenger and somehow convinces them to download and extract a password-protected ZIP file from Google Drive. The password protection ensures that Google Drive's virus scanning cannot inspect the contents of the archive; the scammer gives the password directly during the conversation, e.g. on Twitter.
Once the victim has extracted the file and launched the malicious installer, the malicious code infects the system. When the victim later opens, for example, a MetaMask wallet, the scammer can intercept their username and password. Together with the seed phrase (stored on the computer by the browser extension), this lets the hacker(s) steal all of the user's tokens. If the wallet is linked to a bank card, that money will be stolen as well.
- Similar images. Another way to create a fake NFT is to copy a digital asset (photo, video, audio) and then mint an NFT that points to the copy. This type of fraud is widespread on the NFT market because it is simple and accessible: many platforms allow tokens to be minted for free.
How can the users protect their NFTs?
Employ two-factor authentication
The most important thing users can do to protect their NFTs is to use multi-factor authentication (MFA). Statistics show that hackers and fraudsters mostly steal from users who do not have it enabled. For example, on Nifty Gateway only users who had not enabled MFA were hacked, and the same was true of the victims of the Coinbase phishing emails.
Use a complicated, long password
Do not underestimate the benefits of a strong password, especially combined with MFA. Your password should be sufficiently long and complex and not reused on other accounts. Best of all is a random string of digits, letters, and symbols generated by a program, such as the generator Google Chrome offers when you sign up somewhere.
Store the backup phrase in a safe place
First, never store your wallet's seed (backup) phrase digitally: do not photograph it with your smartphone, type it into a text file, or save it to your hard drive. Do not keep it in a password manager either. Any of these can be hacked or compromised, and you will lose your NFTs.