NFTs and Security — Are We Paying Enough Attention?
Lucrative items of value that end up trending, such as non-fungible tokens (NFTs), all too often attract cybercriminals who seek to cut corners to make ill-gotten fast cash.
However, the hype around new, emerging tech often obscures some of its safety issues. When it comes to NFTs, users have already started seeing some fallout from inadequate protection or missed vulbrabilities.
A quick refresher for the uninitiated
NFTs are cryptographic tokens which bear a unique kind of watermark of ownership.
The NFT represents something unique and exclusive that is non-replaceable. Blockchain technology verifies the NFT.
On a larger scale, NFTs exist in many different forms and can allow artists to earn royalties in future sales continuously and can also exist as part of the work itself. This helps to eliminate the possibility of plagiarism. In turn, it allows the value of the art to endure. However, anything thought to hold value can be an NFT.
- Examples of NFTs include, Beeple’s digital artwork which sold the most expensive NFT to date for $69 million. Earlier this year the musician Grimes sold a 50-second video to a bidder at $388,938.00
A basis in value
While pirates may still duplicate the art, the endeavor would be fruitless since it would exist without any value. While only the original digitally signed artwork retains its value.
NFTs are essentially used to create a scarcity that is verifiable on the blockchain. The blockchain is an encrypted security ledger that is designed to prevent the possibility of fabrication, not theft or fraud.
If somebody manages to steal NFT and sells it on the NFT market, the blockchain carries out its purpose faithfully, which simply is to record the transaction in its public ledger.
How threat actors are heisting NFTs
Imagine that you are a prolific digital artist that has created an abundance of highly anticipated newly minted digital cyberpunk posters in jpeg format, which you are for sale on a trusted NFT website.
Your pieces are worth a lot of money. After all, you are a popular artist with a unique style. Selling just one of your posters will pay ultimately pay your bills off for months to come, even years.
Then one day, you stumble upon your own work on some other NFT auction platform you don’t even feature your artwork on.
Digital files are replicable without diminishing their quality. This is the counterfeiting stage. After a copy is made, what’s to stop a scammer from posing as the owner?
The scammer then forges the NFT created by crypto artists. This allows them to gain ownership of the stolen item. A tactic that is known as sleep minting.
The next phase of the heist involves the scammer minting the NFT’s in the artists’ wallets. This essentially transfers ownership of the item from the original author to the scammer, unbeknownst to the artist.
This NFT counterfeiting tactic is possible because of an anatomical defect in smart contracts. These can cause transactions to appear genuine on the blockchain as though the artist had made them. Albeit without the artists’ knowledge.
A simulation proves the vulnrability
This attack vector was simulated in a real-life scenario by an individual who operates under the pseudonym Monsieur Personne, “Mr. Nobody.” They also go by the moniker The Banksy of NFTs.
They made it their mission to demonstrate the security flaws in the architecture of NFT’s. To drive the point home, earlier this year, Monsieur Personne purportedly made the second edition of the famed Beeple piece.
Having no ill intent toward the artist himself or the NFT market, Monsieur Personne says they gave the counterfeit NFT to a user.
The user offered it for sale on Rarible and Opensea, which are two of the biggest NFT markets. The platforms then proceeded to block the illicit transaction. This illuminated possible security holes and how to avoid them.
A spokesperson from and CXIP Labs, an NFT certification platfrom, told BeInCrypto that NFT vulnerabilities are predominantly created during minting.
“Many marketplaces are minting improperly and without any standards or safeguards. Loopholes are created, causing smart contracts to become exploited in various ways. If the theft is anonymous, it can be difficult [to recover it], and most marketplaces have been reluctant to intervene because they are afraid of backlash for behaving too ‘centralized,’”they say.
Speaking about whether stolen NFTs could be recovered by law enforcement, they add:
“This is likely being discussed, but marketplaces and participants would probably have to cooperate with authorities in order for it to work. We might see these investigations happen in the future.”
Is there a glitch in the NFT matrix?
According to Malwarebytes Labs the flaws in the system are three-fold.
It is possible to make copies of more than one NFT from the same art piece in the same way, any jpeg file can be duplicated. This, however, establishes abstracted chains of ownership for the same art piece.
Furthermore, if an NFT hasn’t been established for the art piece, creating one for it does not necessitate the original owner to be the actual owner of the piece. This is how abstract chains of ownership are made.
Lastly, the references defining the initial art piece are hinged on the dependency of URL addresses susceptible to vulnerabilities. Realistically, the host for the URL could change, or discontinue their hosting, or be susceptible to cyberattacks, causing the item to disappear.
In essence, the only sure way a ledger can be reliable to give a factual record of true ownership is by establishing one fundamental record that analyzes the transaction made directly between the original owner of the art and the creator. Thus, confirming whether the first owner actual purchased the artwork from the artist.
Creating a new ledger should also check for duplicate registrations for the same NFT artwork to ensure a duplicate isn’t being created. There needs to be a more prudent definition of digital files.
Therefore, considering the circumstances that may unfold from merely hosting them on the internet. The URLs themselves should be recorded in the blockchain to help protect them and not only the digital file they are directing to.
Another attack vector — hacking NFTs
Users in possession of NFTs have become an additional attack option. Already threat actors have broken directly into accounts on Nifty Gateway and made off with their NFT’s artwork worth thousands of dollars. Afterwards, selling them on Discord and Twitter.
Users of these accounts weren’t utilizing two-factor authentication (2FA). However, Nifty Gateway said the platform itself had no breach.
CXIP Labs says that both creators and collectors should pay careful attention to how their NFTs are being minted. This way the can to protect them from theft.
While NFTs may be struggling with some safety issues, like many new technological innovations these will only improve with time.
Back to the list