There’s hardly anyone today who hasn’t heard about NFTs. But how many of us actually understand the concept? Being a cybersecurity website, we decided to look at the security side of the so-called non-fungible tokens. Before we dive into the subject, let’s cover the basics.
What Is NFT?
Non-fungible tokens can be described as cryptographic assets on a blockchain, each carrying a unique identification code and metadata that distinguish it from every other token. This may sound like a cryptocurrency, but the difference is that NFTs cannot be exchanged one for another at equal value. Cryptocurrencies such as Bitcoin are fungible: one unit is identical to, and interchangeable with, any other unit, which is what makes them usable as a medium of exchange.
It should be noted that any easily reproduced digital file can be tied to an NFT: the token records a reference to the file (typically a URL or hash in its metadata) and designates one copy as the original. NFTs can be created from any kind of art, photography, music or video file; you can create one from nearly anything unique that has value and can be stored digitally. NFTs can be thought of as collector’s items, like a painting or an auction lot. Rather than buying a physical item, however, you are paying for the token and the on-chain record that you own the designated original.
How Does NFT Work?
Most NFTs live on the Ethereum blockchain, whose token standards let a contract store extra data per token; that extra data is what distinguishes an NFT from the coin itself. Other blockchains, such as FLOW and Bitcoin Cash, have implemented their own NFT versions, but NFTs were first launched on Ethereum.
Most importantly, NFTs matter because they solve a problem. As the Ethereum project points out, as everything becomes more digital, there is a need to replicate the properties of physical items, such as uniqueness, scarcity and proof of ownership. Furthermore, in most cases digital items only work in the context of a specific product: you can’t re-sell an iTunes MP3, right?
As the Ethereum project puts it, NFTs enable you to “assign or claim ownership of any unique piece of digital data, trackable by using Ethereum’s blockchain as a public ledger”. NFTs are minted from digital objects as a representation of digital or non-digital assets. An NFT could represent any of the following:
Real World Items:
- Deeds to a car
- Tickets to a real world event
Note. Remember that an NFT can only have one owner at a time, and ownership is managed via a unique ID and metadata that no other token can replicate.
“NFTs are minted through smart contracts that assign ownership and manage the transferability of the NFTs. When someone creates or mints an NFT, they execute code stored in smart contracts that conform to different standards, such as ERC-721. This information is added to the blockchain where the NFT is being managed,” the Ethereum project explains.
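To make the ownership rules the Ethereum project describes concrete, here is a toy model of the ERC-721 state machine written in Python. This is an added example, not Ethereum’s code or any project’s contract; the addresses and the metadata URI are made up. It shows the two points that matter for the rest of this article: a token ID can only be minted once and has exactly one owner, and the only thing standing between a token and a transfer is whether the caller is the owner, a per-token approved spender, or an operator the owner approved for all tokens (the permission a marketplace asks for, and the one a phishing site wants you to sign).

```python
"""Toy model of ERC-721 ownership rules (added example, not Ethereum's code).
Addresses are made-up strings; there is no signature checking here, the
`caller` argument simply stands for whoever holds the private key."""


class NotAuthorized(Exception):
    """The caller does not control the token it is trying to move."""


class NFTCollection:
    """One instance stands for one deployed collection contract.

    Invariant: every minted token ID maps to exactly one owner address.
    """

    def __init__(self, name: str) -> None:
        self.name = name
        self._owner: dict[int, str] = {}           # token ID -> owner
        self._token_uri: dict[int, str] = {}       # token ID -> metadata URI
        self._approved: dict[int, str] = {}        # token ID -> one approved spender
        self._operators: dict[str, set[str]] = {}  # owner -> operators for all tokens

    def mint(self, to: str, token_id: int, token_uri: str) -> None:
        """Create token_id. Minting an ID that already exists must fail."""
        if token_id in self._owner:
            raise ValueError(f"token {token_id} already exists")
        self._owner[token_id] = to
        self._token_uri[token_id] = token_uri

    def owner_of(self, token_id: int) -> str:
        return self._owner[token_id]

    def token_uri(self, token_id: int) -> str:
        return self._token_uri[token_id]

    def approve(self, caller: str, spender: str, token_id: int) -> None:
        """Let `spender` move this one token."""
        if caller != self._owner[token_id]:
            raise NotAuthorized("only the owner can approve a spender")
        self._approved[token_id] = spender

    def set_approval_for_all(self, caller: str, operator: str, approved: bool) -> None:
        """Let `operator` move every token `caller` owns, now and in future."""
        ops = self._operators.setdefault(caller, set())
        if approved:
            ops.add(operator)
        else:
            ops.discard(operator)

    def _can_move(self, caller: str, token_id: int) -> bool:
        owner = self._owner[token_id]
        return (caller == owner
                or self._approved.get(token_id) == caller
                or caller in self._operators.get(owner, set()))

    def transfer_from(self, caller: str, frm: str, to: str, token_id: int) -> None:
        if self._owner.get(token_id) != frm:
            raise ValueError("`frm` is not the current owner")
        if not self._can_move(caller, token_id):
            raise NotAuthorized(f"{caller} may not move token {token_id}")
        self._approved.pop(token_id, None)  # a per-token approval is consumed
        self._owner[token_id] = to           # exactly one owner, before and after


def demo() -> dict:
    """Mint, refuse a thief, grant a marketplace operator rights, refuse a re-mint."""
    c = NFTCollection("ExampleArt")
    c.mint("0xArtist", 1, "ipfs://made-up-cid/1.json")
    try:
        c.transfer_from("0xThief", "0xArtist", "0xThief", 1)  # no key, no approval
        stolen = True
    except NotAuthorized:
        stolen = False
    c.set_approval_for_all("0xArtist", "0xMarketplace", True)  # what a listing grants
    c.transfer_from("0xMarketplace", "0xArtist", "0xBuyer", 1)  # operator may move it
    try:
        c.mint("0xForger", 1, "ipfs://made-up-cid/fake.json")   # same ID twice
        reminted = True
    except ValueError:
        reminted = False
    return {"stolen": stolen, "reminted": reminted, "owner": c.owner_of(1)}


if __name__ == "__main__":
    print(demo())
```

Note what the model does not do: it never checks what the metadata URI points at. Anyone can mint a token in their own collection whose URI points at somebody else’s image, which is exactly the counterfeit problem discussed later in this article.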
Since NFTs are used for a variety of purposes, including digital content, gaming items, domain names, physical items, and investments and collateral, a question arises: how secure are NFTs? We address this question in the second part of the article.
NFT Security: How Secure Are NFTs?
Because non-fungible tokens have gained public attention, there has been talk about their security. After all, they are an entirely new class of digital token, which brings many benefits… as well as various concerns. Are those concerns justified?
NFTs may not be as secure as we’d like to think. Threat actors always look for ways to capitalize on trending topics, especially when the topic is a digital asset with monetary value. The growing popularity of non-fungible tokens has made them a beacon for people with malicious intentions. Long story short, the threat to the security of these tokens is real.
Nifty Gateway NFT Hack
For example, in March 2021, hackers gained unauthorized access to numerous Nifty Gateway user accounts. The attackers transferred previously purchased NFTs out of the accounts, bought new ones with the payment cards on file and transferred those out as well, then sold the tokens to other buyers on a different platform. Because Nifty Gateway held the private keys for the tokens on the platform, users could not recover them. The incident highlighted the risks and challenges of the NFT ecosystem.
NFT Marketplace Security Risks
One of the risks stemming from these tokens comes from centralized platforms. Even though NFTs are based on blockchain technology, they still rely on centralized platforms that help users interact with their digital assets. People buy and sell NFTs on platforms such as Nifty Gateway and OpenSea, and that can be a problem.
As already mentioned, such platforms often store the private keys associated with the digital assets, so a compromise of the platform directly entails loss of the NFTs. The Nifty Gateway attack illustrates how attackers can capitalize on weaknesses in the platform: even though victims could recover their money, the NFT assets themselves could not be recovered, a formidable risk, as 101 Blockchains points out.
Another, more recent incident involves the OpenSea NFT marketplace. Threat actors used the platform’s smart contract migration as a lure to deceive 17 users, who lost nearly 3 million dollars’ worth of NFTs.
Of course, NFT marketplaces do have security measures in place, but they may not be adequate for the token security issues described here. Platform users can be a liability as well, if they use weak passwords or don’t enable two-factor authentication; the absence of these protections is what turned the Nifty Gateway account takeovers into losses.
The Risk of Identity Fraud
One of the main security concerns regarding non-fungible tokens is identity fraud often associated with cryptocurrency and blockchain scams.
Here’s an example: a verified profile of artist Derek Laufman, who is the creator of the comic series RuinWorld, BOT-9 and the designer of Marvel’s Super Hero Adventures, appeared on NFT marketplace Rarible… But then it turned out it wasn’t him:
On Rarible, a site where people can purchase NFTs, a verified profile had appeared that alleged to be from him — which means that someone took the time to impersonate him all the way through the platform’s verification process. “I was basically kind of annoyed that somebody had, quote, unquote, verified me as on that platform,” Laufman says. “I dealt with having my art stolen for years. And I’m sort of numb to that. But when somebody is claiming to be you … that kind of, you know, pisses me off,” The Verge reported.
After several people reported the theft and impersonation, Rarible took the profile down. By then, however, one of Laufman’s fans had already bought an NFT…
Even though each NFT is unique, the uniqueness of the token says nothing about whether the person who minted it had any right to the artwork, so forgeries and theft of artists’ identities can’t be prevented by the token itself. In another example, scammers took advantage of the artist Qing Han, who died of cancer in 2020. In April 2021, about a year after her death, her brother reported five accounts impersonating his sister to sell NFTs of her artwork (https://www.wired.co.uk/article/nft-fraud-qinni-art).
Smart Contract Risk
Smart contracts are fundamental to the design of these tokens. However, they are also where many of the security loopholes in the existing NFT market originate. A real-world example of smart contract risk on a large scale is the attack against the DeFi cross-chain protocol Poly Network, in which threat actors stole nearly $600 million.
Poly Network, which grew out of the Neo project, moves assets between several blockchain networks. The attacker drained funds held on three of them: Ethereum, Binance Smart Chain (BSC) and Polygon.
“The assets stolen include a great number of tokens including ETH, DAI, UNI, SHIB, FEI, BUSD, BTCB, ETHB, BNB, USDT, and more. A great number of people assessed the situation on Twitter and although tedious it is estimated that more than $600 million in tokens were stolen,” Bitcoin.com reported in August 2021.
Another popular NFT project, CryptoPunks, also dealt with a smart contract vulnerability. In 2017, the original contract contained a bug that prevented the ETH from a sale from reaching the seller’s wallet. A buyer could purchase a CryptoPunk and then pull the payment back out of the contract, ending up with both the token and the money. To fix this, the project had to re-launch with an entirely new smart contract.
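The following toy marketplace, written in Python as an added example, reproduces the class of accounting bug described above: the sale price is credited to the wrong party, so the buyer receives the token and can withdraw the payment again. It is not the CryptoPunks contract source, and the faulty line is a reconstruction of the behaviour the article describes rather than a quotation of the original; the addresses and prices are made up. The same code runs in a vulnerable and a corrected configuration so the two outcomes can be compared side by side.

```python
"""Toy NFT marketplace with a pull-payment ledger (added example, not the
CryptoPunks source). `credit_seller=False` reproduces the described bug:
the buyer's payment is booked to the buyer instead of the seller."""

from collections import defaultdict


class Market:
    def __init__(self, owners: dict[int, str], credit_seller: bool) -> None:
        self.owners = owners                                  # token -> owner (NFT state)
        self.offers: dict[int, tuple[str, float]] = {}        # token -> (seller, price)
        self.pending: dict[str, float] = defaultdict(float)   # address -> withdrawable ETH
        self.credit_seller = credit_seller

    def offer_for_sale(self, caller: str, token_id: int, price: float) -> None:
        if self.owners.get(token_id) != caller:
            raise PermissionError("only the current owner can list a token")
        self.offers[token_id] = (caller, price)

    def buy(self, caller: str, token_id: int, value: float) -> None:
        """`value` is the ETH sent with the call; it is held by the contract."""
        seller, price = self.offers[token_id]      # KeyError if not for sale
        if value < price:
            raise ValueError("insufficient payment")
        if self.owners[token_id] != seller:
            raise ValueError("stale offer: seller no longer owns the token")
        del self.offers[token_id]
        self.owners[token_id] = caller             # token changes hands...
        # ...and the payment is booked for later withdrawal (pull-payment pattern).
        # Vulnerable variant: the payee is the *buyer*, so the money never reaches
        # the seller and the buyer can withdraw it back.
        payee = seller if self.credit_seller else caller
        self.pending[payee] += value

    def withdraw(self, caller: str) -> float:
        """Pay out whatever the caller is owed and zero the balance."""
        return self.pending.pop(caller, 0.0)


def simulate(credit_seller: bool) -> dict:
    """One listing and one purchase; returns who owns the token and who got paid."""
    owners = {1: "0xSeller"}                       # constructed starting state
    market = Market(owners, credit_seller)
    market.offer_for_sale("0xSeller", 1, 5.0)
    market.buy("0xBuyer", 1, 5.0)
    return {
        "owner": owners[1],
        "buyer_refund": market.withdraw("0xBuyer"),
        "seller_paid": market.withdraw("0xSeller"),
    }


if __name__ == "__main__":
    print("vulnerable:", simulate(credit_seller=False))
    print("fixed:     ", simulate(credit_seller=True))
```

In the vulnerable run the buyer ends with the token and a 5 ETH refund while the seller is owed nothing, which is the outcome the article attributes to the 2017 bug. Because deployed contract code cannot be patched in place, the only remedy was the one the project took: deploy a new contract and migrate.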
NFTs and Money Laundering Concerns
Many experts have expressed concerns that NFTs could be used to launder money in much the same way as ICOs (Initial Coin Offerings). Since NFTs involve big money (a single work by the artist Beeple sold for $69 million at auction), how can we not fear that they could be abused for illegal operations? Bad actors could exploit the scale of the NFT market to move their own assets around or to carry out various scams.
It is noteworthy that trade-based money laundering is already an issue in the art world. The term has been described as “the process of disguising the proceeds of crime and moving value through the use of trade transactions in an attempt to [legitimize] their illicit origins,” according to the definition given by the Financial Action Task Force.
How to make sure that there aren’t any money-laundering attempts in a transaction? The easiest way is to check whether the price of the transaction is in line with the fair market value of the specified item being transacted. However, the market is relatively new and volatile, meaning that it could be quite difficult to determine what a fair price should be.
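The fair-value check described above can be made somewhat robust to a volatile market by comparing each sale against the other sales of the same collection with a median-based outlier score rather than an average, and by also looking for tokens that bounce straight back to a previous holder, which is what moving one’s own assets around looks like on-chain. The script below is an added example written for this article; the sales ledger in it is constructed, not real trading data, and the thresholds are assumptions to be tuned per collection.

```python
"""Flag NFT sales that are far from the collection's going rate or that return
a token to a previous holder. Added example with constructed data."""

from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Sale:
    collection: str
    token_id: int
    seller: str
    buyer: str
    price_eth: float


# Constructed ledger: most items in "frogs" change hands for 1 to 2 ETH.
SALES = [
    Sale("frogs", 1, "0xa1", "0xb2", 1.2),
    Sale("frogs", 2, "0xc3", "0xd4", 1.5),
    Sale("frogs", 3, "0xe5", "0xf6", 1.1),
    Sale("frogs", 4, "0xa1", "0xb2", 1.8),
    Sale("frogs", 5, "0xc3", "0xe5", 1.4),
    Sale("frogs", 6, "0xaa", "0xbb", 40.0),   # ~25x the going rate
    Sale("frogs", 7, "0x11", "0x22", 1.3),
    Sale("frogs", 7, "0x22", "0x11", 1.6),    # token 7 goes straight back
]


def robust_z(price: float, comparables: list[float]) -> float:
    """Modified z-score: distance from the median in units of the median
    absolute deviation (MAD). 0.6745 scales MAD to a standard deviation for
    normal data. Unlike mean/stddev, one wild sale does not drag it around."""
    med = median(comparables)
    mad = median(abs(p - med) for p in comparables)
    if mad == 0:
        return 0.0 if price == med else float("inf")
    return 0.6745 * (price - med) / mad


def suspicious_sales(sales: list[Sale], max_z: float = 3.5) -> dict[int, list[str]]:
    """Return {index in `sales`: [reasons]} for sales worth a second look."""
    findings: dict[int, list[str]] = defaultdict(list)

    # 1. Price far outside the collection's distribution (leave-one-out).
    by_collection: dict[str, list[float]] = defaultdict(list)
    for s in sales:
        by_collection[s.collection].append(s.price_eth)
    for i, s in enumerate(sales):
        others = list(by_collection[s.collection])
        others.remove(s.price_eth)
        if len(others) >= 3:
            z = robust_z(s.price_eth, others)
            if abs(z) > max_z:
                findings[i].append(f"price {s.price_eth} ETH is {z:.1f} MADs from "
                                   f"the collection median {median(others)} ETH")

    # 2. Token returns to a wallet that previously sold it (round trip).
    past_sellers: dict[tuple[str, int], set[str]] = defaultdict(set)
    for i, s in enumerate(sales):
        key = (s.collection, s.token_id)
        if s.buyer in past_sellers[key]:
            findings[i].append(f"token {s.token_id} returned to previous holder {s.buyer}")
        past_sellers[key].add(s.seller)

    return dict(findings)


if __name__ == "__main__":
    for idx, reasons in suspicious_sales(SALES).items():
        print(SALES[idx], "->", "; ".join(reasons))
```

A flag from this script is a reason to look closer, not proof of anything: a rare trait or a celebrity buyer can legitimately produce a price far from the median, and a round trip can be a cancelled sale. The point is to have a defensible, reproducible notion of “fair market value” before deciding that a transaction is out of line.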
At the moment, there isn’t any solid proof that fraudsters are laundering money through non-fungible tokens. But the lack of proof doesn’t eliminate the possibility.
Counterfeit NFT Creation (Fake NFTs)
Another issue has been outlined in a detailed report titled Understanding Security Issues in the NFT Ecosystem. A team of researchers analyzed the security problems that NFTs bring, one of which is how easy it is to create counterfeit NFTs.
How can bad actors create fake NFTs? Here’s what the report says:
The authenticity of an NFT is endorsed by the smart contract managing the collection. Therefore, to ensure that the token one is buying is legitimate, buyers are advised to verify the contract address of the collection from official sources, e.g., the project’s web page, before making a purchase. Unfortunately, buyers are not always aware of the existence of counterfeits, or of how they can verify an NFT’s authenticity. Instead, they only rely on the names and visual appearances of items in the marketplaces. This makes it possible for malicious users to offer “fake” NFTs.
The researchers observed the following types of fakes:
- Similar collection names, or NFTs that use the name of a collection or a single piece that resembles the original one.
- Identical image URLs, or fake tokens pointing to existing assets, by copying the image_urls of legitimate NFTs.
- Similar images, or copying the digital asset and then minting an NFT that points to the copy, rather than copying the image_url.
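The report’s advice boils down to one rule, verify the contract address against an official source, plus three heuristics for spotting fakes by name and image. The Python below is an added example that turns those four points into checks that can be run over marketplace listings; it is not the researchers’ tooling. The official registry, the contract addresses and the listings are all constructed for the example, and the tiny grayscale grids stand in for the real images so the similarity check (a simple average hash) runs without any image library.

```python
"""Counterfeit-NFT checks (added example, constructed data): contract address
against an official registry, look-alike names, copied image_urls and
near-duplicate images via an average hash."""

import difflib
import unicodedata
from dataclasses import dataclass

# What the project's own web page would publish (made-up address).
OFFICIAL_CONTRACTS = {"bored frogs": "0x1111111111111111111111111111111111111111"}


@dataclass
class Listing:
    collection: str
    contract: str
    name: str
    image_url: str
    pixels: list[list[int]]   # stand-in for the image: small grayscale grid


def normalize(text: str) -> str:
    """Fold look-alike Unicode forms, drop invisible characters, lower-case."""
    folded = unicodedata.normalize("NFKC", text)
    visible = "".join(ch for ch in folded if unicodedata.category(ch) not in ("Cf", "Mn"))
    return " ".join(visible.lower().split())


def average_hash(pixels: list[list[int]]) -> int:
    """One bit per pixel: 1 if brighter than the mean. Tolerates small edits."""
    flat = [p for row in pixels for p in row]
    mean = sum(flat) / len(flat)
    bits = 0
    for p in flat:
        bits = (bits << 1) | (p > mean)
    return bits


def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


def check_listing(item: Listing, legit_items: list[Listing],
                  name_ratio: float = 0.85, max_hash_distance: int = 4) -> list[str]:
    """Return reasons to distrust `item`; empty means it passes.

    `legit_items` are tokens known to come from the official contract."""
    findings = []
    coll = normalize(item.collection)
    for official_name, official_addr in OFFICIAL_CONTRACTS.items():
        if item.contract.lower() == official_addr.lower():
            return []   # authenticity is endorsed by the managing contract
        similar = difflib.SequenceMatcher(None, coll, official_name).ratio() >= 0.8
        if official_name in coll or similar:
            findings.append(f"collection name resembles {official_name!r} "
                            f"but contract {item.contract} is not the official one")
    for legit in legit_items:
        ratio = difflib.SequenceMatcher(None, normalize(item.name), normalize(legit.name)).ratio()
        if ratio >= name_ratio:
            findings.append(f"name resembles legitimate item {legit.name!r} ({ratio:.2f})")
        if item.image_url == legit.image_url:
            findings.append("image_url identical to a legitimate item")
        elif hamming(average_hash(item.pixels), average_hash(legit.pixels)) <= max_hash_distance:
            findings.append(f"image near-duplicate of legitimate item {legit.name!r}")
    return findings


# Constructed sample data -------------------------------------------------------
CHECKER = [[10, 200, 10, 200], [200, 10, 200, 10], [10, 200, 10, 200], [200, 10, 200, 10]]
CHECKER_EDITED = [[12, 198, 10, 200], [200, 10, 199, 10], [10, 200, 10, 200], [200, 10, 200, 9]]
GRADIENT = [[0, 50, 100, 150], [0, 50, 100, 150], [0, 50, 100, 150], [0, 50, 100, 150]]

LEGIT = Listing("Bored Frogs", OFFICIAL_CONTRACTS["bored frogs"], "Frog #1",
                "https://example.invalid/frog1.png", CHECKER)
FAKE_SAME_URL = Listing("Bored Frogs", "0x2222222222222222222222222222222222222222",
                        "Frog #1", "https://example.invalid/frog1.png", CHECKER)
FAKE_COPIED_IMAGE = Listing("Bored Frogs Official", "0x3333333333333333333333333333333333333333",
                            "Frog #01", "https://example.invalid/copy.png", CHECKER_EDITED)
UNRELATED = Listing("Space Cats", "0x4444444444444444444444444444444444444444",
                    "Cat #9", "https://example.invalid/cat9.png", GRADIENT)

if __name__ == "__main__":
    for candidate in (LEGIT, FAKE_SAME_URL, FAKE_COPIED_IMAGE, UNRELATED):
        print(candidate.name, "->", check_listing(candidate, [LEGIT]) or "ok")
```

The first check is the one that matters; the other three only exist because buyers rarely perform it. A real deployment would replace the 4x4 grids with a perceptual hash of the downloaded image and would resolve `image_url` before comparing, since the same asset can be served from different URLs or an IPFS gateway.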
NFT Security Concerns: Conclusion
NFTs are indeed a new form of digital asset, combining the uniqueness of a work of art with the functionality of blockchain technology. However, despite the global hype, the risks discussed in this article shouldn’t be overlooked.
The good news is that there are alerting tools that can warn you about suspicious activity on NFT marketplaces and in your own accounts.
Here are some other helpful tips for securing your NFTs:
- Never reveal your 12-24 word seed phrase.
- Always create complex passwords and follow the general security rule by including phrases, numbers and symbols.
- Store all your passwords and phrases safely (preferably not on your computer).
- Avoid visiting suspicious sites.
- Store your long term digital assets offline.
- Consider using a VPN to hide your IP address and encrypt your internet traffic.