By Mitchell Amador
NFTs exploded into the public consciousness following the artist Beeple’s iconic sale of “Everydays - The First 5000 Days” for a whopping $69 million. This NFT also had the distinction of being the first purely digital work of art ever offered by Christie’s, a major auction house.
With social media behemoths like Twitter integrating NFTs into their app and Meta building stealth apps to accelerate mainstream adoption, the integration of NFTs into everyday life seems imminent. A Google Trends analysis of the term NFT shows as much.
However, a large number of users remain totally unaware of the security concerns surrounding NFTs. Education on these concerns is more important than ever.
Here are a few attack vectors to watch out for, which are a mixture of attacks against platforms and attacks against users.
NFTs that Log your IP
Some NFTs displayed on OpenSea can log your IP address and other user agent data, such as your browser and operating system. As explained by Bax of Convex Labs, this issue is a result of OpenSea allowing NFT sellers to add an “animation_url” to the NFT’s metadata. The animation_url field supports HTML, and as demonstrated by Bax, the injected code from the data-grabbing NFT can include commonly used IP harvesting code from a site called IPlogger.org. Users can mitigate this by blocking scripts (although that will cause the NFT not to render) and by using a VPN for their internet browsing.
The flexibility of NFT metadata, which is part of why NFTs are such a fertile new artistic medium, allows arbitrary code to render the NFT in the user’s browser. This flexibility creates great risks beyond just NFTs that can log your IP.
Smart Contract Flaws
In 2017, CryptoPunks, one of the most popular NFT projects, suffered from a smart contract flaw that blocked ETH from being sent to the seller's wallet. Attackers could use this flaw to buy CryptoPunks NFTs and then withdraw the money from the contract. Due to the devastating bug, CryptoPunks had to start over and relaunch its project with a new smart contract. Unfortunately, by the time the bug had been discovered, all 10,000 CryptoPunks were in circulation.
In August 2021, whitehat samczsun discovered a vulnerability in the NFT project Hashmask. Specifically, there was a bug in the function used to mint new NFTs that would have allowed a malicious attacker to mint more than 16,384 Hashmasks. Fortunately, the bug was not exploited, and Hashmask paid samczsun a $12,500 bug bounty for his disclosure.
Another interesting case that showcases potential NFT problems is the Meebit hack from May 2021. The attacker exploited the fact that the metadata of the next Meebit to be minted was available right before minting. The attacker was able to “reroll” the Meebit mint before it occurred to get a more favorable Meebit. This shows how important random number generation (RNG) is on the blockchain, and how hard it is to get it right. Whenever projects rely on randomized bits for their NFT, it’s worth checking how they approach RNG. Using an off-chain, verifiable randomness oracle, like Chainlink’s VRF, is the right way to go.
Account Hijacking
Crypto Twitter was recently abuzz with reports of users’ wallets being drained after receiving a certain free NFT. Check Point Research, a cybersecurity firm, got in touch with the affected users and discovered a significant vulnerability in OpenSea which was being exploited by attackers to hijack a user’s account and wallet.
Here’s how it was done: Hackers created malicious NFTs and presented them to the target. After the users viewed the malicious NFT, the OpenSea storage domain triggered a pop-up window (very innocuous and common). If the victim clicked "connect wallet", the hacker obtained access to the victim's wallet.
Hackers could then steal the assets in the user's wallet by obtaining further approvals.
OpenSea quickly developed a fix after the vulnerability was disclosed. According to OpenSea, the attackers relied on users signing off on harmful transactions using third-party wallets.
In March of last year, multiple customers of Nifty Gateway, an NFT trading exchange, had their accounts stolen. Some victims claimed that hackers stole thousands of dollars' worth of digital art from their accounts, while others claimed that their accounts were hacked for no reason at all.
The accounts that were hacked, it turned out, had not enabled two-factor authentication (2FA). Enabling 2FA is crucial, and enabling 2FA via an authenticator app sidesteps SIM swapping.
But even if platforms adopt the latest security measures, a substantial risk is associated with users' failure to securely store their passwords and other sensitive data, which unscrupulous actors can use to acquire their NFTs.
To keep your passwords safe, use a password manager.
Impersonation and Permanence
The possibility of purchasing fraudulent NFTs also poses a serious danger. Malicious actors may pose as well-known creators and sell forged ownership certificates. For example, this summer, a well-known collector & NFT artist known as ‘Pranksy’ purchased a fake Banksy NFT for $300,000. Luckily, the scammer returned Pranksy’s funds. Not everyone who gets scammed in the future will be so fortunate.
Additionally, if the NFT points to an image or music file on, say, Amazon Web Services, it’s possible that the file will later be swapped for some other file, or even deleted. It is good practice for NFTs to point to resources on IPFS, a decentralized file system, so that whoever has access to a centralized server cannot easily swap them for something else. If the metadata isn’t decentralized, the NFT isn’t decentralized.
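The two metadata risks described in this article, an animation_url that can render HTML and media hosted on a server whose owner can swap it, can both be checked before a token is displayed or bought. The following Python sketch is an added example, not code from OpenSea or any project named here; the function names, the media-extension allowlist, and the sample hosts and CIDs are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Extensions treated as passive media; this allowlist is an assumption of the example.
MEDIA_SUFFIXES = (".png", ".jpg", ".jpeg", ".gif", ".webp",
                  ".mp4", ".webm", ".mp3", ".wav", ".glb")

def is_immutable_ref(uri):
    """True when the URI names content by hash (ipfs://) or embeds it (data:)."""
    return urlsplit(uri).scheme in ("ipfs", "data")

def may_run_script(uri):
    """True when the target could render as HTML/SVG rather than passive media."""
    parts = urlsplit(uri)
    if parts.scheme == "data":
        return parts.path.lower().startswith(("text/html", "image/svg+xml"))
    return not parts.path.lower().endswith(MEDIA_SUFFIXES)

def audit_metadata(meta):
    """Return a list of (field, issue) findings for one token's metadata dict."""
    findings = []
    for field in ("image", "animation_url"):
        uri = meta.get(field)
        if not uri:
            continue
        if not is_immutable_ref(uri):
            # Whoever controls this host can replace or delete the file.
            findings.append((field, "mutable-host"))
        if field == "animation_url" and may_run_script(uri):
            # Rendering this field can execute markup and contact third parties.
            findings.append((field, "active-content"))
    return findings

# Constructed sample metadata: hosts and CIDs are placeholders, not real tokens.
SAMPLES = {
    "static-ipfs": {"image": "ipfs://bafyEXAMPLECID/1.png"},
    "hosted-html": {"image": "https://assets.example.com/2.png",
                    "animation_url": "https://assets.example.com/2/index.html"},
    "ipfs-html": {"image": "ipfs://bafyEXAMPLECID/3.png",
                  "animation_url": "ipfs://bafyEXAMPLECID/3/index.html"},
    "ipfs-video": {"image": "ipfs://bafyEXAMPLECID/4.png",
                   "animation_url": "ipfs://bafyEXAMPLECID/4.mp4"},
}

if __name__ == "__main__":
    for name, meta in SAMPLES.items():
        print(name, audit_metadata(meta))
```

The "ipfs-html" sample shows that the two findings are independent: hosting on IPFS removes the swap risk, but an HTML animation_url is still active content when rendered.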
NFTs now represent a lucrative frontier for the same blackhat hackers who pose a threat to smart contracts, and it is critical for security research firms to focus on this burgeoning sector of Web3.
There’s not much you can do if a platform you use suffers a smart contract or web breach, but there are some things you can do to protect yourself as a user: use a VPN, use 2FA to protect your login credentials, store your passwords in a password manager, and be aware of possible impersonations and phishing attacks. In crypto, it’s always a good idea to be skeptical because wherever there are high-value assets, you can be sure that scammers, hackers, and other bad actors will follow.
Author’s Bio:
Mitchell Amador, CEO and Founder of Immunefi, a bug bounty and security service.