Ever since the first NFT project was introduced in 2015, non-fungible tokens have taken the world by storm. Businesses and consumers worldwide have been especially impressed by the big price-tag sales that sometimes rose to millions. Unfortunately, the market caught the attention of hackers. The speedy growth of NFTs’ popularity opened a new avenue for fraudsters. The digital age we live in today imposes us to discover creative and new ways of exchanging currency, but it is imperative to become aware of the security risks associated with those new ways and find practical tools to mitigate any risks in the long term. Today, we will give a precise explanation of what NFTs are, what safety risks a digital token owner may face, and what NFT protection tips one should implement.
NFT Ecosystem: Digital Token Definition and Explanation
NFTs are not interchangeable tokens equivalent to ownership certificates representing the user’s asset. Most of them today are introduced as avatar pictures. Buying digital assets, users put them on social media to prove their ownership of the assets and boost their sociability. Furthermore, the evolution of the NFT market has made it possible to cover physical assets with digital ones, like real estate projects, artworks, etc. The value of such an asset is usually estimated by its minting number, overall supply, the community behind it, and the presence of any special traits (stated in the Description section of the token). The record of the token’s ownership is stored on the blockchain, just as Bitcoin, Ethereum, and other cryptocurrency tokens. The mere difference is that NFTs are unique, non-replicable, and non-tradable to other NFTs.
Are NFTs Secure?
The short answer would be no. Let’s understand the challenge that lies behind the security of digital assets. Because of storage capabilities, images are not stored in Blockchain technology. Instead, an identifier of the asset is stored on the Blockchain and passed to the buyer. Using it on a third-party platform, the new owner can view the actual NFT.
Furthermore, the identifier leads to the asset’s Interplanetary file system or URL. If the company that sold the token runs the IDFS node, the actual ownership of the digital asset becomes disputable. And when NFT platforms go out of business, their sold assets are no longer accessible – they lose their value.
Possible Security Issues
Most NFT security issues are related to the NFT platform and smart contract vulnerabilities. Let us review the most probable issues deeper.
Digital assets can be purchased and sold from centralized platforms. Some of the most popular ones are OpenSea, Radible, Nifty Gateway, and others. These NFT marketplaces have private keys to all the assets on their platforms. In case of a market compromise, a considerable number of NFTs worth a total amount of millions of dollars can be exposed to hackers. For instance, such a case was registered at Nifty Gateway when hackers managed to compromise several accounts and accessed the purchased NFTs. They exchanged the assets and sold them for a profit. Undoubtedly, the lost money was returned to the investors due to the carried-out investigation, yet the assets were no longer recovered.
Whether the platform holds strong security measures regarding private keys or not, it doesn’t guarantee NFTs’ security. In fact, hackers can still access investors’ crypto wallets and NFTs if they are not protected with robust passwords and two-factor authentication.
Smart Contract Vulnerabilities
Another NFT vulnerability is related to the smart contracts they are built on. NFT smart contracts are not prone to hacking. They can be easily broken and used. Therefore, before a digital token is even minted, it is essential to acknowledge all the risks related to the ownership of digital assets.
A bright example of smart contract risks was the malicious attack on a viral project Crypto Punks in 2017. It was affected by a bug that prevented crediting the Ethereum cryptocurrency into the seller’s crypto wallet. As a result, fraudsters bought crypto punks and took the money back from the contract. Surely, the project was re-launched, yet with a more robust updated contract.
Other cases of NFT vulnerabilities include the exploit of 3D digital avatars of Meebit when the attackers manipulated the contract rules of Meebit to create NFTs, reverting them with traits of less value while keeping expensive ones. The fraudster paid around a $20K gas fee for all the manipulations, but the purchase and resale of the Meebit #16647 token brought them more than $700K.
Phishing is another phenomenon causing security concerns. When a phisher steals the recovery phrase of a crypto wallet, the user can lose access to both the wallet and the account on centralized platforms. How does this happen? Let’s check the typical scenario of phishing in steps:
- The fraudster sends the user a link to a fake website via a text message, email, or Discord.
- Since the fake website has exactly the same structure and layout as the genuine crypto wallet, the user has no doubts.
- The user is asked to provide the wallet recovery phrase for a particular realistic-sounding reason on the fake site.
- Once the user provides it, the attacker gets complete control over the encrypted wallet, its cryptocurrency, and every digital asset (most probably with a physical asset behind it) minted or bought.
Another widespread phishing method is pretending to be a tech support personnel to offer help but aiming at tricking the security phrase instead.
How to Protect Your NFTs
A digital token owner can take some precautions to take the NFT security protection into their hands. First and foremost, MFA must be enabled. For instance, none of the hacked users in the security concerns with the Nifty Gateway had their MFAs enabled.
The next essential point is avoiding weak passwords. A crypto wallet password must be of sufficient length with capital and small letters, digits, and symbols. It must not be used on other accounts.
Investors and minters should also be careful with the use of Discord. Although most token owners use Discord for publicity (they access real-time chat with their nicknames and interact with exclusive communities), hackers can easily leverage the provided data. In fact, Discord can become a good place for phishers to post malicious links and cause the loss of crypto assets.
Nothing is infallible, but these simple steps can help keep your projects safe and avoid any security concerns with your crypto wallet.
Not fungible token projects offer investors many opportunities for quite rewarding investments. However, they can also be used against them because of various NFT vulnerabilities. Every digital token is a smart contract in its essence, and as such, it is not ensured against errors or bugs that can put the owner’s investment at risk. Surely, developers work hard to improve their codes for NFT vulnerabilities and errors. Nevertheless, a couple of flaws still remain, causing serious problems once hackers identify them.
Today, there are no financial regulations that would control the trading of digital tokens despite the ongoing evolvement of the tokenized economy. The rights of token owners are unclear, while the difficulty of pursuing all crypto transactions leads to monetary losses every time people buy NFTs of counterfeit type.
This is a hard-to-control market. Minters and investors should exercise caution to secure their belongings (whether physical or digital), store data securely, and always check the source when asked to provide sensitive data. Do never pass the seed phrases of your crypto wallet to third parties since they might be the only clue to restoring the wallet.