NFT Security. What to take care of

SmartState.tech
5 min readJan 24, 2023



Like any asset on the web, NFTs need the best possible security for buyers to trust them, yet as things stand they are not very secure. There are always people who will try to get their hands on someone else’s possessions. NFTs are stolen from time to time by shrewd hackers (as in the Nifty Gateway hack in 2021) or taken over by scammers (as in the notorious Coinbase situation). Tokens are not 100 percent secure. What threats lie in wait for unsuspecting users, and what difficulties can they face?

Platform issues

There are some system-level issues that can complicate NFT owners’ lives. The most frequent are the following:

  • Hardware wallet support issues. Not all marketplaces allow hardware wallets to be used directly; additional steps may be needed, which can confuse the user or prove troublesome.
  • Smart contract transparency. Careful independent audits are needed to make smart contracts more secure: their code is open source, which unfortunately lets malefactors study it for weaknesses. Some platforms close their contract code instead, which causes complications of its own.
  • Authentication policies. NFTs can be minted and traded by anonymous users. Not every platform guarantees that KYC (Know Your Customer) and AML/CFT (Anti-Money Laundering and Combating the Financing of Terrorism) rules are followed carefully, so there is always some risk of malicious meddling.
  • Ownership transfer. NFTs are traded on online marketplaces, sometimes with the help of intermediaries between the seller and the buyer. This creates the problem of trusting the intermediary, who can easily steal the asset being traded. Another option is to use escrow smart contracts, but this is no panacea either, since the security of the deal then depends entirely on the security of the smart contract.
  • Market operation. Trading platforms hold NFTs in escrow. Until the sale is complete, the transactions are invisible on the blockchain. This violates the decentralization principle and jeopardizes the deal for both the trader and the customer.
  • Input data checking. NFT applications are the so-called ‘front-end’ part of the system, which interacts with the back-end parts: servers and smart contracts. Both sides (front-end and back-end) are expected to check all parameters on their side. A bad implementation of these checks can lead to losses: if the input data is incorrect, the NFT is sent to a wrong address and lost.
  • Editable metadata. NFT metadata is how the token is represented. If this metadata can be changed, asset security is threatened: the metadata_url of the NFT, or the token itself, can be altered, which can damage or even ruin the token’s value.
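The last two items above (input checking before a transfer, and metadata that can change after purchase) are the ones a front-end or back-end can actually test for. The following Python is an added example, not code from the article or from SmartState: it validates a recipient address at the format level, classifies whether a token URI is content-addressed or server-hosted, and fingerprints metadata so a later change can be detected. All addresses, URIs and metadata in it are constructed sample values; the EIP-55 checksum check mentioned in the comments is assumed to be a separate layer and is not implemented here.

```python
# Added example (not from the SmartState article): two defensive checks that an
# NFT front-end or back-end can run before a transfer or purchase.
# All addresses, URIs and metadata below are constructed sample values.
import hashlib
import json
import re
from typing import Tuple
from urllib.parse import urlparse

HEX_ADDRESS = re.compile(r"^0x[0-9a-fA-F]{40}$")
ZERO_ADDRESS = "0x" + "0" * 40


def check_recipient(address: str) -> Tuple[bool, str]:
    """Format-level validation of a transfer recipient.

    Returns (ok, reason). This is only the first layer: an EIP-55 checksum
    check (which needs keccak-256) would be the next one and is not shown here.
    """
    addr = address.strip()
    if not HEX_ADDRESS.match(addr):
        return False, "not a 20-byte hex address"
    if addr.lower() == ZERO_ADDRESS:
        return False, "zero address: the token would be burned, not transferred"
    return True, "ok"


IMMUTABLE_SCHEMES = {"ipfs", "ar", "data"}  # content-addressed or inline


def classify_token_uri(uri: str) -> str:
    """'immutable' when the metadata location is content-addressed or embedded,
    'mutable' when a server can change what the URL returns."""
    parsed = urlparse(uri.strip())
    scheme = parsed.scheme.lower()
    if scheme in IMMUTABLE_SCHEMES:
        return "immutable"
    if scheme in {"http", "https"}:
        # A public IPFS gateway still resolves a content hash, even over HTTP.
        if "/ipfs/" in parsed.path:
            return "immutable"
        return "mutable"
    return "unknown"


def metadata_fingerprint(metadata: dict) -> str:
    """SHA-256 over canonical JSON, so key order and whitespace do not matter."""
    canonical = json.dumps(metadata, sort_keys=True, separators=(",", ":"),
                           ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def metadata_changed(snapshot_fingerprint: str, current_metadata: dict) -> bool:
    """Compare a fingerprint taken at purchase time with the metadata seen now."""
    return metadata_fingerprint(current_metadata) != snapshot_fingerprint


if __name__ == "__main__":
    # Constructed sample data.
    print(check_recipient("0x" + "ab" * 20))      # (True, 'ok')
    print(check_recipient("0xab12"))               # malformed
    print(check_recipient(ZERO_ADDRESS))           # burn address
    print(classify_token_uri("ipfs://bafyexample/1.json"))            # immutable
    print(classify_token_uri("https://api.example.invalid/token/1"))  # mutable

    at_purchase = {"name": "Sample #1", "image": "ipfs://bafyimage/1.png"}
    snapshot = metadata_fingerprint(at_purchase)
    # Same content, different key order: still the same fingerprint.
    print(metadata_changed(snapshot, {"image": "ipfs://bafyimage/1.png", "name": "Sample #1"}))  # False
    # Image swapped behind the buyer's back: detected.
    print(metadata_changed(snapshot, {"name": "Sample #1", "image": "https://cdn.example.invalid/swapped.png"}))  # True
```

The fingerprint is deliberately taken over canonical JSON rather than the raw bytes fetched from the server, so that a gateway re-serializing the same document does not raise a false alarm; a URI classified as "mutable" is the case where keeping such a snapshot matters most.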

User security risks

Many problems and dangers are created by the owners themselves. A tiny mistake, or following a suspicious link, can lead to a great loss. Three main threats should be mentioned:

  • Counterfeit NFT creation. It is considered good practice to verify the contract address before buying an asset (for example, on the project’s website) instead of relying on the name and appearance of the lot. Fraudsters often use similar collection names (making a fake NFT by replacing characters in the original name with similar-looking ones and copy-pasting the token’s representation), identical image URLs (copying the image URL of an existing NFT, deploying a fraudulent smart contract and minting tokens that mimic the popular ones) and similar images (making a copy of a digital asset and minting an NFT of the copy).
  • NFT scams. This type of fraud can be performed in several ways: fake marketplaces, identity theft (fraudsters try to obtain personal or login data in order to empty the victim’s wallet), the rug pull (gaining buyers’ trust, lulling them into a false sense of security and then disappearing with their money, leaving them worthless NFTs) and the pump-and-dump scheme (usually performed by a group of malefactors who ‘pump’ money into a certain NFT project to inflate its value in the short term and then sell off their holdings to secure a profit, with a dramatic price drop following).
  • Phishing. A very common way to steal someone’s belongings. Phishing techniques allow fraudsters to take hold of assets, passwords, personal data and other valuables without attacking the system directly. Malefactors send fake or infected emails pretending to come from legitimate sources and try to obtain the wallet’s login data. In other cases, fraudsters create fake applications pretending to be wallets, exchanges or marketplaces, which popular app stores do not always recognize as fake. One more variant is offering to install malicious software: here the scammer contacts the potential victim directly, usually via a social network or a messenger, and convinces them to download and extract some archive or other software, which later gives the villain access to personal data and the wallet itself.
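The counterfeit-collection item above recommends checking the contract address rather than the name, and describes names forged by swapping in similar-looking characters. The Python below is an added example, not code from the article or from SmartState, of what such a check can look like on the buyer’s or marketplace’s side: it flags names that mix writing systems, folds a few common lookalike glyphs back to Latin so that the forged spelling compares equal to the real one, and then insists that the contract address match the one the project publishes. The allowlist, the confusables table and the listings are constructed sample values; a real implementation would load the full Unicode confusables data rather than the short table here.

```python
# Added example (not from the SmartState article): lookalike-name and contract
# address checks a buyer or marketplace could run on a listing. The allowlist,
# the confusables table and the listings below are constructed sample values.
import unicodedata
from typing import Dict, List, Set, Tuple

# Constructed allowlist: collection name -> the contract address the project
# publishes. In practice this comes from the project's own site or docs.
KNOWN_COLLECTIONS: Dict[str, str] = {
    "Example Apes": "0x1111111111111111111111111111111111111111",
}

# Small, hand-picked confusables table (Cyrillic/Greek glyphs that render like
# Latin letters). A production check would use the full Unicode confusables data.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u03bf": "o", "\u0391": "A",
}


def scripts_in(name: str) -> Set[str]:
    """Writing systems used by the letters of a name, from Unicode character names."""
    scripts = set()
    for ch in name:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def skeleton(name: str) -> str:
    """Fold a name so that visually identical spellings compare equal."""
    folded = unicodedata.normalize("NFKC", name)
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in folded)
    return " ".join(folded.casefold().split())


def verify_listing(name: str, contract: str,
                   known: Dict[str, str] = KNOWN_COLLECTIONS) -> Tuple[str, List[str]]:
    """Return ('verified' | 'suspicious' | 'unknown', findings) for one listing."""
    findings: List[str] = []
    scripts = scripts_in(name)
    if len(scripts) > 1:
        findings.append("name mixes scripts: " + ", ".join(sorted(scripts)))
    wanted = skeleton(name)
    for known_name, known_addr in known.items():
        if skeleton(known_name) == wanted:
            # The name resolves to a known collection; only the address decides.
            if contract.strip().lower() != known_addr.lower():
                findings.append(f"name looks like {known_name!r} but contract differs")
            return ("verified" if not findings else "suspicious", findings)
    findings.append("name not in allowlist")
    return "unknown", findings


if __name__ == "__main__":
    genuine = "0x1111111111111111111111111111111111111111"
    impostor = "0x2222222222222222222222222222222222222222"   # constructed
    print(verify_listing("Example Apes", genuine))            # ('verified', [])
    # Second letter "a" replaced by Cyrillic U+0430, as the article describes.
    print(verify_listing("Ex\u0430mple Apes", impostor))      # ('suspicious', [...])
    print(verify_listing("Other Cats", impostor))             # ('unknown', [...])
```

The two signals are independent on purpose: a mixed-script name is suspicious even when the address is right, and a perfectly Latin name with the wrong address is still a counterfeit, which is why the address comparison is what decides the final verdict.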

Conclusion

This is certainly not all. Every day brings new issues, and malefactors create more threats. Selling and buying NFTs is a risk-bearing process, so the potential customer should approach it with care, watch out for suspicious deals and offers, and check everything twice before committing to an action they will not be able to abort or cancel.

SmartState: Web3 security easier than ever

About SmartState

Launched in 2019 and based in Dubai, SmartState is one of the leading DeFi security auditing firms. We conduct security tests and check the core code, smart contracts and blockchain for all types of errors, vulnerabilities and other issues.

Although SmartState began with smart contract auditing of DLT projects, from the very beginning we made our services surpass the classic purview of smart contract audit and security testing. We specialize in manual testing, so SmartState’s tech team of white-hat security professionals reviews a project’s git repository and offers guidelines and recommendations for its further development. Security audit reports review the threats and vulnerabilities through which codebases may be exploited in the future, as the network scales and expands to accommodate more use cases and functionality.

Stay tuned and find more about us and what we provide on our:


Written by SmartState.tech

🇦🇪 Dubai-based enterprise level Web3 security company. Top-notch smart contract audits & blockchain security solutions 🚀🔒
