- A Smart Contract is a digital contract on the blockchain that is executed automatically when certain predetermined conditions are met.
- The more complex the Smart Contract, the more likely it is to include vulnerabilities which can affect NFTs.
- Even if the smart contract contains no vulnerabilities, a small mistake on the part of the user can let fraudsters do their work.
Non-fungible tokens (NFTs) have caught the world’s attention given their extraordinary appreciation. However, one question that all investors who decide to enter this sector should ask themselves is: Are NFTs safe?
Anyone who follows the sector closely will have noticed that there have been various problems with NFTs. However, the problem does not lie with NFTs themselves.
It is essential to remember that NFTs are smart contracts: a digital contract stored on the blockchain that is automatically executed when certain predetermined conditions and terms are met. When an NFT is minted, it is done through a Smart Contract that assigns ownership and manages the transferability of the token.
At its core, a Smart Contract is code made of simple “if/when…then…” statements on the blockchain. The more complex the code, the greater the probability that errors or vulnerabilities will appear within the digital contract.
Of course, developers check their code over and over again for potential vulnerabilities, but there is always the chance that one or more flaws will surface later and cause problems, above all when someone finds the opportunity to take advantage of a bug in a valuable asset such as an NFT.
From this follows the need to carry out security audits with some frequency to address vulnerabilities before they are exploited. In fact, that is why there are companies like Consensys engaged in executing such audits.
Below you will find the most common vulnerabilities or flaws that are present in Smart Contracts and that affect NFTs:
Vulnerabilities in the sale of NFTs
These are opportunities taken by hackers at the time NFT tokens are sold. For example, during the launch of the Adidas NFT Into the Metaverse collection, an attacker managed to bypass the NFT purchase limit per wallet and acquired 330 NFTs.
They are flaws or gaps within the smart contracts that attackers use to obtain a profit in the purchase process. Another possible example is a vulnerability that allows a user to buy an NFT and then recover the money from the smart contract.
NFT market vulnerability
As previously explained in Bitcoin Mexico, there are a wide variety of NFT markets, each with its advantages and disadvantages. These platforms are responsible for helping people interact with digital assets.
Strictly speaking, this vulnerability is not in the NFT itself but in the platform on which it is traded. For example, there have been vulnerabilities that attackers exploited to purchase expensive NFTs at their previous trading prices and then sell them at their current price.
Private keys becoming public
Private keys must be protected tooth and nail! Remember that it is the private keys that grant a given user ownership of the assets associated with a wallet. Therefore, anyone who gains access to those keys will have ownership of the assets, even if they previously belonged to someone else.
Over the years, hackers have found new methods to steal users’ private keys and access their tokens; phishing being one of the most used methodologies.
In fact, phishing is a tool attackers use to steal any type of information, for example bank passwords or credit card numbers. That is, it does not only affect the crypto community.
One example is the recent experience of some OpenSea users who experienced a Phishing attack. The attacker sent emails to users posing as OpenSea and tricked them into signing data with MetaMask and stole their funds.
Reentrancy attacks
Some platforms implement a callback function. This feature is intended to help integrate NFT projects, but it can also be exploited by attackers.
A reentrancy attack happens when a function makes an external call to another, untrusted smart contract. The untrusted contract then calls back into the original function recursively, before the original call has finished updating its state, in an attempt to drain the funds.
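As an added illustration, not from the original article or any real collection, the following plain-Python model shows the ordering defect reentrancy abuses: a mint routine that checks a per-wallet limit, calls a buyer-controlled receiver hook (modelled on ERC-721's safe-transfer callback), and only then records the mint, beside the checks-effects-interactions ordering plus a reentrancy guard that stops it. The sale classes, the hook and the limit of 2 are constructed for this example and make no claim about how any real incident worked; the same ordering flaw is what lets a withdraw function be re-entered to drain funds.

```python
# Toy model (plain Python, not the EVM or any real collection's code) of an NFT
# mint that calls a buyer-controlled receiver hook, as ERC-721 safe transfers do.
MAX_PER_WALLET = 2  # constructed per-wallet purchase limit

class Receiver:
    # Buyer contract whose hook re-enters mint() while the first call is still running.
    def __init__(self, sale, reentries):
        self.sale, self.reentries = sale, reentries

    def on_received(self, token_id):
        if self.reentries > 0:
            self.reentries -= 1
            try:
                self.sale.mint(self)
            except RuntimeError:
                pass  # the hardened sale refuses the nested call

class VulnerableSale:
    # Check, then external call, then state update: the count is stale when the hook re-enters.
    def __init__(self):
        self.minted, self.locked = 0, False

    def mint(self, buyer):
        if self.minted >= MAX_PER_WALLET:
            raise RuntimeError("limit reached")
        buyer.on_received(self.minted)  # interaction BEFORE the effect
        self.minted += 1

class HardenedSale(VulnerableSale):
    # Checks-effects-interactions order plus a reentrancy guard.
    def mint(self, buyer):
        if self.locked or self.minted >= MAX_PER_WALLET:
            raise RuntimeError("reentrant call or limit reached")
        self.locked = True
        try:
            self.minted += 1  # effect first
            buyer.on_received(self.minted - 1)  # interaction last
        finally:
            self.locked = False

def tokens_obtained(sale_cls, reentries):
    """Mint until the sale refuses; return how many tokens one wallet ended up with."""
    sale = sale_cls()
    buyer = Receiver(sale, reentries)
    while True:
        try:
            sale.mint(buyer)
        except RuntimeError:
            return sale.minted
```

With five nested re-entries the vulnerable sale hands one wallet 6 tokens against a limit of 2, while the hardened sale stops at 2.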
Scams and money laundering opportunities
Since the NFT industry is in a process of development, and as is often the case in the beginning of any market, attackers and criminals find opportunities to carry out their illegal activities.
In general, Discord is the main platform through which NFT projects execute their marketing strategies along with Twitter to attract the attention of the public.
One of the goals of any NFT project is to sell and attract the public before the mint happens, and users who invest in an NFT collection before the mint are really betting on the future of the project.
Nevertheless, there have been projects that used a marketing strategy to attract the public when their only objective was to scam people. An example is Cool Kittens, a project that sold more than 2,200 NFTs for a price of $70 each and, after the sale, disappeared with the money.
NFT collections that have suffered from vulnerabilities
CryptoPunks
One of the most popular NFT collections ever experienced a major bug in 2017. After 10,000 Punks were sold, a bug was discovered where the smart contract allowed sales to take place but no actual payment was received.
This led LarvaLabs, creators of the collections, to relaunch the project with a new and updated smart contract.
Meebits
Another collection created by LarvaLabs is Meebits. Each NFT was minted with random traits, but some users figured out how to select traits to get exactly the ones they wanted.
This happened because a file included in the smart contract revealed the traits of each Meebit token ID, so a user who started a Meebit mint could cancel it if they saw that the token was not rare.
How to make the NFT market an increasingly secure space?
As shown above, keeping the NFT market safe is a task for both users and project developers: even if the smart contract contains no vulnerabilities, a small error on the part of the user will let fraudsters do their work.
So, what to do?
- The teams behind the NFT collections must educate users on the necessary security measures: enabling two-factor authentication, using strong passwords stored offline, and using a cold wallet.
- Carry out audits of the Smart Contract! A key task on the part of the team behind each NFT collection is to inspect smart contracts for vulnerabilities. And, before launching the project, you need to turn to a smart contract auditing company.
- Adhere to decentralization: A centralized platform is equivalent to storing users’ private keys on the platform. And, consequently, any attack on the platform puts users’ private keys and assets at risk.
Now, more focused on the user, there are some considerations:
- Do not access unknown or strange links! You should always check the links you access carefully to ensure that they are legitimate.
- Before you mint an NFT, be sure to check the contract address; it indicates where the NFT is actually minted.
- The basic rule: If it seems too good to be true, it probably is!
- Always confirm that you are doing the mint on the website of the verified project.
- On Discord, watch out for scammers who write by private message promoting projects.
- No platform will ever ask you for your private keys.
- Be curious! Don’t be afraid to ask project developers questions, question your own security, and prioritize it.
- Thoroughly research the team behind any NFT collection and trace their history.
Is the NFT market extremely insecure?
No. Certainly, NFTs are affected by possible loopholes or vulnerabilities that hackers could find in smart contracts, however, this also applies to Decentralized Finance (DeFi) or any product or service that uses smart contracts.
Likewise, it is relevant to mention an investigation carried out by Daniel Perez and Benjamin Livshits, from Imperial College London, called ‘Smart Contract Vulnerabilities: Vulnerable Does Not Imply Exploited’; that is, a vulnerability in a smart contract does not necessarily mean that attackers exploit or take advantage of it.
In this sense, the conclusion of the research article is that, of 23,327 vulnerable contracts reported by six academic projects, only 1.98% were exploited by attackers. Therefore, only 0.27% of the ETH funds that were committed were actually at risk. In this way, Perez and Livshits show that the funds were concentrated in a small number of contracts that are not vulnerable in practice.
Final thoughts
Yes, entering a market such as NFTs involves different types of risk; however, this is no different from surfing the Internet, using a card to withdraw cash from an ATM, or other activities that we carry out on a daily basis. In other words, every decision carries its risks and its benefits.
Really, the important thing is to know what the risks and vulnerabilities are because, by taking them into account, actions can be taken to reduce the chances of suffering a problem.
In the end, no investment decision should be taken lightly. And, in the case of NFTs, it is essential to assess whether the project performs audits of its smart contracts.
Do not let the vulnerabilities of Smart Contracts affect you in this 2022!