twimbit insights
Learn, ideate, and collaborate on the biggest innovation opportunities

Security risks in the NFT ecosystem


NFTs have gained attention in the past year, especially with million-dollar sales headlines. Large companies ranging from Coca-Cola, Nike, Adidas, and even football outfit Paris Saint Germain (PSG) have already experimented with NFTs. We expect this trend to continue and enterprise adoption to be a key theme for NFTs moving forward in the coming years, especially as they set a precedent for use cases.

When discussing mass NFT adoption, enthusiasts often face adamant public backlash on security vulnerabilities and hackers exploiting this nascent technology. NFTs are supposed to inherit the robust security features from the underlying blockchain technology, but how have hackers been able to exploit loopholes and steal millions of dollars from the ecosystem?

While many blockchain experts and Twitter threads are busy explaining the logic of different hacks and malicious methods perpetrators use, the transparent nature of the blockchain stands out like a sore thumb. A distributed, public ledger seems like a good idea to drive away malicious activity since everyone, including the authorities, has access and can view every single transaction that ever happens. Unfortunately, this has not been the case. NFT related hacks and scams still occur daily, with users losing millions of dollars.

While it’s easy to put on our detective hat and use blockchain explorers to dive through hundreds of transactions to investigate how different security exploits happen, we have to step back and ask ourselves – are NFTs as secure as they say?

Therefore, we want to explore the security risks users, and enterprises need to know about in the NFT ecosystem and suggest ways to navigate this crucial area of NFT development.

Security risks of NFTs

To understand the security concerns behind NFTs, we need to look at what goes under the hood of an NFT. The NFT tech stack we presented in our recent report “Uncovering the Global NFT Market” gives readers an in-depth view of what makes up an NFT. These pieces enable NFTs to function more than a transaction record and tokenise digital files into digital assets on the blockchain.

Source: Uncovering the Global NFT market report, twimbit

Storage limits on the blockchain, a risky shortcut to storing assets

One security risk area often discussed is the “digital link” component. A digital link is a connection to something, in this case, to the NFT metadata.

The NFT metadata:

  • Is a JSON file that provides descriptive information about an NFT including the
  • name, picture, description, and information on additional traits
  • can be stored both on or off-chain
  • either embedding it directly into the smart contracts representing the NFT or hosting it completely separately (off the blockchain).

NFTs do not store the image or media file on the blockchain. In contrast, an NFT is merely a token to provide proof of ownership and stores very little data, only URLs that point to the metadata. This means that the images of apes or rocks in the news are not the actual NFTs. The real asset, image or art is still a link away. (Think of NFTs as land deeds and not the actual land itself)

Most NFT projects store their metadata off-chain because the current storage limitations on Ethereum make it very costly (1MB of data costs appx. US$ 17,100). However, with the ERC-721 token standard, developers can call the function tokenURI to find the metadata of an NFT. Hence, the current solution is to store web addresses or uniform resource indicators (URIs) in NFTs that lead DApps to the metadata instead.

So what is the security issue? Everyone knows that links on the Internet can break, and 404 errors can be costly in the NFT world. The problem is these links point to metadata stored off-chain, hosted on centralised servers, or cloud storage operated by Web 2.0 companies such as Amazon Web Service (AWS).

  1. Developers can change the metadata at any time, meaning there’s a chance that your NFT will look different than when you bought it.
  1. If the original hosting solution shuts down or is compromised, your digital assets are likely at risk of disappearing.

Consequently, this leaves NFT buyers vulnerable, relying on the third party that currently hosts the file or image to stay in operation.

Imagine buying an NFT for thousands or even millions of dollars and having it link to an empty web page in a few years. How would you then prove what it is you own through an NFT?

The senior editor of The Verge, Jacob Kastrenakes, highlights two critical scenarios that NFT buyers could end up in. First, when buyers own an NFT with a broken link, yet the trust-based NFT community generally understands what it represents — say, an expensive photo of an ape that gives you exclusive access to parties and events. As long as the image exists somewhere globally, the NFT would retain its value. Second, when the picture goes missing and the NFT ties to a blank page. In that case, it is hard to judge how the NFT with missing art would have any value, just like how you can’t sell a burnt painting.

Smart contract risks

Another critical aspect of NFTs is smart contracts, which are lines of codes on the blockchain that govern the transaction of an NFT. Smart contracts enable the programmability of an NFT and are responsible for automating the execution of logic designed in every transfer of ownership. Smart contracts are like digital vending machines. Once a smart contract fulfils its pre-determined conditions (in a vending machine’s case, money and choice of drink), a specific output is automatically executed or guaranteed (similarly, the chosen can of drink drops out).

One of the function of smart contracts in NFTs is to attach automated royalty collection on secondary sales. This means that whenever an NFT is sold and transferred, a specified percentage of the proceeds will go to the original creators without the oversight of an intermediary.

The risks? These smart contracts are developed mainly by programmers and reused for multiple NFT projects. And, it’s not illegal because these codes written in Solidity are open for everyone to view and use. For example, several projects have used similar smart contracts from the blue-chip NFT project, Bored Ape Yacht Club (BAYC). However, this copy-cat trend introduces your NFTs to developer risks and possible human errors that may result in malicious or even vulnerable smart contracts that are targets for hackers.

Examples of smart contract risks:

  • Consider the case of OpenSea’s recent attack in which hackers were able to exploit a loophole in their smart contracts update that resulted in users losing their NFTs. Due to the smart contract protocols used by OpenSea, the hackers were able to run a phishing attack, stealing NFTs worth up to $1.7 million. The attacker disguised as OpenSea’s representative convinced users to sign smart contracts, which automatically triggered the transaction to transfer assets from their wallets to the attacker’s wallet. Other instances also saw BAYC owners unknowingly sell their NFTs at prices significantly below their market value, then reselling for huge profits later.
  • Another interesting example is related to the recently acquired, Cryptopunks, which had faced the consequences of smart contract vulnerabilities back in 2017, when NFTs were not as popular. The smart contract contained a bug that prevented the transfer of ETH (the native token of Ethereum) into the project’s wallet. Attackers exploited the vulnerability by purchasing the NFTs and taking back the money from the smart contract, essentially making a refund without returning the NFTs. This event led to Cryptopunks having the relaunch with a new smart contract.
  • A more recent example, The Sevens NFT collection, launched in September 2021, also faced a smart contract issue during their mint. All users had to go through the collection’s smart contract, which only allowed 1 NFT per user in the first seven minutes of the mint and seven NFTs per transaction later on. However, one user created their own smart contract that bypassed the timestamp condition of the original smart contract, and successfully minted 1,000 NFTs at meager costs compared to what others paid for. This completely threw the pre-sale into chaos, but the user, 1ethSHOP, was willing to return 500 minted NFTs to the project team to be redistributed.
  • Last but not least, Meebit, a collection of 3D avatars, had an attacker manipulate the rules of its smart contract to mint several NFTs and revert the NFTs with less desirable traits while continuously ‘rerolling’ the mints until the smart contract contained a valuable NFT. As a result, the individual was able to mint and sell a rare NFT for over US$700k while spending US$20k in transaction fees.

How do we manage the risks?

Decentralised storage

Most projects turn to a decentralised file storage system called IPFS or InterPlanetary File System to solve the blockchain NFT storage problem. The decentralised file storage system runs on a network of computers that keep copies of the digital files, preventing a single point of failure and giving buyers more control as they can pay to keep files available on the network.

IPFS addresses are URIs that link to images, videos and other media represented by an NFT. This ensures the integrity of the NFT data as IPFS links cannot be tampered with or altered to form a different data than the one created. However, the files need to be actively available on the network for the system to work, as no single host carries the responsibility for the files stored on IPFS. Artworks from significant artists such as Grime, deadmau5 and Steve Aoki were temporarily missing but later returned online.

The ”ipfs://” scheme makes data retrieving easy as long as a node hosts the file somewhere on the network. Services like Pinata and Filecoin further simplify the processes by consolidating deployment and management of IPFS nodes while incentivising them to host files. Next, the content identifier (CID) is a digital label that points to the specific files (not their location). It ensures the integrity of the metadata by referencing the hash of the file.

This is why choosing reliable storage solutions for NFTs is essential. You may store your digital assets on the blockchain, but their existence depends on the longevity of centralised servers and the companies running them. The other option is the Web 3.0 route, using decentralised networks to store the underlying media and files while the NFTs live freely on a decentralised public ledger.

Smart contract audits

To avoid incidents like the ‘The Sevens project’ incident, auditing smart contracts before going live is a great way to avoid being victims of malicious exploits. Smart contract audits are essentially detailed inspections of smart contracts that interact with the blockchain, run by companies like Consensys Diligence and runtime verification. The process involves running tests and manual code analysis using automated bug detection and analysis tools. It is carried out to uncover errors, issues and security vulnerabilities in the code before debugging them.

Verification of smart contracts is a complex process. They often involve third-party system integration, which warrants expanding these checks to other smart contracts, even those they interact with. The process of auditing smart contract usually goes through several steps:

  1. Firstly, the team and the auditors agree on the scope and specification of the audit, involving the design, purpose, and architecture of the smart contracts.
  1. Auditors then test individual functions by matching their purpose and execution, followed by integration testing.
  1. To finish, auditors do the arduous task of manually sifting through the codes to understand the intentions and interpret findings in the context.

NFT projects and marketplaces cannot be too careful because smart contracts often manage assets with huge valuations, and a single vulnerability can cause severe damage. Hence, at the end of the audit, smart contract auditors would usually produce a final report that measures the authenticity and integrity of the project and its corresponding smart contract, just like an actual world company audit. Also, project owners would receive recommendations on possible fixes and how to improve the overall security and design of the smart contract.

While DeFi applications were the first to implement smart contracts for complex transactions, the rise of NFT projects has tempted teams to push out bug-filled smart contracts to meet investor demand and not feel FOMO. Smart contract audits are an excellent way for both projects and marketplaces to protect their users and themselves. At the same time, investors can use the willingness of projects to engage in an audit to vouch for their commitment to building safe and secured projects using bug-free smart contracts.

Community awareness

Lastly, the most underrated way to stay safe in the NFT ecosystem (or any digital realm) is to be informed. While the novel technology improves, current processes and frameworks are not good enough to guarantee users’ security and private keys. Transactions can only be done using a signature from a private key-public key pairing; thus, protecting private keys is the most critical concept to prevent any security woes.

Private keys storage by centralised NFT platforms is questionable at best, as they risk hacks stealing users’ assets. Users need to know that even though platforms practice the highest level of security measures, there is a severe possibility that malicious actors will find a way to break in and steal private data – meaning access to users’ wallets and their NFTs. Using zero-trust frameworks that use identity confirmation rather than assumption can limit users with access to NFTs.

Nifty Gateway teaches us an excellent example. This NFT marketplace witnessed hackers steal digital art from their users’ accounts and use their credit card details to purchase additional NFTs and transfer them to their accounts. Some hackers even changed account passwords that did not have a two-factor (2FA) authentication feature enabled, as the hackers obtained access via valid account credentials. It’s important to note that social engineering hacks still exist in the NFT space as they take advantage of weak security by platform users.

This brings up the main point of being aware of these security risks. Education on how NFT fraud, scams, and hacks work is necessary to prevent users from being victims. While understanding these may be a little tricky, there are tons of resources and many helpful users in the community. Generally, the goal of malicious actors is to get users’ private keys and access their digital wallets, performed through impersonations, phishing, and other already rampant methods in the industry.

In response, here are a few recommendations on how to secure your NFTs:
  1. Always use multi-factor authentication
  1. Invest in cold wallets
  1. Double-check contracts
  1. Never click on random links
  1. Use VPN services

User error plagues most of these exploits — the negligence of users and developers who were not fully aware of the blockchain mechanics, which hackers unfortunately exploited. And while the NFT ecosystem is still new, it is up to us to protect ourselves and our digital assets by being aware and always DYOR (do your own research), much like in the real world.

Analyst takeaways

Despite the dark horrors of NFT security, we believe it’s essential to understand how NFTs have enabled the decentralised transfer of value on the Internet. We should not view its security risks differently from the current ecosystem running Web 2.0 solutions.

The majority of NFT scams and security concerns are not related to the blockchain itself but the layers built on top of it. We have a rush of the best talent globally working on closing these gaps. If in the case that future blockchain networks or improvements allow users to store their files directly on the blockchain, only then can we view NFTs with a sure guarantee that the digital assets are safe on the blockchain.

And while smart contract continues to be a key component of NFTs, developers will need to continue in their pursuit to improve and keep smart contracts bug-free and safe from hackers. We believe that there is no one perfect smart contract for every occasion, but it’s essential to have a standardised set of best practices in the industry.

While security risks are a big deal, they are another item on the list of emerging risks involving intellectual property, legal rights, securities regulation, etc. Tackling NFT security will undoubtedly go a long way in driving mass adoption, but with NFT scams and hacks taking up headlines, the ecosystem is nowhere near achieving a safe place where both NFTs and their users can call home.

Additional Reading:


2. a