The NFT Ecosystem And Related Security Risks

2021 was an eventful year for NFTs.

The most expensive NFTs to date were sold during this period, including Beeple's artwork and the rarest CryptoPunks. The properties that make NFTs interesting are verifiability and trustless transfer.

In brief, every NFT transfer is recorded on the blockchain, so the information needed to verify ownership can be retrieved whenever it is needed. The blockchain also settles the transfer between buyer and seller, so neither side has to trust the other.

On the downside, the NFT space raises legitimacy concerns and attracts fraud. This blog walks through those occurrences in the NFT ecosystem, together with the related cryptocurrency security data.

Because Ethereum is the most accessible and mature chain for NFTs, the NFTs operating on it are analysed here to identify the security issues that occur in practice.

Key Concepts Covered In This Blog

  • Overview of Ethereum blockchain and the functioning of NFTs
  • Dissecting the NFT ecosystem into Users, NFT marketplaces, and External entities
  • NFT security flaws encountered by NFT marketplaces
  • Issues faced with external entities
  • Threats introduced by the users themselves

Working of NFTs on Ethereum blockchain

Ethereum is the second most widely adopted blockchain network after Bitcoin. Its adoption grew from barely 10,000 DeFi users in 2020 to 4.4 million DeFi users on Ethereum within two years.

Ethereum powers its native currency, ETH, and the many dapps built on it. When this post was written Ethereum used a Proof-of-Work consensus mechanism, in which miners solved cryptographic puzzles to add blocks to the network (it has since moved to Proof-of-Stake).

Smart contracts are deployed to, and executed on, the Ethereum Virtual Machine (EVM). Tokens built on Ethereum come in two kinds: fungible and non-fungible.

Fungible tokens are usually ERC-20 compliant, whereas non-fungible tokens follow the ERC-721 and ERC-1155 standards (ERC-1155 is a multi-token standard that can represent fungible and non-fungible items in a single contract). ERC-721 is the best-known standard for implementing non-fungible tokens on Ethereum: each token is identified by its contract address and a unique token ID, and the contract exposes the owner of each ID and a metadata URI for it.

Breaking Down The NFT Ecosystem

The NFT economy is made up of three classes:

  • Users, who are the buyers and sellers of digital assets
  • Marketplaces, which act as intermediaries for publicising the assets and driving their sale
  • External entities, which provide infrastructure and hosting services for users and NFT marketplaces

Users

The users of the NFT economy fall into three categories: buyers, sellers, and content creators.

  • Content creators produce digital art but may not have the technical skill to turn it into NFTs. Some creators both create and mint; others grant sellers the right to convert their work into NFTs.
  • Sellers mint NFTs and list them on NFT marketplaces for buyers to purchase.
  • Buyers bid on NFTs on the marketplace websites and gain ownership of the assets.

Marketplaces

A marketplace works through two interfaces:

  • Web frontend

This is where the user interacts to purchase NFTs from sellers or initiate transactions. The website requires user authentication to set up an account for listing NFTs or purchasing digital art.

  • Smart contracts

Transactions on a marketplace interact with smart contracts to execute their actions. Two types of smart contract are involved:

Marketplace contracts: all activities of the NFT marketplace and its protocol (listings, offers, settlement) are managed through these contracts.

Token contracts: the actual token transfer is executed by the token contract, the ERC-721 or ERC-1155 contract that records ownership.

All transactions and token activities are treated as events by the NFT marketplaces. Events are stored either on-chain or off-chain:

  • On-chain: events are stored on the blockchain, which costs gas for every action. Ex: SuperRare, Axie Infinity
  • Off-chain: events are stored in off-chain databases, which saves gas. Ex: Nifty Gateway
  • Hybrid: ties the two together; orders are created and signed off-chain and the signature is verified on-chain when the trade settles. Ex: OpenSea

In short, a marketplace facilitates user authentication, token minting, token listing, and token trading.

External Entities

External entities provide hosting services, such as IPFS, where creators store their artwork and the related metadata.

CRYPTOCURRENCY SECURITY RISKS ENCOUNTERED BY NFT MARKETPLACES

NFT marketplaces such as OpenSea, Nifty Gateway, Rarible, and SuperRare were studied for thefts and attacker activity. The following NFT threats are based on the findings of that study.

Identity verification for user authentication: checking personally identifiable information (KYC) is what makes money laundering harder. No NFT marketplace was found to mandate a KYC process, so a user can create many accounts that are hard to trace back to one person.

Token contract verification: a token contract is considered verified once its source code is submitted to Etherscan for public scrutiny, so anyone can check it for bugs and confirm that it matches the deployed bytecode. None of the marketplaces, including OpenSea, Sorare, and Axie Infinity, makes open-source contract code mandatory.

Tampering with metadata: a token's metadata is what points to the specific asset. When that metadata is stored on a third-party domain it can be altered after the sale, so the token is exposed to having its asset swapped out from under it. No NFT marketplace was found to take preventive measures against metadata tampering, making it one of the newest vectors for NFT hacks.

Buyer or seller verification: verified seller accounts, shown with a badge on the profile, attract a great deal of attention from buyers. Marketplaces such as Foundation are strict about approving seller verification, while others, such as OpenSea and Rarible, leave it to the buyer to establish the seller's authenticity, since they impose no mandatory requirements. That leaves more room for NFT scams.

Feature Specification On Various Marketplaces

CONCERNS ABOUT EXTERNAL ENTITIES

ERC-721 tokens expose a metadata URI (tokenURI) that points to where the token's data is stored: IPFS (decentralised, content-addressed storage), a web domain, or Amazon S3 (centralised storage).

NFTs that point to external domains are exposed to the risk of the domain expiring or becoming unavailable. When that happens the NFT breaks: the token still exists on-chain, but its URL resolves to nothing.
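The two host-side risks above (metadata that a third-party domain can alter, and a domain that goes away) are both things a buyer can check for. The following is an added example, not code from the original post or from any marketplace: it classifies a tokenURI by whether its content is fixed or host-controlled, records a digest of the metadata at purchase time, and re-checks it later. Network access is replaced by a hypothetical in-memory host table, and all URIs and metadata documents are constructed for illustration.

```python
"""Classify ERC-721 tokenURI values by how much they depend on an external
host, and detect metadata tampering by comparing a digest recorded at purchase
time with a later fetch. Added example; the hosts, URIs and metadata are
constructed, and HOST stands in for the network so it runs offline."""

import base64
import hashlib
import json
from typing import Optional
from urllib.parse import urlparse

# Hypothetical in-memory stand-in for the hosts a tokenURI can point to:
# URI -> raw JSON the host would serve.
HOST = {}


def classify_uri(uri: str) -> str:
    """Return 'immutable', 'mutable' or 'broken' for an ERC-721 tokenURI.

    data: URIs carry the document inline and ipfs:// / ar:// are
    content-addressed, so what they resolve to cannot silently change.
    Plain http(s) (a web domain, an S3 bucket) serves whatever the host
    chooses to serve today, and nothing at all once the domain lapses.
    """
    if uri.startswith("data:"):
        return "immutable"
    parts = urlparse(uri)
    if parts.scheme in ("ipfs", "ar"):
        return "immutable"
    if parts.scheme in ("http", "https"):
        # HTTP gateways to IPFS still name the content by CID, so the bytes are
        # fixed even though the gateway host is replaceable.
        return "immutable" if "/ipfs/" in parts.path else "mutable"
    return "broken"


def fetch_metadata(uri: str) -> Optional[dict]:
    """Resolve a tokenURI to its JSON document, or None if nothing is served."""
    if uri.startswith("data:"):
        header, _, payload = uri.partition(",")
        raw = base64.b64decode(payload) if header.endswith(";base64") else payload.encode()
        return json.loads(raw)
    raw = HOST.get(uri)
    return None if raw is None else json.loads(raw)


def metadata_digest(meta: dict) -> str:
    """Canonical SHA-256 over the fields that define what the token depicts.

    Record this at purchase time; a later mismatch means the host changed the
    asset behind an unchanged on-chain token.
    """
    canon = json.dumps(
        {k: meta.get(k) for k in ("name", "image", "animation_url")},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(canon.encode()).hexdigest()


def audit_token(uri: str, digest_at_purchase: Optional[str] = None) -> dict:
    """Report storage risk, whether the URI still resolves, and whether the
    metadata still matches the digest the buyer recorded."""
    report = {"storage": classify_uri(uri), "resolves": False, "tampered": None}
    meta = fetch_metadata(uri)
    if meta is None:
        return report  # broken NFT: the token exists on-chain, the asset is gone
    report["resolves"] = True
    if digest_at_purchase is not None:
        report["tampered"] = metadata_digest(meta) != digest_at_purchase
    return report


def demo() -> dict:
    """Constructed scenario on a hypothetical web host: the buyer records a
    digest, the host later swaps the image, then the domain disappears."""
    uri = "https://art.example/meta/42.json"
    HOST[uri] = json.dumps({"name": "Punk #42", "image": "https://art.example/42.png"})
    recorded = metadata_digest(fetch_metadata(uri))
    before = audit_token(uri, recorded)
    HOST[uri] = json.dumps({"name": "Punk #42", "image": "https://evil.example/rug.png"})
    after = audit_token(uri, recorded)
    del HOST[uri]
    gone = audit_token(uri, recorded)
    # Fully on-chain metadata (data: URI) has no host to tamper with or to lose.
    inline = "data:application/json;base64," + base64.b64encode(
        b'{"name":"Onchain #1","image":"ipfs://QmExampleCid/1.png"}'
    ).decode()
    return {"before": before, "after": after, "gone": gone, "inline": audit_token(inline)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The digest covers only the fields that define the asset, so cosmetic edits to a description do not trip it; a marketplace that wanted to prevent tampering rather than just detect it would pin the image bytes to IPFS and store the CID in the metadata, which is what "immutable" above rewards.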

USER-PERFORMED SECURITY RISKS

Counterfeit NFT creation: ownership is recorded by the token contract, not by a name or an image, so to verify that a token is legitimate users are advised to visit the project's website and compare the contract address published there with the one behind the listing.

The recorded instances of counterfeit NFT creation were:

  • NFTs in which the name or character of the original NFT is slightly modified.
  • NFTs that point to existing assets by simply duplicating the image_url of the authentic ones.

These are the newest threat to NFT buyers. Counterfeit NFTs are circulating in growing numbers because the marketplaces perform no stringent check on whether the collection or token already exists.
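Both counterfeit patterns listed above (a look-alike name, and a re-used image_url) can be caught with a simple listing-feed check. The following is an added example, not code from the original post or from any marketplace. The registry of verified contract addresses, the confusable-character table and the listing feed are all constructed; the address values are hypothetical placeholders.

```python
"""Flag counterfeit NFT listings in a marketplace feed: collection names that
normalise to a verified collection but come from another contract, and
image_url values already used by a different contract. Added example; the
VERIFIED registry (hypothetical addresses) and the listings are constructed."""

import unicodedata

# Constructed registry of the contract address each project publishes on its
# own site: the buyer's ground truth for "legitimate".
VERIFIED = {
    "cryptopunks": "0x00000000000000000000000000000000000000a1",
    "bored ape yacht club": "0x00000000000000000000000000000000000000b2",
}

# Characters scammers swap in to fake a collection name (digit look-alikes and
# Cyrillic/Greek letters). A production version would load Unicode's
# confusables.txt instead of this hand-picked subset.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o p
    "\u03bf": "o",                                              # Greek omicron
})


def normalize_name(name: str) -> str:
    """Fold case, width and accents, map confusables, collapse punctuation."""
    s = unicodedata.normalize("NFKD", name).casefold()
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    s = s.translate(CONFUSABLES)
    s = "".join(ch if ch.isalnum() or ch.isspace() else " " for ch in s)
    return " ".join(s.split())


def detect_counterfeits(listings) -> list:
    """Return (listing_id, reason) pairs for suspicious listings.

    listings: dicts with id, collection, contract, image_url, in feed order.
    Check 1: the name resolves to a verified collection but the contract is
    not the published one. Check 2: the image_url was already listed by a
    different contract, i.e. the original asset has simply been re-pointed to.
    """
    findings = []
    image_owner = {}  # image_url -> contract that listed it first
    for item in listings:
        norm = normalize_name(item["collection"])
        contract = item["contract"].lower()
        if norm in VERIFIED and VERIFIED[norm] != contract:
            findings.append((item["id"], f"name maps to verified '{norm}' but contract differs"))
        first = image_owner.setdefault(item["image_url"], contract)
        if first != contract:
            findings.append((item["id"], "image_url already used by another contract"))
    return findings


def demo() -> list:
    """Constructed feed: one genuine listing, a digit-swapped copy that reuses
    the genuine image, a Cyrillic look-alike, and an unrelated collection."""
    listings = [
        {"id": 1, "collection": "CryptoPunks", "contract": VERIFIED["cryptopunks"],
         "image_url": "ipfs://QmExamplePunk/7804.png"},
        {"id": 2, "collection": "Crypt0Punks", "contract": "0x0000000000000000000000000000000000000dead",
         "image_url": "ipfs://QmExamplePunk/7804.png"},
        {"id": 3, "collection": "Bored \u0410pe Yacht Club",  # Cyrillic capital A
         "contract": "0x00000000000000000000000000000000000000bee",
         "image_url": "https://fake.example/ape.png"},
        {"id": 4, "collection": "Pixel Goats", "contract": "0x00000000000000000000000000000000000000caf",
         "image_url": "https://goats.example/1.png"},
    ]
    return detect_counterfeits(listings)


if __name__ == "__main__":
    for listing_id, reason in demo():
        print(listing_id, reason)
```

The image check trusts whichever contract listed an image first, so in practice the registry of verified contracts should seed image_owner before the feed is scanned; otherwise a counterfeit that lists before the genuine collection would invert the finding.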

Bid shielding: users are allowed to place bids on NFTs. In bid shielding, user X (or an accomplice) first places a low bid, then a very high bid so that no other user can outbid it. Just before the auction closes, X withdraws the high bid, leaving the low bid as the winner and taking the NFT at the lowest price.
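The attack only works because the deterrent bid can be taken back for free. The following is an added example, not code from the post or from any marketplace: a minimal auction with a switchable bid policy, run through the bid-shielding sequence with withdrawable bids and then with escrowed (binding) bids. Bidder names and amounts are constructed.

```python
"""Simulate bid shielding under two marketplace policies. Added example; the
auction model, bidders and amounts are constructed for illustration."""


class Auction:
    """Minimal English auction with a switchable bid policy.

    withdrawable=True  : a bidder may cancel an active bid at any time, the
                         setting that makes bid shielding free.
    withdrawable=False : funds are escrowed when the bid is placed and only
                         released when it is outbid, so every bid is binding.
    """

    def __init__(self, withdrawable: bool):
        self.withdrawable = withdrawable
        self.bids = []  # [bidder, amount, active]

    def highest(self):
        active = [b for b in self.bids if b[2]]
        return max(active, key=lambda b: b[1]) if active else None

    def bid(self, bidder: str, amount: int) -> bool:
        """Accept a bid only if it beats the current high bid."""
        top = self.highest()
        if top is not None and amount <= top[1]:
            return False  # locked out by the standing high bid
        self.bids.append([bidder, amount, True])
        return True

    def withdraw(self, bidder: str, amount: int) -> bool:
        if not self.withdrawable:
            return False  # escrowed bid cannot be pulled
        for b in self.bids:
            if b[0] == bidder and b[1] == amount and b[2]:
                b[2] = False
                return True
        return False

    def settle(self):
        """Winner and price at close: the highest still-active bid."""
        top = self.highest()
        return (top[0], top[1]) if top else None


def shielding_scenario(withdrawable: bool) -> dict:
    """Constructed attack: the attacker bids the floor, then a deterrent bid far
    above it; an honest bidder is locked out; the attacker cancels the
    deterrent at the last moment (only possible when withdrawal is allowed)."""
    auction = Auction(withdrawable)
    auction.bid("attacker", 1)
    auction.bid("attacker", 100)
    honest_accepted = auction.bid("honest", 5)
    cancelled = auction.withdraw("attacker", 100)
    return {"honest_accepted": honest_accepted, "cancelled": cancelled,
            "settled": auction.settle()}


if __name__ == "__main__":
    print("withdrawable:", shielding_scenario(True))
    print("escrowed:   ", shielding_scenario(False))
```

With withdrawable bids the attacker wins at 1; with escrowed bids the cancellation is refused and the attacker is bound to pay 100, which removes the incentive. A marketplace that must allow cancellation should at least extend the closing time whenever a leading bid is withdrawn, so the lockout period cannot be timed to expire with the auction.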

Wash trading: in wash trading, the creators and sellers of an NFT artificially inflate its price by trading it between accounts they control, producing a sales history that attracts buyers. High-value projects such as CryptoKitties and Decentraland have been suspected of wash trading.
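The sales history that wash trading manufactures has a recognisable shape: the same token keeps returning to an address that already owned it, at a rising price. The following is an added example, not code from the post or from any marketplace, that flags that pattern in a sales log and measures how much of the reported volume it accounts for. The sales log and addresses are constructed.

```python
"""Detect wash-trade loops in an NFT sales log. Added example; SAMPLE_SALES
and the abbreviated addresses are constructed for illustration."""

from collections import defaultdict


def find_wash_trades(sales, lookback: int = 3) -> dict:
    """Flag sales that hand a token back to a recent owner.

    sales: dicts with token, seller, buyer, price, block; must be sorted by
    block. A sale whose buyer appears among the token's last `lookback` owners
    is the A->B->A loop wash traders use to print a rising price history.
    Returns token -> list of (block, seller, buyer, price) for flagged sales.
    """
    owners = defaultdict(list)   # token -> owner sequence seen so far
    flagged = defaultdict(list)
    for s in sales:
        chain = owners[s["token"]]
        if not chain:
            chain.append(s["seller"])  # first sale: seller is the prior owner
        if s["buyer"] in chain[-lookback:]:
            flagged[s["token"]].append((s["block"], s["seller"], s["buyer"], s["price"]))
        chain.append(s["buyer"])
    return dict(flagged)


def wash_volume_share(sales, flagged) -> float:
    """Fraction of reported volume that comes from flagged sales."""
    total = sum(s["price"] for s in sales)
    wash = sum(p for rows in flagged.values() for (_, _, _, p) in rows)
    return wash / total if total else 0.0


# Constructed log: kitty#1 bounces between 0xA and 0xB at a doubling price
# before a real buyer 0xC pays the inflated number; land#7 is an ordinary sale.
SAMPLE_SALES = [
    {"token": "kitty#1", "seller": "0xA", "buyer": "0xB", "price": 1.0, "block": 100},
    {"token": "kitty#1", "seller": "0xB", "buyer": "0xA", "price": 2.0, "block": 110},
    {"token": "kitty#1", "seller": "0xA", "buyer": "0xB", "price": 4.0, "block": 120},
    {"token": "land#7",  "seller": "0xD", "buyer": "0xE", "price": 3.0, "block": 125},
    {"token": "kitty#1", "seller": "0xB", "buyer": "0xC", "price": 5.0, "block": 130},
]


def demo():
    """Run the detector over the constructed log."""
    flagged = find_wash_trades(SAMPLE_SALES)
    return flagged, wash_volume_share(SAMPLE_SALES, flagged)


if __name__ == "__main__":
    flagged, share = demo()
    for token, rows in flagged.items():
        for block, seller, buyer, price in rows:
            print(f"{token}: block {block} {seller} -> {buyer} at {price} (returns to prior owner)")
    print(f"wash share of volume: {share:.0%}")
```

A genuine buy-back will also trip this rule, so treat a hit as a signal to look further (shared funding source, timing, whether the loop addresses ever trade with anyone else) rather than as proof on its own.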

Bottom Line

Security breaches often lead to large financial losses.

Identifying the threats to an NFT is the first step to fixing them, and audit firms are best placed to do it. QuillAudits contributes actively to NFT and cryptocurrency security in this way, making the decentralised space more trustworthy and user-friendly.
