2021 has been an interesting year for NFTs.
The most expensive NFTs were sold during this time, including Beeple's artwork and the rarest CryptoPunk collections. The traits that make NFTs intriguing are verifiability and trustless transfer.
In brief, NFT transfers are recorded on the blockchain, so the information needed to verify a transfer can be retrieved whenever required. The blockchain also settles the transfer between the buyer and seller of an NFT, so neither party has to trust the other.
On the downside, NFT security raises concerns about legitimacy and fraudulent activity. This blog covers those occurrences in the NFT cybersecurity ecosystem and relates them to cryptocurrency security.
Given the ease of use and reliability of the Ethereum blockchain, NFTs operating on it are analyzed to identify the cryptocurrency security issues in play.
Key Concepts Covered In This Blog
- Overview of Ethereum blockchain and the functioning of NFTs
- Dissecting the NFT ecosystem into Users, NFT marketplaces, and External entities
- NFT security flaws encountered by NFT marketplaces
- Issues faced with external entities
- Newest NFT threats performed by users
How NFTs work on the Ethereum blockchain
Ethereum is the second most widely adopted blockchain network after Bitcoin. Awareness of Ethereum has risen to the point that, from barely 10,000 users in 2020, it has grown to 4.4 million DeFi users in two years.
Ethereum powers its native ETH token and the many dapps built on it. It operates on the Proof-of-Work consensus mechanism, in which miners solve cryptographic puzzles to add blocks to the Ethereum network.
Smart contracts are deployed to and executed on the Ethereum Virtual Machine (EVM). Tokens built on the Ethereum blockchain are of two types: fungible and non-fungible.
Fungible tokens are usually ERC-20 compliant, whereas non-fungible tokens follow the ERC-721 or ERC-1155 standard. ERC-721 is one of the best-known standards for implementing non-fungible tokens on the Ethereum blockchain.
Breaking Down The NFT Ecosystem
The NFT economy is made up of three classes:
- Users, who are the buyers and sellers of digital assets
- Marketplaces, which act as intermediaries for publicizing the assets and driving their sale
- External Entities that provide infrastructure and host services for users and NFT marketplaces
Users of the NFT economy are further divided into three categories: buyers, sellers, and content creators.
- Content creators produce digital art but may lack the technical skill to convert it into NFTs. Some creators both create and mint, while others grant sellers the rights to convert their work into NFTs.
- Sellers mint NFTs and list them on NFT marketplaces for buyers to purchase.
- Buyers bid on NFTs through the marketplace websites and gain ownership of the assets.
A marketplace operates through two interfaces:
- Web frontend
This is where users purchase NFTs from sellers or initiate transactions. To do so, the website requires user authentication and an account for listing NFTs or purchasing digital art.
- Smart contracts
Transactions on the marketplace interact with smart contracts to carry out their activities. Two types of smart contract exist:
Marketplace contracts: All activities of the NFT marketplace and its protocol are managed through these contracts.
Token contracts: These execute the actual token transfers.
All transactions and token activities are treated as events by NFT marketplaces. Events are stored on-chain, off-chain, or in a hybrid of the two.
- On-chain storage records events on the blockchain, which incurs high gas fees. Ex: SuperRare, Axie Infinity
- Off-chain storage records events in off-chain databases, which is gas-friendly. Ex: Nifty
- Hybrid storage ties the two together, linked by a cryptographic check. Ex: OpenSea
In short, a marketplace facilitates user authentication, token minting, token listing, and token trading.
External entities provide hosting services, such as IPFS, for creators to store their artwork.
CRYPTOCURRENCY SECURITY RISKS ENCOUNTERED BY NFT MARKETPLACES
NFT marketplaces such as OpenSea, Nifty Gateway, Rarible, and SuperRare have been studied for thefts and attacker activity. The following NFT threats are based on the findings of those studies.
Identity verification for user authentication: Verifying personally identifiable information helps prevent money laundering. However, no NFT marketplace was found to mandate a KYC process, so a user can create multiple accounts that are hard to trace.
Token contract verification: A token contract is considered verified once its source code has been submitted to Etherscan for public scrutiny, so that any bugs can be identified. However, none of the marketplaces, including OpenSea, Sorare, and Axie Infinity, makes it mandatory for the contract code to be open-source.
Tampering with metadata: A token's metadata points to the specific asset it represents. When that metadata is stored on a third-party domain it can be altered, which leaves the token open to attack. NFT marketplaces were found to have no preventive measures against metadata tampering, which makes it the newest threat for NFT hacks.
Buyer or seller verification: Verified seller accounts, which carry a badge on their profile, attract a great deal of attention from the buyer community. NFT marketplaces such as Foundation are strict in approving seller verification. Others, such as OpenSea and Rarible, impose no mandatory requirements and leave it to the buyer to establish the seller's authenticity, which presents a greater threat of NFT scams.
CONCERNS ABOUT EXTERNAL ENTITIES
NFTs are ERC-721 compliant, and the standard includes a metadata URL. In general, this URL points to where the data is stored: IPFS (decentralized storage), a web domain, or Amazon S3 (centralized storage).
NFTs that point to external domains are exposed to the risk of the domain becoming invalid or unavailable. In that case the NFT breaks, leaving the URL pointing at empty fields.
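Added example (not code from the original post): a small Python checker for the storage concern above, covering both the metadata-tampering threat and the broken-link case. It classifies a token's tokenURI and the image it references as content-addressed (IPFS), inline (data: URI), mutable (web domain or S3) or broken, and rates the token by its weakest link; the CID shape check, sample URIs and risk labels are assumptions of this example, and nothing is fetched.

```python
"""Rate an ERC-721 token's metadata for tampering and link-rot risk.
Added example, not code from the original post. Sample URIs and the CID
shape check are constructed assumptions; nothing is fetched."""
import json
import re
from urllib.parse import urlparse

# Rough shape check: CIDv0 ("Qm" + 44 base58 chars) or CIDv1 in base32 ("b" + base32)
CID_RE = re.compile(r"^(Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{58,})$")
SAMPLE_CID = "Qm" + "TestCid" * 6 + "12"        # constructed, not a real object

def classify_uri(uri: str) -> str:
    """Return 'content-addressed', 'inline', 'mutable' or 'broken'."""
    if not uri:
        return "broken"                    # empty field: the NFT has already 'broken'
    if uri.startswith("data:"):
        return "inline"                    # metadata returned on-chain as a data: URI
    if uri.startswith("ipfs://"):
        cid = uri[len("ipfs://"):].split("/", 1)[0]
        return "content-addressed" if CID_RE.match(cid) else "broken"
    p = urlparse(uri)
    if p.scheme not in ("http", "https") or not p.netloc:
        return "broken"
    m = re.search(r"/ipfs/([^/?#]+)", p.path)   # HTTP gateway in front of IPFS
    if m and CID_RE.match(m.group(1)):
        return "content-addressed"         # still bound to the hash; only the gateway can go down
    return "mutable"                       # web domain / S3: the host can rewrite it at will

def assess_token(token_uri: str, metadata_json: str) -> dict:
    """Rate the token by its weakest link: the tokenURI or the image it names."""
    meta = json.loads(metadata_json) if metadata_json else {}
    image = meta.get("image") or meta.get("image_url") or ""
    classes = {"token_uri": classify_uri(token_uri), "image": classify_uri(image)}
    order = ["broken", "mutable", "inline", "content-addressed"]
    worst = min(classes.values(), key=order.index)
    classes["risk"] = "high" if worst in ("broken", "mutable") else "low"
    return classes

if __name__ == "__main__":
    # Metadata pinned on IPFS but the image on a CDN: the image is the weak link
    print(assess_token(f"ipfs://{SAMPLE_CID}/1.json",
                       '{"name": "Sample #1", "image": "https://cdn.example.com/1.png"}'))
```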
USER-PERFORMED SECURITY RISKS
Counterfeit NFT creation: Smart contracts store the ownership of tokens. To verify that tokens are legitimate, users are advised to visit the project's website.
The recorded instances of counterfeit NFT creation were:
- NFTs in which the name or character of the original NFT is modified.
- NFTs that point to existing assets by simply duplicating the image_url of the authentic ones.
These are the newest threat to NFT buyers. Counterfeit NFTs are increasingly common because NFT marketplaces perform no stringent verification of whether a collection or token already exists.
Bid shielding: Users are allowed to bid on NFTs. In bid shielding, user X places a high bid so that no other user can bid further on that NFT. User X then withdraws the bid and takes the NFT for the lowest price.
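Added example (not code from the original post): detection logic for the bid-shielding pattern above, run over a constructed auction event log. An auction is flagged when the highest bid was withdrawn before the sale and the token then sold for a small fraction of it, and the finding records whether the withdrawer was also the buyer; the event format and the price-ratio threshold are assumptions of this example.

```python
"""Flag bid-shielding patterns in a marketplace's auction events.
Added example, not code from the original post; the event log and the
price-ratio threshold are constructed assumptions, not real marketplace data."""
from collections import defaultdict

# Constructed events: (timestamp, type, token_id, actor, price_eth)
EVENTS = [
    (1, "bid",      7, "0xAAA", 0.9),
    (2, "bid",      7, "0xCCC", 1.0),     # X's own low bid
    (3, "bid",      7, "0xCCC", 40.0),    # X's shield: nobody can outbid this
    (9, "withdraw", 7, "0xCCC", 40.0),    # shield pulled just before close
    (10, "sale",    7, "0xCCC", 1.0),     # X takes the NFT at the low bid
    (1, "bid",      8, "0xDDD", 2.0),
    (2, "bid",      8, "0xEEE", 2.5),
    (9, "sale",     8, "0xEEE", 2.5),     # normal auction: no withdrawn top bid
]

def detect_bid_shielding(events, min_ratio=5.0):
    """Return {token_id: finding} for auctions where the highest bid was
    withdrawn before the sale and the token then sold for less than
    1/min_ratio of that bid.  Records whether the withdrawer was the buyer."""
    by_token = defaultdict(list)
    for ev in sorted(events):                 # chronological per token
        by_token[ev[2]].append(ev)
    findings = {}
    for token, evs in by_token.items():
        sale = next((e for e in evs if e[1] == "sale"), None)
        if sale is None:
            continue                          # auction still open, nothing to judge
        bids = [e for e in evs if e[1] == "bid"]
        withdrawn = [e for e in evs if e[1] == "withdraw" and e[0] < sale[0]]
        if not bids or not withdrawn:
            continue
        shield = max(withdrawn, key=lambda e: e[4])
        if shield[4] < max(b[4] for b in bids) or shield[4] < min_ratio * sale[4]:
            continue                          # withdrawn bid was not the top bid, or not far above the sale
        findings[token] = {
            "shield_bidder": shield[3], "shield_price": shield[4],
            "buyer": sale[3], "sale_price": sale[4],
            "same_actor": shield[3] == sale[3],   # withdrawer and buyer are one account
        }
    return findings

if __name__ == "__main__":
    print(detect_bid_shielding(EVENTS))
```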
Wash trading: In wash trading, the creators and sellers of an NFT artificially inflate the price of the asset to attract buyers' attention. For example, high-value projects such as CryptoKitties and Decentraland are suspected of wash trading, adding to cryptocurrency security concerns.
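Added example (not code from the original post): detection logic for wash trading, run over a constructed sale log. A token is flagged when a sale returns it to an address that already held it or when seller and buyer are the same address, and the finding reports how few wallets the trades cycle through and how much the price rose; the sale format is an assumption of this example.

```python
"""Flag wash-trading patterns in an NFT sale log.  Added example, not code
from the original post; the sale records are constructed, not chain data."""
from collections import defaultdict

# Constructed sales: (timestamp, token_id, seller, buyer, price_eth)
SALES = [
    (1, 1, "0xA1", "0xB2", 1.0),
    (2, 1, "0xB2", "0xA1", 3.0),   # straight back to the previous owner
    (3, 1, "0xA1", "0xB2", 9.0),   # and again, at a higher price each time
    (4, 2, "0xC3", "0xC3", 5.0),   # self-trade: seller == buyer
    (5, 3, "0xD4", "0xE5", 2.0),
    (6, 3, "0xE5", "0xF6", 2.2),   # organic: never returns to a prior owner
]

def detect_wash_trading(sales):
    """Return {token_id: finding} for tokens whose sales loop among a closed
    set of addresses: a buyer that already held the token, or seller == buyer."""
    by_token = defaultdict(list)
    for s in sorted(sales):                   # chronological per token
        by_token[s[1]].append(s)
    findings = {}
    for token, trades in by_token.items():
        owners_seen = {trades[0][2]}          # first seller is the first known owner
        loops, self_trades = 0, 0
        for _ts, _token, seller, buyer, _price in trades:
            if seller == buyer:
                self_trades += 1
            elif buyer in owners_seen:
                loops += 1                    # token returned to a prior holder
            owners_seen.add(buyer)
        if loops or self_trades:
            first, last = trades[0][4], trades[-1][4]
            findings[token] = {
                "loops": loops, "self_trades": self_trades,
                "distinct_wallets": len(owners_seen),
                "price_multiple": round(last / first, 2) if first else None,
            }
    return findings

if __name__ == "__main__":
    print(detect_wash_trading(SALES))
```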
Security breaches often lead to huge financial losses.
Identifying an NFT threat is the first step to rectifying it, and auditing companies do this best. QuillAudits is making an active contribution to NFT and cryptocurrency security in this way, making the decentralized space more trustworthy and user-friendly.