Non-fungible tokens (NFTs), for all that they have become a new way for artists and inventors to interact and claim ownership, have fallen victim to one of the most pressing issues the crypto industry still faces: security.
In this article, we’ll take a look at some of the most “popular” and most devastating security attacks NFT users have had to endure.
The illusion of privacy
The entire philosophy behind blockchain is freedom and anonymity. But if you think about it, that anonymity is only nominal. Once you make even a single transaction with another person, they can see what you have in your “pockets”: which assets you hold, how many of them, and what transactions you’ve been making.
NFTs take this issue to another level since their very idea is to provide proof of who created them and who now owns them, which means that everyone who gets involved with NFTs, in one way or another, has their data exposed to the world.
One vivid example is Jimmy Fallon. During an episode of The Tonight Show with Paris Hilton as his guest, he showed the Bored Ape NFT he owns, which made it possible to track down his wallet (and someone actually did) and make his crypto transactions known to the public.
Contracts are smart yet vulnerable
NFTs are built on smart contracts, and smart contracts are written by people (developers), which leaves room for human error.
One notable example happened in 2017, when one of the most popular NFT projects, CryptoPunks, suffered a smart contract bug that prevented sellers from receiving their ETH. This opened the door to malicious users purchasing the NFTs and then retrieving the money from the smart contract.
Marketplaces are supposed to be safe, but they’re not all created equal
The NFT marketplaces are booming, with new projects launching every month, heck, every day. However, as with any other crypto project, security is still one of the main issues for these platforms.
Not only do these very platforms hold users’ NFTs if owners decide to leave them there rather than transfer them to storage of their choice, defying the very core of the ownership concept; the marketplaces have also proven to be less secure than they claim to be.
In February 2022, OpenSea, one of the biggest marketplaces, had 245 tokens worth $1.7 million (at the time) stolen in a matter of three hours. The Wyvern Protocol used for NFT smart contracts had allegedly been exploited, leaving users’ accounts vulnerable.
According to the OpenSea CEO, some of the users “signed a malicious payload from an attacker,” but the order details were left blank, giving the attacker the opportunity to fill in the contract details and have the NFTs transferred.
Exploiting crypto wallets
Who doesn’t love free stuff? Everyone does. New projects coming into the crypto space are fighting for the community’s attention, often attracting users with free airdrops, NFTs and other incentives. But sometimes free comes with a price.
Multiple OpenSea users have complained about receiving NFTs as gifts and then losing control of their wallets. Security experts from Check Point Research (CPR) decided to investigate these complaints and found out how this kind of attack works.
A hacker creates a malicious NFT and sends it to a potential target. The target receives a notification (which looks like a notification from OpenSea) about the gift, asking them to connect their wallet. Once the user does so, they automatically grant the hacker access to their wallet, which can lead to the loss of all of their funds.
Most notable NFT scams to date
We’ve already mentioned a couple of the biggest scams in the NFT space. Sadly, NFTs are vulnerable to all kinds of scams, pump and dump schemes, rug pulls and other malicious activity.
This month alone, OpenSea has experienced one more hack. Multiple users noticed a project promotion on OpenSea’s official Discord, where an OpenSea bot announced that “YouTube is officially partnering with [OpenSea] to bring their community into the NFT space,” encouraging them to “mint YouTube Genesis Mint Pass” via the link. Before the phishing attack was noticed and the message deleted, 13 users had fallen victim to the scam and had NFTs worth $18,000 in total stolen.
In March 2021, users of the Nifty Gateway marketplace reported that their accounts had been compromised. The hacker got hold of the users’ NFTs, worth thousands of dollars.
List of stolen pieces from @niftygateway hack. Not one other account of mine compromised and other ppl on NG same hack. $150K+ of things stolen. pic.twitter.com/GEC3Y4PdHQ
— Keyboard Monkey (@KeyboardMonkey3) March 15, 2021
The company claimed the platform had “no indication of compromise,” implying that the hack might have been the users’ fault. “Our analysis is ongoing, but our initial assessment indicates that the impact was limited, none of the impacted accounts had 2FA enabled, and access was obtained via valid account credentials,” the company’s statement reads.
Ironically enough, around the same time, another fishy case took place on a different NFT marketplace, Rarible. A user impersonated the well-known illustrator Derek Laufman and tried to sell his illustrations as NFTs. Even more ironically, the impersonator managed to get the account verified. After several complaints and messages on Twitter, including from the real Derek Laufman, who himself learned about it from the social media platform’s users, Rarible disabled the account, but unfortunately not before some users had acquired some of the non-fungible tokens.
This is 100% NOT me. I thought the point of NFT was that the artwork and artists needed to be verified? Apparently super easy to scam people. What a joke that platform is. https://t.co/FrBy4zuhQy
— Derek Laufman (@laufman) March 13, 2021
It’s not only marketplaces that have let NFT users down; celebrities have too. The adult film actor Lana Rhoades has a large social media following thanks to her acting career. She decided to get into the digital collectibles market and release her own non-fungible token collection.
Rhoades promised “a lucrative investment for holders” and said that her main goal was to “increase the value” of her NFTs, adding that she was sure it would “sell out quickly.” She also promised other holder benefits like exclusive future drops, physical merchandise, and direct interactions with her and other “CryptoSis models” in the “metaverse.”
But after the NFTs called CryptoSis were released, in what appears to be a rug pull, the funds from the sales disappeared, and the actress replied to one of the users, writing, “Trust I want nothing to do with the space anymore,” before deleting her Twitter account.
Users’ security is the primary goal for Amberfi. Amberfi protects the community by keeping IP protected through verification, watermarking and audited smart contract processes.