The rising popularity of Non-Fungible Tokens (NFTs) has sent their market demand skyrocketing over the past year. With that rapid expansion, NFTs have become new targets of cybercrime. Scammers and fraudsters devise increasingly inventive ways to game the system and profit greatly, and despite the novelty of NFTs and their security architecture, hackers steal tokens and money with ever more advanced techniques.
In the world of NFTs, fraud takes many forms, including phishing, selling fake art, converting real works of art into NFTs without the artists' permission, smart contract vulnerabilities, and more. It is best to be aware of these potential weaknesses while creating and managing your own NFT marketplace. In our previous blog posts on NFTs, we discussed security issues with NFTs and how the next generation of dynamic NFTs is revolutionizing many business processes. In this blog post, we highlight the risks to NFT smart contracts: we've compiled a list of NFT hacks caused by smart contract vulnerabilities, along with preventive measures to safeguard your own NFT smart contracts.
NFTs are distinct cryptocurrency tokens whose ownership is recorded on a blockchain. Each NFT carries code, a unique ID, and other metadata that no other token can match, and the blockchain serves as the decentralized ledger that tracks its ownership and transaction history.
NFT creation can be carried out through contract-enabled blockchains using the proper resources and assistance. The tokens' smart contracts enable the addition of specific information, such as the owner's identity, among other things. Non-fungible tokens operate on the Ethereum blockchain and other compatible blockchains using the ERC721 standard or a modified version known as ERC1155. However, there are NFT standards on other blockchains, including Metaplex's Solana standard, FA2 on Tezos, TRC-721 on Tron, and Cardano's use of PolicyIDs and metadata for native NFTs.
In reality, NFTs are smart contracts, and smart contracts are prone to flaws. Smart contracts are code, and the more complicated the code, the more room there is for errors. Developers do, of course, frequently check their code for mistakes and vulnerabilities. Even after a thorough review, however, a weakness or two may remain and cause problems later, especially if malicious hackers find them first. Below we list some of the NFT smart contract vulnerabilities behind past cyber heists.
Token sales are the first chance for hackers to sabotage an NFT project by exploiting weaknesses in its smart contracts. The Adidas NFT token sale is among the most notable instances.
While the sale was under way, the hacker got around the limit on the maximum number of tokens a wallet could acquire by deploying a custom smart contract a few hours before minting opened. All the hacker needed to do was bypass the restriction that allowed only two NFTs per Ethereum wallet, and he was able to mint 330 NFTs.
The next issue is likely to lie with the marketplaces where NFTs are sold. OpenSea, the biggest NFT marketplace in the world, is one illustration: a recent attack on OpenSea let the attacker purchase NFTs at their earlier, lower prices.
Because of this flaw, several users were able to purchase valuable NFTs at prices far below the tokens' market value. The Bored Ape Yacht Club was the most noteworthy project affected: one of its NFTs (#9991) was bought for 0.77 ETH, and the attacker later sold it for 84.2 ETH.
Another instance is Treasure Marketplace, a platform for NFTs and metaverse games on the Arbitrum blockchain, which was exploited in March 2022 after several hackers discovered a way to get NFTs for nothing. The marketplace smart contract failed to check that the requested number of NFTs was above zero, so exploiters could set the amount to zero and still receive NFTs, paying $0. The exploit was used to take 154 NFTs, almost all of which were returned after the problem was fixed.
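To show why the missing zero-quantity check mattered, here is a minimal listing marketplace written for this post as an added example; it is constructed and is not Treasure Marketplace's or OpenSea's code. The names (`ListingMarket`, `buy`, `list`) and the OpenZeppelin 4.x import paths are assumptions of the example. The key point is that the payment owed is computed as `pricePerItem * quantity`, while the ERC721 transfer that hands over the token does not depend on `quantity` at all. Without the explicit `quantity > 0` check, a buyer passing `0` owes 0 wei and still receives the token.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Assumes OpenZeppelin Contracts 4.x is installed (import paths differ in 5.x).
import "@openzeppelin/contracts/token/ERC721/IERC721.sol";
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";

/// Constructed example marketplace (not any real marketplace's code).
/// Listings are for single ERC721 tokens, so `quantity` is 1 per listing,
/// but the payment math is written the way a multi-quantity market writes it.
contract ListingMarket is ReentrancyGuard {
    struct Listing {
        address seller;
        address nft;
        uint256 tokenId;
        uint256 pricePerItem; // in wei
        uint256 quantity;     // always 1 for an ERC721 listing
        bool active;
    }

    mapping(uint256 => Listing) public listings;
    uint256 public nextListingId;

    event Listed(uint256 indexed id, address indexed seller, address nft, uint256 tokenId, uint256 pricePerItem);
    event Bought(uint256 indexed id, address indexed buyer, uint256 quantity, uint256 paid);
    event Cancelled(uint256 indexed id);

    /// The seller must have approved this contract for the token beforehand
    /// (IERC721.approve or setApprovalForAll), or the transfer in buy() reverts.
    function list(address nft, uint256 tokenId, uint256 pricePerItem) external returns (uint256 id) {
        require(pricePerItem > 0, "price must be > 0");
        require(IERC721(nft).ownerOf(tokenId) == msg.sender, "not token owner");
        id = nextListingId++;
        listings[id] = Listing(msg.sender, nft, tokenId, pricePerItem, 1, true);
        emit Listed(id, msg.sender, nft, tokenId, pricePerItem);
    }

    function buy(uint256 id, uint256 quantity) external payable nonReentrant {
        Listing storage l = listings[id];
        require(l.active, "listing inactive");

        // This is the check whose absence let buyers pay $0: with quantity == 0
        // `cost` below is 0, msg.value == 0 passes, and the token is transferred anyway.
        require(quantity > 0, "quantity must be > 0");
        require(quantity <= l.quantity, "not enough quantity");

        uint256 cost = l.pricePerItem * quantity; // Solidity 0.8 reverts on overflow
        require(msg.value == cost, "incorrect payment");

        // Sanity check against a stale listing: the seller must still hold the token.
        // This alone does not invalidate a listing the seller forgot to cancel,
        // so sellers should still cancel() on-chain when delisting.
        require(IERC721(l.nft).ownerOf(l.tokenId) == l.seller, "stale listing");

        // Checks-effects-interactions: update state before any external call.
        l.quantity -= quantity;
        if (l.quantity == 0) {
            l.active = false;
        }

        // The transfer does not depend on `quantity`, which is why the zero check
        // above must be explicit rather than relying on the payment math.
        IERC721(l.nft).safeTransferFrom(l.seller, msg.sender, l.tokenId);

        (bool ok, ) = payable(l.seller).call{value: msg.value}("");
        require(ok, "payment to seller failed");

        emit Bought(id, msg.sender, quantity, msg.value);
    }

    function cancel(uint256 id) external {
        Listing storage l = listings[id];
        require(l.seller == msg.sender, "not seller");
        require(l.active, "already inactive");
        l.active = false;
        emit Cancelled(id);
    }
}
```

The `nonReentrant` modifier and the state updates placed before `safeTransferFrom` and the ETH payout are there because both of those calls hand control to external code; they are not what fixed the zero-quantity bug, but a marketplace that omits one check tends to omit the others.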
Another kind of attack is the "re-entrancy attack." It abuses a callback mechanism that makes it easier for developers to incorporate NFTs into other projects; the problem is that hackers can use the same callback to launch re-entrancy attacks if the code's authors neglected to include defenses against them. One of the most recent instances was an attack transaction reported against a HypeBeast NFT contract on February 3rd.
The project capped the number of NFTs a single account could mint, but the attackers used the callback function to call the mintNFT method again and so bypass the cap.
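The two minting incidents above, the per-wallet cap bypassed from a deployed contract and the cap bypassed by re-entering the mint through a callback, share one root cause: the mint function talks to external code before it finishes its own bookkeeping. The contracts below are a constructed example added to this post, not the Adidas or HypeBeast code. `VulnerableMint` shows the pattern, and `HardenedMint` shows the defensive version. Names, the token symbols and the OpenZeppelin 4.x import paths are assumptions of the example; `_safeMint` and the `onERC721Received` callback it triggers on contract recipients are standard ERC721 behaviour.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Assumes OpenZeppelin Contracts 4.x (Ownable takes no constructor argument there).
import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

/// Constructed vulnerable pattern (not any real project's code).
/// `minted[msg.sender]` is only updated after the loop, but `_safeMint`
/// calls `onERC721Received` on a contract recipient during the loop. A
/// receiving contract can therefore call mint() again from that callback
/// while its recorded count is still 0, and the wallet cap is never hit.
contract VulnerableMint is ERC721 {
    uint256 public constant MAX_PER_WALLET = 2;
    uint256 public constant MAX_SUPPLY = 1000;
    uint256 public nextTokenId;
    mapping(address => uint256) public minted;

    constructor() ERC721("VulnExample", "VULN") {}

    function mint(uint256 quantity) external {
        require(minted[msg.sender] + quantity <= MAX_PER_WALLET, "wallet cap");
        require(nextTokenId + quantity <= MAX_SUPPLY, "sold out");
        for (uint256 i = 0; i < quantity; i++) {
            // External call (callback into a contract caller) happens here,
            // before the per-wallet counter below is updated.
            _safeMint(msg.sender, nextTokenId++);
        }
        minted[msg.sender] += quantity; // too late: re-entrant calls saw the old value
    }
}

/// Hardened version of the same sale.
contract HardenedMint is ERC721, ReentrancyGuard, Ownable {
    uint256 public constant MAX_PER_WALLET = 2;
    uint256 public constant MAX_SUPPLY = 1000;
    uint256 public nextTokenId;
    mapping(address => uint256) public minted;
    bool public saleActive;

    constructor() ERC721("HardExample", "HARD") {}

    function setSaleActive(bool active) external onlyOwner {
        saleActive = active;
    }

    // nonReentrant blocks a second entry into mint() for the duration of the call,
    // whatever a recipient does inside onERC721Received.
    function mint(uint256 quantity) external nonReentrant {
        require(saleActive, "sale not active");
        // Example policy: the sale is for externally owned accounts only. Rejecting
        // contract callers stops one deployed contract from looping the mint, at the
        // cost of excluding smart-contract wallets; it does nothing against a person
        // using many ordinary wallets, so the per-wallet cap is a soft limit at best.
        require(msg.sender == tx.origin, "contracts not allowed");
        require(quantity > 0, "quantity must be > 0");
        require(minted[msg.sender] + quantity <= MAX_PER_WALLET, "wallet cap");
        require(nextTokenId + quantity <= MAX_SUPPLY, "sold out");

        // Checks-effects-interactions: all bookkeeping is final before any
        // external call, so even a successful re-entry would see the updated counts.
        minted[msg.sender] += quantity;
        uint256 first = nextTokenId;
        nextTokenId += quantity;

        for (uint256 i = 0; i < quantity; i++) {
            _safeMint(msg.sender, first + i);
        }
    }
}
```

Of the three defences in `HardenedMint`, the reordering of state updates is the one that actually removes the re-entrancy bug; `nonReentrant` is defence in depth, and the `tx.origin` check is a policy choice with a real usability cost that each project has to weigh.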
Any artificial activity that significantly alters the supply or demand of an asset is referred to as price or market manipulation. Wash trading is a more specialized form of market manipulation in which people sell their own NFTs to themselves at artificially inflated or deflated prices. According to studies, wash trades are thought to account for about 2% of total NFT-related trading.
The NFT market is particularly vulnerable to manipulation, since prices depend heavily on who is involved and on influencer promotion. Wash trading is also fairly easy to conceal: manipulators can buy and sell their own NFTs through several wallets that appear unrelated to one another and are funded from multiple sources.
In one recent case, a user purchased five Axie Infinity "Terminator" NFTs for over $4,000 and sold all five for about $2,000, losing half of the initial outlay in less than twelve hours. None of the five NFTs has been sold since. The same user minted additional NFTs for the Fox Game Official collection, transferred them to other users, and then sold the other users' NFTs for a few thousand dollars in profit.
According to Elliptic's analysis, the user has significant incoming exposure to the Axie-Ronin Bridge and outgoing exposure to Tornado Cash.
The NFT industry offers great potential, but its various vulnerabilities also let hackers exploit it. The fault does not always lie with the NFT itself, however: sometimes the problem is with the marketplace that offers the tokens, with investors who are unaware of their rights, or even with NFT developers who set out to defraud the public and vanish with their money.
To protect investors, NFT projects must audit their smart contracts with products such as the BlockChainSentry VM system, and marketplaces must routinely test their systems for vulnerabilities and flaws. Investors themselves can do little beyond proceeding cautiously and educating themselves about potential hazards and how to avoid them. For audits and audit scanners, a leading contact is firstname.lastname@example.org.