Discover the vulnerabilities in smart contracts in non-fungible tokens (NFTs) and learn how to better protect your digital assets.
Are you aware of the potential security pitfalls lurking within NFTs? This article aims to shed light on some common vulnerabilities in smart contracts, which often result in significant losses within the blockchain ecosystem.
We will explore some effective methods to detect and mitigate these potential security threats in the NFT landscape.
Identify and understand vulnerabilities in smart contracts
Smart contracts are the backbone of NFTs, managing the creation, ownership, identification and exchange of unique, irreplaceable digital assets, all without the need for a central authority.
However, these contracts, as revolutionary as they may be, have weaknesses. NFT security vulnerabilities can lead to all kinds of unintended consequences, from asset theft to accidental listings, because they are often targeted by code exploits rather than the NFTs themselves.
Vulnerabilities in smart contracts are usually rooted in high-level coding languages such as Solidity, Vyper or Rust. A single mistake in your Solidity code can give rise to many NFT vulnerabilities.
Furthermore, the problem can be further exacerbated when contracts interact with each other, with a single smart contract vulnerability potentially crashing the entire application or even third parties that depend on it.
Common problems:
Re-entry: This attack occurs when multiple transactions are sent quickly to a smart contract, allowing potential flaws to be exploited by hackers.
Denial of Service (DOS): DOS attacks often involve rendering a function unexecutable by creating an infinite loop or exploiting Ethereum’s gas limit.
Arithmetic overflows and underflows: These errors are related to data processing within the contract and can often lead to significant NFT security issues.
Standard visibility: In Ethereum smart contracts, the default feature visibility is public, leaving room for potential exploitation by malicious actors.
Entropy illusion: This smart contract vulnerability arises when developers incorrectly assume that the block hash function can produce random numbers, which can lead to manipulated results.
Tx.Origin authentication: Using the tx.origin command for authentication can lead to phishing attacks, compromising the smart contract.
Race Conditions: These occur when the outcome of a function depends on the order of transactions, leaving room for possible exploitation.
Case studies
These NFT vulnerabilities have been exploited in multiple real-world cases, resulting in significant losses. Some examples include:
NFT Trader contract compromise: On December 16, 2023, trading site NFT Trader suffered an exploit of two of its older contracts, resulting in the theft of several valuable NFTs, including Bored Apes, Art Blocks, World of Women, and VeeFriends.
The vulnerability in NFT Trader’s contracts was identified by delegation.cash founder 0xfoobar, who urged users of the platform to immediately revoke all permissions associated with compromised contracts.
Security flaw in the common smart contracts library: Towards the end of 2023, Thirdweb, a company specializing in Web3 technologies, discovered a major smart contract vulnerability in a widely used open source library.
This vulnerability reportedly affected off-the-shelf smart contracts such as DropERC20, ERC721, ERC1155, and AirDrop20, potentially compromising multiple NFT collections.
After discovery, Thirdweb started an investigation together with its audit partners. Fortunately, they discovered that this vulnerability had not been exploited in any of their smart contracts.
As part of the fix, the company has addressed the issue, presumably by patching the NFT vulnerability in the library and updating the affected smart contracts to use the updated library.
manipulation of AllianceBlock tokens: In February 2023, ALBT, AllianceBlock’s native token, fell victim to an Oracle hack that resulted in significant price manipulation.
The incident occurred when an operator tampered with an oracle in a smart contract, allowing them to manipulate ALBT prices and generate significant amounts of the Bonq Euro (BEUR) stablecoin. This exploitation led to a huge loss estimated at around $120 million.
According to reports, hackers siphoned off around $5 million worth of ALBT tokens through Bonq’s decentralized lending protocol. In another case, hackers compromised the protocols’ smart contract and manipulated AllianceBlock tokens, sucking approximately $88 million worth of crypto from the system.
The exploit also had a significant impact on ALBT’s value, which fell by 51% immediately after the incident and by more than 65% in the following days.
Omni Re-entry (July 2022): In July 2022, Omni, a platform that operates as an NFT money market, suffered a significant breach due to a reentry vulnerability in its Ethereum contracts, resulting in a loss of $1.4 million.
A security analysis The hack revealed that the attacker was able to extract 1,300 ETH from the platform’s test funds.
Although Omni was quick to point out that no user funds were affected in the incident, the event raised serious questions about the security of blockchain platforms and the measures they need to take to protect against such attacks.
LooksRare DDoS attack (January 2022): Within hours of its launch on January 11, 2022, the Looks rare platform fell victim to a Distributed Denial of Service attack, making the site inaccessible.
Many users reported issues linking their digital wallets and encountered issues listing their NFTs. The LooksRare team acted quickly to restore website functionality, although the wallet connectivity issue remained unresolved for some time.
In each of the above cases, the common denominator was the exploitation of vulnerabilities in smart contracts, ranging from coding errors to design flaws. It highlights the importance of a comprehensive audit of NFT security issues before deploying a smart contract.
Limiting vulnerabilities
Although the crypto ecosystem consists of highly experimental technology, several measures can be taken to improve the security of digital assets.
It is essential that you are aware of the permissions your wallet requires when transacting on a platform and ensure that you do not accidentally grant more access than intended.
For unknown or less trusted platforms, it is advisable to create a new wallet and test the platform with a small amount before transferring larger amounts.
As an additional layer of protection, syncing your browser-based wallet with your hardware wallet can provide an additional opportunity to correct any transaction errors.
Smart contract control
Normal auditing of NFT smart contracts can help identify and address potential vulnerabilities. Companies that specialize in security services in this area can comprehensively review code, analyze vulnerabilities and provide detailed reports.
Bug bounties
After internal audits, an NFT project can initiate a bug bounty program, inviting the public to identify and report vulnerabilities in the contract in exchange for rewards.
Correct project management
Rushing the software process or showing minor carelessness can lead to significant losses. That’s why good project management is crucial to avoid NFT security issues.
The future of smart contracts
Smart contracts are still an evolving field and recent developments have significantly increased their security. Communication systems between platforms are becoming more robust and projects are using accounting firms and AI and bot systems to quickly identify suspicious transactions.
Additionally, post-hack money laundering has become more difficult due to increased law enforcement scrutiny and the imposition of stricter AML and KYC requirements on crypto sector players.
Additionally, the rise of “white-hat” hackers, who help identify vulnerabilities without causing significant losses to platforms, has also contributed to improved smart contract security.
But even with these measures, it is essential to understand that no developer or programmer can claim that their contracts are 100% secure. As such, NFT users should still weigh the risks carefully.