The Security and Authenticity of NFTs

10 Jun 2024

Non-fungible tokens represent an exciting new development in the world of digital assets. Among the people excited about them are hackers, who so far have succeeded in exploiting a range of vulnerabilities.

From the very beginning, it sounded suspicious. The auction was offering an NFT from a famous artist - Banksy - who had never sold his work as an NFT before. The buyer - who goes by the name Pranksy - thought it might be a golden opportunity, especially since the NFT appeared to be legit because it linked to the artist’s website. When Pranksy’s bid, which was for more than $300,000, was immediately accepted, he knew it was a fraud. And he was right.

While scams in the world of Non-fungible Tokens (NFTs) are not uncommon, this one stood out because of its intriguing ending. The money that was stolen through the scheme was returned to the buyer. When asked in an article that appeared last September in The Guardian what might have motivated the scam, Pranksy suggested the fraudster might have been trying to expose “the vulnerabilities… with validation within NFTs.”

Chinks in the Blockchain

As the story of the phony Banksy illustrates, there are vulnerabilities when it comes to the security and authenticity of NFTs. Considering that Pranksy is a seasoned NFT collector - in fact, he is said to have the largest NFT collection in the world - and that he was fooled shows just how important it is for the rest of us to advance with caution into the world of NFTs.

Because NFTs are built on blockchain technology, the assumption is that they are secure and their ownership is authenticated. Because of their reliance on the immutable, decentralized, and hack-resistant blockchain, NFTs have been proclaimed as the long-awaited solution for authenticating digital assets.

To be fair, many of the scams that have successfully targeted NFTs have relied on user errors rather than technology errors. Still, there are examples that show that technology is not ironclad. Here are some thoughts on the top concerns in the area of NFT security and authenticity.

Smart Contract Exploitation

CryptoPunks called it a “bug.” A more technical explanation is that there was a vulnerability in the smart contract associated with some of their NFTs that allowed people to purchase them on the secondary market without delivering any payment.

Because NFT smart contracts play a key role in establishing ownership, especially when NFTs change hands, any vulnerabilities can be exploited to sidestep the proper course of action that the contract stipulates. The CryptoPunks bug revealed the importance of proper testing for smart contracts. Creating more secure smart contracts will definitely be a priority for developers as the NFT market matures.
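As an added illustration (constructed here, not the CryptoPunks contract or any code from the original article), the hypothetical resale contract below shows the class of defect the text describes: a `buyUnchecked` function that transfers the token without ever comparing `msg.value` to the asking price, beside a `buy` function that makes the check the contract's own rules require. Names and the pull-payment layout are assumptions for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal NFT resale contract (constructed for illustration; it is
// not the CryptoPunks contract). Ownership and listings are kept in mappings;
// proceeds are credited to a pull-payment balance the seller withdraws later.
contract ResaleMarket {
    mapping(uint256 => address) public ownerOf;
    mapping(uint256 => uint256) public askPrice;          // 0 = not listed
    mapping(address => uint256) public pendingWithdrawals;

    constructor(uint256[] memory ids) { for (uint256 i = 0; i < ids.length; i++) ownerOf[ids[i]] = msg.sender; }

    function list(uint256 tokenId, uint256 priceWei) external {
        require(ownerOf[tokenId] == msg.sender, "not owner");
        require(priceWei > 0, "price must be > 0");
        askPrice[tokenId] = priceWei;
    }

    // VULNERABLE: the asking price is read but never compared with msg.value,
    // so a buyer who sends 0 wei still receives the token. This is the class of
    // defect the article describes, not the actual CryptoPunks code.
    function buyUnchecked(uint256 tokenId) external payable {
        address seller = ownerOf[tokenId];
        require(askPrice[tokenId] > 0, "not for sale");
        ownerOf[tokenId] = msg.sender;
        askPrice[tokenId] = 0;
        pendingWithdrawals[seller] += msg.value;          // may be zero
    }

    // FIXED: payment is verified against the listed price, the seller (not the
    // buyer) is credited, and all state changes happen before any value moves.
    function buy(uint256 tokenId) external payable {
        address seller = ownerOf[tokenId];
        uint256 price = askPrice[tokenId];
        require(price > 0, "not for sale");
        require(msg.value >= price, "insufficient payment");
        ownerOf[tokenId] = msg.sender;
        askPrice[tokenId] = 0;
        pendingWithdrawals[seller] += msg.value;
    }

    // Sellers withdraw via a pull pattern; the balance is zeroed before the call.
    function withdraw() external {
        uint256 amount = pendingWithdrawals[msg.sender];
        pendingWithdrawals[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "withdraw failed");
    }
}
```

A unit test that calls `buyUnchecked` with zero value and asserts ownership changed hands is exactly the kind of case the text says proper smart-contract testing must cover.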

Marketplace Hacking

Blockchain may be decentralized, but NFTs are most often bought and sold on centralized NFT platforms that can be targeted by hackers just like any other platform. In March 2021, the Nifty Gateway platform was hacked, resulting in the theft of thousands of dollars in NFTs as well as user credit card info that was used to buy more NFTs.

Nifty Gateway clarified that it was not the platform itself that was hacked, but user accounts on the platform. Whether or not that distinction matters, the incident illustrates that buying or selling NFTs through a marketplace platform introduces security vulnerabilities.

Lack of User Vigilance

Once you have purchased an NFT with a secure contract from a secure marketplace, your final task is storing it in a secure location, which has proven to be one of the most challenging aspects of establishing NFT security. Because NFTs must be stored in a personal wallet protected by a personal password, the same scams that are used to hack into email or social media accounts can be used effectively to gain illicit access to NFTs if users are not careful.

Multi-factor authentication (MFA) is the most frequently recommended security measure for protecting password-based accounts.

Rather than just requiring a password, which can be easy to guess or obtain through schemes like phishing, pretexting, and baiting, multi-factor authentication systems will require that the person seeking access have knowledge of something like a password as well as possession of something like the user’s phone, to which an authenticating message can be sent.

Another highly recommended security measure is storing NFTs in cold wallets, which keeps NFTs offline, rather than in hot wallets, which provide online storage and which are vulnerable to hacking.

When users resist implementing advanced security measures like MFA or cold wallets, it is often because of the inconvenience they present. For digital natives, the idea of keeping NFTs in a cold wallet that is offline and not immediately accessible sounds like stepping back in time a decade or more. If that is how you see it, keep in mind that NFTs are a new technology that has proven to be vulnerable. If Pranksy can be scammed, anyone can.