Top 5 NFT smart contract vulnerabilities to watch out for
At their core, NFTs are smart contracts, and as such they may contain bugs or errors that may put your investment at risk. Which are the most common ones?
The NFT sector has seen several problems since it emerged, which has left a lot of people concerned that NFTs are not as safe as previously thought. However, the problem does not lie with NFTs themselves.
NFTs are actually smart contracts, and these contracts are subject to vulnerabilities. In their essence, smart contracts are just code, and the more complex the code is, the more room there is for errors to show up. Of course, developers tend to comb their code for errors and vulnerabilities time and time again, but even after an extensive search, a flaw or two can still remain and cause problems down the road, especially if bad actors manage to identify them.
This is why security audits should still be carried out, as the code of the smart contracts requires a greater amount of attention. Then, and only then can smart contracts — and to some extent, the NFTs — be adequately secured.
Let’s take a look at some of the more common but still quite dangerous flaws that tend to be present in smart contracts:
NFT token sale vulnerabilities
The first opportunity that bad actors have to use the flaws of smart contracts to disrupt an NFT project is during token sales. One of the most notable examples is the Adidas NFT token sale.
As the sale was underway, an attacker managed to bypass the limit on the maximum number of tokens that a wallet could purchase. As a result, the hacker managed to score 330 NFTs, permanently disrupting Adidas’ otherwise successful debut NFT collection “Into the Metaverse.” All that the hacker had to do to achieve this was remove the limit that said that only two NFTs can be scored per Ethereum wallet.
The next flaw does not necessarily involve the NFTs themselves, but the marketplaces where they can be found. One example of this is OpenSea, the largest NFT marketplace in the world. Not too long ago, OpenSea suffered an attack during which the offending party managed to buy coins at their old price.
This loophole allowed several people to buy valuable NFTs at prices significantly under the tokens’ market value. The most notable project that was affected by this was the Bored Ape Yacht Club, with one of its NFTs (#9991) purchased for 0.77 ETH, only for the attacker to resell it for 84.2 ETH.
Exposed private keys
The third problem that I would like to mention is not specific to NFTs. In fact, it has been a part of the crypto industry ever since there was a crypto industry. It revolves around the safe storage of private keys, which are used for accessing wallets and conducting payments.
Hackers have identified many methods that can be used against uninformed investors to steal their private keys and access their coins and tokens. One of the most commonly used methods is phishing. Once again, OpenSea comes to mind, as it recently suffered a phishing attack, where users thought that they were sending transactions to the network.
Instead, a hacker tricked them into signing the data using MetaMask, and with the help of their signature, the attacker managed to steal their funds.
Another type of attack is known as a re-entrancy attack, and this one concerns OpenZeppelin’s most popular implementation of the NFT standard, which has a callback function.
The function is intended to help developers integrate NFTs into projects, but it can also be misused for conducting re-entrancy attacks if the developers were careless enough to forget to protect against them. One of the latest examples of this attack happened on February 3rd when a HypeBeast NFT contract reported an attack transaction.
The project had a limit on how many NFTs an account can mint, but the attackers used the callback function to invoke the mintNFT function again.
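The pattern described above, shown as an added example that is not code from the article or from any project it names: a mint function whose per-wallet counter is updated only after the receiver callback has run, next to a hardened version. It assumes OpenZeppelin Contracts 5.x import paths and that the callback in question is the `onERC721Received` hook triggered by `_safeMint`; the contract names, `MAX_PER_WALLET`, `minted` and `nextId` are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

// Constructed example: per-wallet limit that can be bypassed through the callback.
contract VulnerableMint is ERC721 {
    uint256 public constant MAX_PER_WALLET = 2; // hypothetical limit
    uint256 public nextId;
    mapping(address => uint256) public minted;

    constructor() ERC721("Vulnerable", "VULN") {}

    function mintNFT(uint256 amount) external {
        // The check reads the counter as it stood before this call started.
        require(minted[msg.sender] + amount <= MAX_PER_WALLET, "wallet limit");
        for (uint256 i = 0; i < amount; i++) {
            // _safeMint calls onERC721Received on a contract recipient, handing it
            // control while minted[msg.sender] still holds the old value.
            _safeMint(msg.sender, nextId++);
        }
        // Updated only after the external call: a nested mintNFT call passed the check.
        minted[msg.sender] += amount;
    }
}

// Hardened form: state is written before the callback and re-entry is rejected.
contract HardenedMint is ERC721, ReentrancyGuard {
    uint256 public constant MAX_PER_WALLET = 2; // hypothetical limit
    uint256 public nextId;
    mapping(address => uint256) public minted;

    constructor() ERC721("Hardened", "HARD") {}

    function mintNFT(uint256 amount) external nonReentrant {
        require(minted[msg.sender] + amount <= MAX_PER_WALLET, "wallet limit");
        // Effects before interactions: record the mint before any callback can run.
        minted[msg.sender] += amount;
        uint256 first = nextId;
        nextId += amount;
        for (uint256 i = 0; i < amount; i++) {
            _safeMint(msg.sender, first + i);
        }
    }
}
```

Either change alone closes this path; using both keeps the limit intact even if another function in the contract later adds a second external call.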
NFT scams and rugs
There have been plenty of examples of this, such as Cool Kittens, which promised investors an electronic token with cat art, a purpose-built token called PURR, and membership in a DAO. All rather standard promises that plenty of NFT projects have made and delivered on. Cool Kittens, however, did not. Only three weeks after announcing the NFT collection, the minting started, and the NFTs went up for sale. The project exploded, selling over 2,200 NFTs in mere hours, for a price of $70 apiece.
The developers collected $160,000 from a global audience of buyers in crypto, and then they simply disappeared with the money. This is only one example of something that is rather common in the crypto industry, so anyone participating in token sales of any kind should keep it in mind and exercise extreme caution.
The NFT sector provides plenty of opportunities for rather rewarding investments, but it can also be used against investors through a number of different vulnerabilities. This is not always the case, as sometimes, the flaw may lie with the marketplace that sells them, investors who don’t know how to protect themselves, or even with the NFT developers, who wish to scam the community and disappear with their money.
The only way to protect investors from this is for projects to conduct audits of their smart contracts, and for marketplaces to regularly check their systems for bugs and flaws. As for investors themselves, the only thing they can do is exercise caution and work on educating themselves on the threats that they might encounter, and what to do if they do run into any of these or other issues.
Guest post by Gleb Zykov from HashEx
Gleb began his career in software development in a research institute, where he gained a strong technical and programming background, developing different types of robots for the Russian Ministry of Emergency Situations. Later Gleb brought his technical expertise to the IT services company GTC-Soft, where he designed Android applications. He moved on to become the lead developer and afterwards, the company’s CTO. In GTC Gleb led the development of numerous vehicle monitoring services and an Uber-like service for premium taxis. In 2017 Gleb became one of the co-founders of HashEx – an international blockchain auditing and consulting company. Gleb holds the position of Chief Technology Officer, spearheading the development of blockchain solutions and smart-contract audits for the company’s clients.