Common Security Flaws around NFT Projects & How to Protect Against Them
7 min read
NFT projects are becoming a staple in the cryptocurrency space and are likely here to stay. As more creators, collectors, brands, and industries explore NFT utility and the digital art world, it is critical to build and enable secure platforms across NFT ecosystems. This guide will touch on recent hacks in the NFT space, risks to NFT communities and smart contracts, and security best practices for NFT projects.
NFTs are not different from any other store of value in that they attract nefarious behavior. The same attributes that attract NFT creators, collectors, and community projects are why NFTs are attractive to hackers. The majority of the successful hacks that have taken place have mostly involved attackers being able to take advantage of loose security measures. Let’s take a look:
Hackers stole thousands worth of artwork from user accounts. Nifty indicated that their platform had not been compromised and these were users that did not have 2FA enabled on their accounts.
Scammers were able to hack into the Twitter account of famous digital artist Beeple. The attackers tweeted out an official minting link to a raffle promising a free mint to 200+ pieces. Once user wallets were connected, they were emptied and attackers were able to steal approximately $400k worth of crypto assets.
Bored Ape Yacht Club
The popular NFT project’s Instagram was hacked and attackers sent a phishing post with a link to connect wallets to a fake smart contract. Once connected, wallets were wiped for crypto and NFTs. Four Bored Apes were compromised as well as other assets for a total of around $3 million.
The marketplace was subject to phishing scams as well as an attack that exploited a loophole that allowed users to purchase NFTs at much lower prices than the NFT’s actual market value.
Smart contract flaws were exploited by bypassing the limits on the maximum purchased tokens for a given wallet. An attacker was able to collect 330 NFTs by simply removing the limit that only allowed two NFTs to be collected per wallet
One of the largest Solana NFT marketplaces had to pause their platform and services due to two major rug pulls that resulted in hundreds of thousands being lost. Two projects, King of Chess and Balloonsville were behind the scams. Magic Eden refunded the minters of both projects and is taking action to prevent future rug pulls.
Security Flaws in an NFT Community
You may be surprised to know that NFT security does not completely take place on the blockchain. Many of the recent NFT hacks highlighted above were a result of compromised credentials, poor security hygiene, and phishing attempts.
If you are managing a community for an NFT project, it can be quite the challenge, especially when you are responsible for multiple social media accounts such as Twitter, Instagram, Discord, Telegram, and others. All of the accounts associated with your NFT project are subject to scams and social engineering attacks, and all the users associated with each account (followers, groups, etc.) are targets for various scams such as phishing, token copies, airdrops, and rug pulls.
Common NFT scamming mechanisms that can be directed towards an NFT community:
Malicious tokens can often be disguised as popular tokens and due to price volatility, the value can fluctuate dramatically, resulting in extreme losses.
These are similar to a pyramid scheme where the creator of a token will hype up a project and quickly invest a lot of money to create fast growth. Once the value is reached they will pull the funds making the project/token worthless.
These typically happen around the project launch and tokens may be gifted to users instead of purchased. A common set up is that tokens won’t swap when you attempt an action and the user will be re-routed to a website that asks for personal information, seed phrases, private keys, etc.
These are phishing and spear phishing attacks launched against the community to click on malicious links or attachments. These can also be launched against the account owners/admins in order to get them to reveal sensitive information (passwords, seed phrases, etc.) to be able to take over the accounts.
Even advanced crypto and technology users can be susceptible to threat actors, scams, malware, device compromise, account compromise, and loss of assets and funds.
Tips to Secure Your NFT Project
Security is hard, but there are a number of best practices you can implement as a community manager or smart contract developer to increase the security posture of your NFT project.
Staying educated and aware of the digital landscapes that you interact with most often will allow you to adapt and avoid scams. Scammers will target common crypto platforms and mediums such as Twitter, Discord, Telegram, Metamask, and OpenSea to try and facilitate scams and account takeovers. Email is the most common vector used for phishing campaigns. Official support accounts will never ask for seed/recovery phrases or private keys.
Passwords & 2FA Protection
- Protect your passwords via a password manager.
- Generate complex and unique passwords (this can also be done via a password manager)
- Avoid storing any passwords in a web browser, especially for browser-based wallets.
- Enable 2FA on every account, especially if you are an account admin.
- Avoid SMS/Email authentication if possible and use app-based 2FA.
- Verify sender email addresses before replying, clicking, or sharing any information.
- Protect your seed/recovery phrase for any wallets tied to a project.
- Keep seed/recovery phrases offline and make more than one copy.
- Split the phrase in half and store it in two separate locations.
- Use a secure hardware wallet and balance your funds between hot and cold.
- Enable allow listing on wallets and accounts where possible.
Keeping Your Tools and Devices Up to Date
Keep your browsers, devices, and OS as up to date as possible
Ensure you are using the latest versions of all tools, third party libraries, and integration points.
Smart Contract Security Tips
- Don’t skip on security audits.
- Fresh eyes are always helpful. Enlist help from others outside your project to complete a review.
- Be careful/mindful of extra functionality, while this can be popular on platforms like Ethereum, the extra functionality usually has a security trade-off.
- Follow best practices for protocols that support complex, multi-functional smart contracts.
- Utilize automatic validation tools where you can for additional security validation.
- Your choice of programming language matters. If possible, choose a language that has security in mind. Many languages will provide immense ability to create complex and highly functional contracts, but this opens up more opportunities for mistakes. Simpler languages make development easier and less susceptible to mistakes.
- Follow best practices for smart contract development specific to your blockchain network.
- Utilize network-specific frameworks for each blockchain
- Testing is crucial from unit tests for contract functionality and utilizing blockchain test networks before production release.
- Bug bounties are a great way to speed up the security review process and have outside parties vet your smart contract.
- Use additional testing tools specific to your blockchain network; formal verification, symbolic execution, linters, and test coverage analyzers are a few types of tools.
- Review and verify all third party applications, integrations, and libraries for your projects at both the smart contract/application layer and for your community. While third party libraries, tools, and applications are great, they can open up a wide door of vulnerabilities.
- It is common to use third party devs/contractors for smart contract builds. Vet these teams diligently!
- Implementing community guidelines can help keep your users safe. Here, you can list verified communication channels, communication usage guidelines, participating guidelines, verified links, and additional resources such as tips and help.
What to Do If You Think You Have Been Compromised
No one wants to think about the worst case scenario but having a plan in case something goes wrong will help protect your community and their assets. Here are some things you can do if you think you have been compromised:
1. Have a plan! Know what you will do and who you will call if something happens.
2. Have a security expert on your team or a friend who can help guide you through your response. You will likely be stressed, and they can help.
3. Change your passwords and 2FA right away.
4. Notify your community as soon as possible so they do not click on any malicious links or respond to any fake messages potentially containing malware.
5. If the password that has been compromised is being used on other accounts, change those immediately as well.
6. Check wallets for suspicious transactions.
7. Disconnect any wallets from sites where applicable.
8. Transfer any funds or NFTs to a new wallet as soon as possible.
9. Change your wallet passwords and any 2FA immediately.
10. Check devices for any malware that could have been installed.
11. Deploy spending limits and smart contract approvals where you can to avoid large losses.
12. Enable allow listing to a safe address in the event the attacker attempts any transfers.
NFTs provide opportunities for investment, brand collaboration, digital art collection, and enhancing the creator economy. Like any other asset, NFTs can also be exploited through a number of vulnerabilities. Whether the flaws are in the smart contract, marketplace, or social media accounts it is important that those building NFT projects understand the risks and how to mitigate them to protect communities. Security audits and using security best practices across an NFT project are essential to protecting these valuable assets.
Subscribe to our newsletter for more articles and guides. Feel free to reach out to us via Twitter if you have any feedback. You can always chat with us on our Discord community server, featuring some of the coolest developers you'll ever meet :)