Can NFTs Be Malicious? | Revealing The Truth

Blockchain Security + How to + blog + Education + Smart contract Z. Oualid today

share close

NFTs are digital tokens that represent unique and scarce assets on the blockchain. They have become a popular way to create, buy, and sell digital art, collectibles, music, and more. But, can NFTs be malicious?

NFTs could be malicious. Even if NFTs are pieces of art, they both remain connected to a smart contract and could contain malicious code that could hurt your device.

NFTs are non-fungible tokens that can represent digital assets with unique and verifiable properties on the blockchain. They have emerged as a novel way to create and exchange value in various domains such as art, gaming, and music. However, NFTs also pose significant security and privacy challenges that must be addressed. In this blog post, I will reveal some of the dangers and pitfalls of NFTs and how you can stay safe and smart in the NFT space. Don’t miss this!

What is an NFT and how it works?

NFTs are cryptographic tokens that represent ownership or proof of authenticity of a specific digital asset. Unlike cryptocurrencies such as Bitcoin or Ethereum, which are fungible and interchangeable, NFTs are indivisible and carry distinct properties. Each NFT is unique, and its value lies in its distinctiveness and scarcity.

NFTs are primarily created and managed on blockchain networks, with Ethereum being the most prominent platform. Blockchain technology provides transparency, immutability, and decentralization, making it an ideal foundation for NFTs. Artists and creators can mint NFTs by associating a digital asset, such as artwork, music, videos, or even virtual real estate, with a unique token. This process, known as tokenization, involves recording ownership and transaction details on the blockchain.

One of the key elements underlying NFTs is the use of smart contracts, self-executing contracts with predefined rules and conditions. Smart contracts enable the automation of various aspects, including royalty payments to creators and artists, allowing them to earn royalties whenever their NFTs are resold. Furthermore, NFTs can be programmed with additional functionalities, such as unlockable content or interactive features, enhancing their value and engagement.

The immutability and transparency of blockchain technology play a crucial role in establishing the authenticity and ownership of NFTs. Each NFT carries a unique identifier, which can be verified by anyone on the blockchain. This verification process ensures the integrity and provenance of the digital asset associated with the NFT, mitigating concerns of counterfeiting and fraud.

NFTs can be bought, sold, and traded on various online platforms and marketplaces, providing a thriving ecosystem for creators and collectors. These marketplaces serve as venues for artists to showcase and monetize their creations, while collectors can acquire unique digital assets and build their collections. The secondary market for NFTs enables the resale and trading of previously minted tokens, with each transaction recorded on the blockchain, ensuring transparent ownership history.

How can you check if an image is an NFT?

To check if an image is actually an NFT or just a simple image shared on the web without any value you can do the following things:

Metadata Examination

The first step in verifying the authenticity of an NFT image involves examining its metadata. NFTs store essential information such as the creator’s name, creation date, description, and any additional attributes specific to the artwork. By scrutinizing the metadata associated with the image, one can gain insights into its origin and legitimacy. This information can typically be accessed through NFT marketplaces or blockchain explorers.

Here is a reel example of such a technique:

If you are buying an NFT from Opensea for example, you can find those metadata information in the Details section, like the following:

The most important elements to check the NFT in this table are:

  1. Contract address
  2. Token ID
  3. The Blockchain name

You can use the contract address to verify if the one mentioned on the project website is the one mentioned here. Then you can call the function, tokenURI(uint256 tokenId) in that contract to check if the token exists and has a valid URI.

Once you get the URI, you can simply navigate to it as follows:

If for any reason you find that the NFT URI point to a web server then, this is just an image that could be removed at any moment, even if the ID is correct and the contract is legitimate, putting the NFT art into a centralized server make the NFT image in the risk of getting deleted at any moment.

Blockchain Verification

NFTs are predominantly built on blockchain networks, leveraging their transparency and immutability. Blockchain verification is a reliable method to check the authenticity of an NFT image. By examining the transaction history associated with the NFT’s smart contract address on reputable blockchains like Ethereum, one can trace the ownership and validate the image’s authenticity. Reputable NFT marketplaces often provide links to blockchain transactions for easy verification.

Cross-referencing NFT Marketplaces

Cross-referencing NFT marketplaces is another effective way to verify the authenticity of an NFT image. Reputable platforms like OpenSea, Rarible, or SuperRare curate collections of genuine NFTs. By searching for the image or associated metadata on these platforms, one can confirm if the claimed NFT is listed and authenticated by recognized marketplaces. Be cautious of listings on lesser-known or unverified marketplaces, as they may lack credibility.

Image Hashing Techniques

Image hashing techniques offer an additional layer of verification for NFT images. Image hashing algorithms generate unique fingerprint-like hash values based on the content of an image. By comparing the hash value of the image in question with known NFT hash values, one can determine if the image is a real NFT. Popular image hashing algorithms include Perceptual Hashing (pHash), Difference Hashing (dHash), and Average Hashing (aHash).

Reverse Image Search

Reverse image search engines can be a valuable tool in verifying the authenticity of an NFT image. By uploading the image to these search engines, they scan the internet for similar or identical images. If the image is associated with a known NFT or has been linked to reputable NFT marketplaces, it provides evidence of its authenticity. While not foolproof, reverse image search can provide valuable insights into the legitimacy of the image.

Some of the previously listed checking techniques could be efficient and others may not. However, combining all those techniques will certainly reduce the risk of becoming a victim of a malicious NFT.

How NFTs could be used to hack your device?

It’s important to note that NFTs themselves do not have the inherent capability to directly hack your device. NFTs are digital assets that reside on a blockchain, and their purpose is to establish ownership and uniqueness of digital items such as artwork, music, or collectibles.

However, images can hold either malicious links in their URI or their Description. By clicking on the NFT link, you might be redirected to a dangerous website that holds malicious code. If for any reason, your browser was vulnerable and didn’t get patched before, then the malicious website might be able to hack your device. Moreover, NFTs can be distributed as files, such as videos or any kind of files. Like any other file, there is a possibility that a malicious NFT file could contain malware or be part of a larger cyber attack. Opening or downloading such files could potentially compromise the security of your device.

How NFTs could be used to hack your wallet funds?

While NFTs themselves do not have direct capabilities to hack your wallet funds, it is important to be aware of potential security risks that can arise in the context of interacting with NFTs and related platforms. Here are a few considerations:

  • Phishing Attacks: Attackers may attempt to deceive users through phishing emails or messages that mimic legitimate NFT marketplaces or wallets. They may trick users into providing their wallet credentials or private keys, allowing the attackers to gain unauthorized access to the wallet and steal funds.
  • Fake NFT Listings: Scammers can create fraudulent NFT listings on fake marketplaces, enticing users to purchase NFTs with the intention of stealing their funds. It is crucial to ensure you are using reputable marketplaces and verify the authenticity of the NFT before making any transactions.
  • Exploiting Vulnerabilities: NFT marketplaces or wallet applications may have security vulnerabilities that can be exploited by attackers. This could potentially allow them to gain unauthorized access to your wallet or manipulate transactions to steal funds.
  • Malicious Code or Smart Contracts: NFTs can include smart contracts, which are code executed on the blockchain. If a malicious actor gains control over a smart contract associated with an NFT, they may introduce code that allows them to exploit vulnerabilities or siphon funds from connected wallets.

How to avoid malicious NFTs?

To protect yourself and your device when dealing with NFTs, consider the following security measures:

  • Stick to reputable NFT marketplaces and platforms with a strong track record of security.
  • Be cautious when clicking on links or downloading files related to NFTs, especially from untrusted sources.
  • Keep your devices and software up to date with the latest security patches.
  • Use robust, unique passwords for your NFT-related accounts and enable two-factor authentication when available.
  • Be mindful of the permissions you grant to NFT-related applications and wallets, and review privacy settings regularly.
  • Stay informed about potential security threats and best practices for protecting your digital assets.
  • NFT projects could also be connected to upgradable smart contracts, and to be honest, try to avoid those kinds of projects because their source code might change in the future leading to stealing your NFT.
  • If possible run a smart contract audit again the NFT contract to see if there are any possible frauds or if there is a central user with so many privileges

If you want more details about this subject I highly encourage you to take a look at the following blog post that I have written in the past few weeks:

Performing or at least asking for a smart contract auditor’s opinion about a smart contract or NFT project legitimate is a must. Some NFT projects are simply designed to steal your money once you connect your wallet with it. For more details check this blog post about honeypots in the context of smart contracts.

Written by: Z. Oualid

Rate it

About the author

Z. Oualid

I am a Cyber Security Expert, I have worked with many companies around the globe to secure their applications and their networks. I am certified OSCP and OSCE which are the most recognized and hard technical certifications in the industry of cybersecurity. I am also a Certifed Ethical hacker (CEH). I hope you enjoy my articles :).

Previous post

Post comments (0)

Leave a reply

Your email address will not be published. Required fields are marked *