Is an NFT hackable? | Unmasking the Threat

Blockchain Security + blog + Smart contract Z. Oualid today


In recent years, the rise of NFTs (non-fungible tokens) has been nothing short of meteoric. With eye-popping sales of digital artwork and other collectibles, NFTs have captured the attention of investors, collectors, and creators alike. However, with any new technology comes questions about its security and reliability. So is an NFT hackable?

NFTs are hackable. Like any application made by humans, NFTs could be hacked if they are managed by vulnerable smart contracts.

To better understand why NFTs are hackable, you should first understand, at least at a high level, how NFTs work and what kinds of threats they face. Then you will be able to understand the kinds of attacks that can be performed against NFTs, and the techniques used by both customers and creators to protect their NFTs. So if you are interested in learning more about all of this, just keep reading.

How do NFTs work in simple words?

In simple words, NFTs are pieces of art or “images” stored in distributed storage worldwide and managed by a specific smart contract running on the blockchain. In other words, each NFT is represented by a unique ID number stored in a variable in the smart contract.

Smart contracts are simply a type of application that, once deployed, runs forever on the blockchain, with no ability to stop it for whatever reason. In addition, the code of those smart contracts cannot be changed or deleted.

Essentially, an NFT is a digital certificate of ownership for a specific item, like a one-of-a-kind piece of art. When someone buys an NFT, they gain ownership of the digital item, but not necessarily any copyright or usage rights associated with it.

The blockchain technology used to create NFTs ensures that they are truly unique and cannot be duplicated or tampered with. This makes NFTs valuable to collectors and investors, who can prove ownership and authenticity of the digital asset.

NFTs are bought and sold using cryptocurrency, typically Ethereum, and the transactions are recorded on the blockchain, providing a public ledger of ownership and transfer history.

What makes NFTs hackable?

As I said in the first section of this blog post, the ownership of NFTs is managed and proved by smart contracts running on the blockchain. Those smart contracts are programs built and deployed by humans, and humans make mistakes. Smart contracts can have vulnerabilities that lead to NFT hacks.

However, smart contract vulnerabilities are not the only thing that makes NFTs hackable. Many common web2 techniques can also be used to hack NFTs. For example, attackers could use social engineering to trick users into sending malicious transactions that give NFT ownership to the attackers. This technique is discussed in detail in the next sections.

Moreover, a digital wallet, also known as a cryptocurrency wallet or blockchain wallet, is a software program that allows users to securely store and manage their cryptocurrency and NFTs. Digital wallets use public and private keys to authenticate transactions and protect the user’s assets.

When someone purchases an NFT, it is transferred to their digital wallet, which stores it on the blockchain network. The wallet provides the user with a record of their NFT ownership and allows them to transfer, sell, or trade the NFT as desired. Therefore, zero-day vulnerabilities in a wallet could lead to NFT hacks.

Recent NFT Hackings

In recent months, there have been several high-profile NFT hacking cases. Here are a few illustrations:

Bored Ape Yacht Club: A gang of hackers broke into the Bored Ape Yacht Club website in November 2021 and used a flaw to steal 20 Bored Ape NFTs valued at about $2.6 million. The hackers got around the website’s security safeguards and then had access to the NFT owners’ private keys.

Poly Network: In August 2021, a cyberattack on the decentralized financial platform Poly Network led to the loss of Bitcoin and NFTs valued at over $600 million. The hackers took advantage of a flaw in the platform’s smart contracts and transferred the stolen money to numerous wallets.

Lympo: $18.7 million stolen: A hot wallet breach cost Lympo, a sports-focused NFT and Animoca Brands subsidiary, 165.2 million LMT tokens. This was comparable to $18.7 million at the time of the incident (January 2022) and impacted 10 wallets.

Farmers World: $15.7 million stolen: In November 2021, a theft from the WAX chain’s cryptocurrency game caused losses of more than 100 million yuan ($15.7m). However, others claim that the amount could have exceeded 300 million yuan.

DragonSB Finance: An NFT gaming startup called DragonSB Finance had $10 million stolen after hackers attacked its vesting smart contract in April 2022.

OpenSea: Attackers took advantage of OpenSea users during a phishing event in February 2022 to steal NFTs valued at approximately 1,200 ETH, or over $3.4 million at the time. For other victims, it turned out to be a stroke of luck because the hacker did return some of the unsold NFTs.

TopGoal: 4.8 million TMT were transferred from the platform’s hot wallet to the hacker’s account during the TopGoal assault in February 2022. These tokens had a market value of a little over $2.2 million at the time.

The Shifters: Over $2 million was taken from consumers during the long-awaited release of The Shifters NFTs in March 2022 thanks to bogus websites and Discord messages.

Alethea AI: Fans of Alethea AI were taken advantage of for 840 ETH, which at the time (March 2022) was equivalent to almost $1.8 million, in a Discord compromise.

Moonbirds: 29 Moonbirds’ NFTs were taken in May 2022 employing a fraudulent link that hackers set up. These were believed to be worth 750 ETH ($1.5m).

Omni: In July 2022, a flash loan reentrancy attack on the Omni NFT financial platform resulted in the theft of 1,300 ETH ($1.43 million) by hackers. Users may earn tokens (like ETH) by staking NFTs on a variety of platforms thanks to Omni.

Many other hacks happen every day: some are small hacks we don’t hear about, and others are big enough to spread terror in the DeFi community. You can check the very latest hacks by visiting the following link.

Can Social Engineering Attacks be used to steal NFT?

Social engineering is a deceptive manipulation tactic employed by individuals or groups to exploit human psychology and manipulate people into divulging confidential information, granting unauthorized access, or performing actions that they would not otherwise do. Therefore, social engineering attacks could be used against any system, including to hack NFTs.
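One such request, seen from the wallet side before signing. This is an added example, not code from the original post: it decodes a transaction's input data using the standard ERC-721 function selectors and flags calls that would hand control of NFTs to another address. The names `review_calldata` and `decode_word` and all addresses are constructed for illustration.

```python
# Added example: pre-signing review of ERC-721 calls that hand over NFT control.
# Selectors are the standard ERC-721 ones; every address below is constructed.
SELECTORS = {
    "a22cb465": ("setApprovalForAll", ["address", "bool"]),
    "095ea7b3": ("approve", ["address", "uint256"]),
    "23b872dd": ("transferFrom", ["address", "address", "uint256"]),
    "42842e0e": ("safeTransferFrom", ["address", "address", "uint256"]),
    "b88d4fde": ("safeTransferFrom", ["address", "address", "uint256", "bytes"]),
}

def decode_word(kind, word):
    """Decode one 32-byte ABI word (64 hex chars) for the types used above."""
    if kind == "address":
        return "0x" + word[24:]          # address is the low 20 bytes
    if kind == "bool":
        return int(word, 16) != 0
    return int(word, 16)                 # uint256, or the offset word of `bytes`

def review_calldata(calldata, my_address, trusted_operators=()):
    """Return (function name, decoded args, warnings) for transaction input data."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    entry = SELECTORS.get(data[:8])
    if entry is None:
        return None, [], []              # not an ERC-721 ownership call
    (name, types), body = entry, data[8:]
    if len(body) < 64 * len(types):
        return name, [], ["truncated calldata: refuse to sign"]
    args = [decode_word(t, body[i * 64:(i + 1) * 64]) for i, t in enumerate(types)]
    trusted = {a.lower() for a in trusted_operators}
    warnings = []
    if name == "setApprovalForAll" and args[1] and args[0] not in trusted:
        warnings.append(f"grants {args[0]} control of EVERY token in this collection")
    elif name == "approve" and args[0] not in trusted and int(args[0], 16) != 0:
        warnings.append(f"lets {args[0]} transfer token #{args[1]}")
    elif name in ("transferFrom", "safeTransferFrom") and args[0] == my_address.lower():
        warnings.append(f"moves token #{args[2]} out of your wallet to {args[1]}")
    return name, args, warnings

# Constructed sample: a request granting an unknown operator approval for all tokens.
ME = "0x" + "11" * 20
UNKNOWN = "0x" + "ab" * 20
SAMPLE = "0xa22cb465" + UNKNOWN[2:].rjust(64, "0") + "1".rjust(64, "0")

if __name__ == "__main__":
    print(review_calldata(SAMPLE, ME))
```

Passing the marketplace operators you actually use as `trusted_operators` keeps routine approvals quiet while anything else is flagged.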

How to reduce the risk of investing in a hackable NFT?

To reduce the risk of investing in a hackable NFT, take the following actions as thoroughly as you can:

Research the NFT Marketplace

Before making any investments, thoroughly research the NFT marketplace where the NFT is listed. Look for reputable and well-established platforms that have a strong track record of security and user protection. Read reviews, check the platform’s security measures, and ensure they have protocols in place to prevent hacking incidents.

Verify the NFT Project

Evaluate the credibility and reputation of the NFT project itself. Research the team behind the project, their experience, and their previous work. Look for projects that have transparent information about their development process, security audits, and community engagement. Ensure the project has taken steps to address potential security vulnerabilities.

Smart Contract Audit

Check if the NFT project has undergone a thorough smart contract audit by reputable cybersecurity firms. Smart contract audits help identify vulnerabilities or flaws in the code that hackers could exploit. Look for projects that have successfully passed independent audits and have taken steps to address any identified issues.

Check for Security Features

Look for NFTs that incorporate security features or mechanisms. These may include features like multi-factor authentication, secure storage of metadata or assets, and encryption. Projects that prioritize security and have implemented additional safeguards are generally safer investments.

Community and Feedback

Engage with the NFT community and seek feedback from experienced collectors or investors. Participate in forums, social media groups, or Discord channels related to NFTs and inquire about the project you are interested in. Gathering insights from others can provide valuable information about the project’s security, potential risks, and reputation.

Stay Informed

Stay updated with the latest news and developments in the NFT space, particularly related to security and hacking incidents. By being informed, you can quickly identify any emerging risks or vulnerabilities associated with specific projects or marketplaces, allowing you to make more informed investment decisions.

Diversify Your Investments

Spreading your investments across multiple NFT projects can help mitigate risks. Diversification reduces the impact of any potential security breaches or vulnerabilities in a single NFT investment. By diversifying, you minimize the chances of losing your entire investment in case of a hacking incident.

How to protect my NFTs from being hacked?

Protecting an NFT from being hacked is a very difficult task that falls to both the owner and the creator of the NFT. As a creator, try to follow secure coding best practices while building your system. You can check the following blog post, where I have explained in detail, with code examples, some of the most destructive vulnerabilities in the space, with all the needed recommendations on how to fix or avoid them:

In addition, try to stay updated about the latest vulnerabilities detected in the technologies used to build your NFT smart contract. Moreover, at the end of the development process, try to perform multiple layers of security audits to eliminate as many vulnerabilities as possible before going to production.

As an NFT collector, you have to do your best to secure your wallet and educate yourself about the latest techniques used by attackers to steal NFTs, whether social engineering or any other possible technique. Using complex passwords makes it harder for attackers to gain access to your crypto assets.

In addition, updating your wallet apps whenever updates are published is also required to avoid being exploited through publicly known vulnerabilities. Moreover, if possible, try to use a hardware-based wallet to eliminate the risk of attacks when it is disconnected from the internet.

However, you should keep in mind that all the tasks explained above will only make it harder for hackers to get access to your NFT; a 100% secure system does not exist.

Written by: Z. Oualid


About the author

Z. Oualid

I am a Cyber Security Expert, I have worked with many companies around the globe to secure their applications and their networks. I am certified OSCP and OSCE which are the most recognized and hard technical certifications in the industry of cybersecurity. I am also a Certified Ethical Hacker (CEH). I hope you enjoy my articles :).

