NFT art reached a peak in 2021 and has become a crucial element of the web3 zeitgeist. It is now more critical than ever to ensure that the ecosystems that provide access to NFTs are secure and transparent. In this blog post, we'll discuss recent hacks in the NFT space, risks to NFT communities and smart contracts, and security best practices for NFT projects. We'll also touch on the importance of NFT smart contract audits and how they are fundamental in keeping the NFT ecosystem secure and transparent.
Before getting into NFT security, it is essential to have a clear understanding of the basics. NFT smart contracts can store, receive, and transfer assets while defining their creation, ownership, and transfer rules. The two most popular forms of contracts are.
Recent Hacks
Multiple hacks and thefts have occurred on individuals and various NFT platforms, resulting in massive financial losses of millions of dollars. Here are some of the major incidents:
- Omni: In July 2022, 1.43 million was stolen through a flash loan reentrancy attack on the NFT finance platform.
- Moonbirds: Hackers stole $1.5 million and 29 Moonbirds' NFTs in May 2022 through a malicious link.
- OpenSea: $3.4 million was stolen in February 2022; attackers used phishing to steal the NFTs.
- Bored Ape Yacht Club: In 2022, $13.7 million in NFTs in NFTs were stolen from users who linked their Ethereum wallet to a fake Bored Ape site following a hack of the club's Instagram.
- DragonSB Finance: $10 million was stolen in April 2022 due to hackers exploiting the vesting smart contract in the project.
Hackers utilize various strategies, including phishing and fake websites, to mislead users and steal NFTs. Fortunately, several victims had their stolen NFTs returned to them. Although these incidences are unfortunate, it is important to remember that the NFT market is still expanding, and security mechanisms are constantly improving to prevent similar occurrences. As users, we should exercise caution before signing any transactions.
Related Article: What is a Token Audit, and Why Should You Care About It?
Risks to NFT communities and smart contracts
NFTs have become highly valuable and visible in the crypto world, making them a prime target for hackers. "The Merge," a piece by Pak, was sold for a staggering $91 million and involved nearly 30,000 participants, highlighting their appeal.
Interestingly, NFT security is partially dependent on the blockchain, and previous attacks have resulted from stolen passwords, inadequate security measures, and phishing attempts. Weak security protections in NFT smart contracts and social engineering strategies on social media platforms are frequent methods for bad actors to succeed in their attacks. Understanding the common NFT scamming tactics that target NFT communities is critical.
Security Risks in the NFT smart contract
Smart contracts face vulnerabilities hackers can exploit to steal tokens or cause harm. These flaws often stem from programming errors in languages like Solidity or Rust. The contract operates in a virtual environment where input is compiled into bytecode. An error in the code can lead to unexpected consequences. The safety of the contract depends on its implementation and validations in the code, making accuracy crucial for project safety.
Hackers manipulate users using the built-in feature like Bored Ape Yacht Club members were hacked via the SafeTransferFrom function. In this scenario, the attacker creates a fake website or hacks into the project's website to deceive users into clicking the "mint" button. The users think this button is part of the minting process and approve a SafeTransferFrom call. This approval grants the contract permission to transfer an NFT from the target wallet. Boom, you lost your NFT.
However, a single contract error may bring down the entire app or even third-party services that rely on it. The most prevalent problems are:
Developers need to ensure the safety of funds and the success of a project through smart contract audits. This involves establishing a review process to detect and resolve vulnerabilities. It's essential to test comprehensively, especially when working with multiple contracts. Using established libraries and frameworks can help avoid issues with custom code. Expert code review through auditing is essential for identifying vulnerabilities and building community confidence in smart contract projects.
Security Risks in the NFT Community
Marketplace Risks: NFT marketplaces can be vulnerable to security exploits, leading to unauthorized access or fund theft.
Rug Pulls: This situation arises when the creators of a token project aggressively promote it to achieve rapid growth but then withdraw their funds once they reach a predetermined expected value.
Social Engineering: Attackers steal NFTs and cryptocurrency assets through malicious links sent through email, Telegram, Twitter, Discord, and Airdrops.
Private Key Hacks: Cryptocurrency private keys can be compromised, leading to theft of funds by hackers.
Security best practices for NFT projects
It is critical for a community manager or smart contract developer working on an NFT project to emphasize security by adhering to best practices. Stay informed about the digital environments you regularly engage with and remain vigilant to avoid scams. Scammers often target popular crypto platforms and communication channels like Twitter, Discord, Telegram, Metamask, and OpenSea to carry out fraudulent activities and take over accounts. Phishing campaigns are typically conducted through email, so it is crucial to be cautious and never disclose seed or recovery phrases or private keys to official support accounts, as they would never ask for such sensitive information. By implementing these measures, you can bolster the security of your NFT project and safeguard it against potential threats.
Passwords & 2FA Protection
Protect your accounts with unique passwords generated by a password manager. Avoid storing passwords in web browsers and use 2FA on every account, especially if you're an admin. Choose app-based 2FA over SMS/email authentication, and always verify the sender's email before sharing information.
Wallet Security
To ensure the security of your wallets related to a project, safeguarding your seed or recovery phrase is vital. Keep it offline and create multiple copies. Divide the phrase into two parts and store them in different locations. Consider using a secure hardware wallet and maintain a balance between hot and cold funds.
Smart Contract Security Tips
- Conduct security audits and seek unbiased reviews from individuals outside your project to ensure the safety and integrity of your NFT project.
- Exercise caution when introducing extra functionality and adhere to best practices for complex, multi-functional smart contracts.
- Opt for programming languages designed with security in mind to reduce the likelihood of errors.
- Conduct thorough unit tests for contract functionality and utilize blockchain test networks before releasing your project into production.
- Offer bug bounties to incentivize external parties to scrutinize your smart contract further and use testing tools specific to your blockchain network to uncover vulnerabilities.
- Review and verify all third-party applications, integrations, and libraries to prevent potential security breaches.
- Implement community guidelines to foster a secure user environment and ensure a positive experience with your NFT project.
Importance of smart contract audits
NFTs are a prime target for hackers due to their ability to trick users into giving access to their wallets and signing malicious transactions. Additionally, malicious actors may digitize valuable artworks without permission and sell them without legal rights. Unfortunately, the industry is largely unregulated, enabling these bad actors to operate unchecked. To prevent such manipulations, NFT projects should undergo a smart contract audit, which identifies any code features that may lead to a loss of assets or damage to reputation. Auditors test the code against various attacks, including denial of service attacks, gas limit issues, and logic flaws. Users can reduce potential risks by using reputable NFT marketplaces and secure wallets, staying vigilant of scams, and double-checking the authenticity of any offers before sending funds or NFTs. Multi-factor authentication and checking the details of every transaction are also recommended. When choosing an auditor, consider their expertise, reputation, and past customers. Public NFT audit reports can be viewed on Hacken's website, and CER.live, CoinGecko, and CoinMarketCap recognize every audit report.
Final thoughts
In conclusion, it is crucial to address security risks in NFT smart contracts and conduct regular audits to ensure the integrity of the NFT market. The recent hacks in the NFT ecosystem highlight the need for a security-first mindset and caution against minimizing gas fees or acquiring NFTs cheaply at the expense of security. Marketplaces can play a significant role in preventing such incidents by auditing NFT smart contracts regularly. Doing so can identify and mitigate potential vulnerabilities, protecting users' assets. It is essential to prioritize the security of NFTs to ensure the long-term sustainability and growth of the market.
Protecting your Smart Contracts is essential for growth and user trust. Book a free 30 min. consultation with us to explore advanced protection options tailored to your project.