How safe is your digital asset? Smart contract vulnerabilities in NFTs
Explore smart contract vulnerabilities in non-fungible tokens (NFTs) and learn how you can better protect your digital assets.
Are you aware of the potential security pitfalls lurking within NFTs? This article aims to shed light on some common smart contract vulnerabilities, which often result in significant losses within the blockchain ecosystem.
We will explore some effective methods to detect and mitigate these potential security threats in the NFT landscape.
Identifying and understanding smart contract vulnerabilities
Smart contracts form the backbone of NFTs, managing the creation, ownership, identification, and exchange of unique, irreplaceable digital assets, all without the need for a central authority.
However, these contracts, revolutionary as they might be, have weaknesses. NFT security issues can lead to a variety of unintended consequences, from asset theft to unintentional listings, because attackers often target the contract code rather than the NFTs themselves.
Smart contract vulnerabilities are usually rooted in code written in high-level languages like Solidity, Vyper, or Rust. A single error in your Solidity code can give rise to many NFT vulnerabilities.
Moreover, the problem can be compounded when contracts interact with each other, with a single smart contract vulnerability potentially crashing the entire application or even third parties that rely on it.
Commonly encountered issues:
Reentrancy: This attack occurs when multiple transactions are rapidly sent to a smart contract, leading to potential errors being exploited by hackers.
Denial of Service (DoS): DoS attacks often involve making a function unexecutable by creating an infinite loop or exploiting Ethereum’s gas limit.
Arithmetic overflows and underflows: These errors are related to data processing within the contract and can often lead to significant NFT security issues.
Default visibilities: In Ethereum smart contracts, the default visibility of functions is public, leaving room for potential exploitation by malicious actors.
Entropy illusion: This smart contract vulnerability arises when developers wrongly assume that the blockhash function can provide random numbers, leading to manipulated outcomes.
tx.origin authentication: Using the tx.origin global variable for authentication can lead to phishing attacks, thereby compromising the smart contract.
Race conditions: These occur when a function’s outcome depends on the order of transactions, leaving room for potential exploitation.
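The reentrancy and tx.origin items from the list above, shown as the vulnerable pattern beside its hardened form. This is an added example, not code from the article or from any project it mentions; the SaleProceeds contract and all of its function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
// Added example, not from the article. SaleProceeds is a hypothetical escrow
// holding ETH owed to NFT sellers; all names here are assumptions.
pragma solidity ^0.8.20; // 0.8+ reverts on arithmetic overflow/underflow

contract SaleProceeds {
    address public immutable owner;
    address public treasury;
    mapping(address => uint256) public owed;
    bool private locked;
    constructor() { owner = msg.sender; }
    function credit(address seller) external payable { owed[seller] += msg.value; }

    // VULNERABLE (reentrancy): the external call runs before the balance is
    // cleared, so a contract recipient can call back into this function from
    // its receive() hook and be paid again from the same `owed` entry.
    function withdrawVulnerable() external {
        uint256 amount = owed[msg.sender];
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        owed[msg.sender] = 0;
    }

    // HARDENED: checks-effects-interactions ordering plus a reentrancy lock.
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }
    function withdraw() external nonReentrant {
        uint256 amount = owed[msg.sender];
        owed[msg.sender] = 0;                             // effect first
        (bool ok, ) = msg.sender.call{value: amount}(""); // interaction last
        require(ok, "transfer failed");
    }

    // VULNERABLE (tx.origin): passes whenever the owner's wallet started the
    // transaction, even if an intermediate contract is the direct caller.
    function setTreasuryVulnerable(address t) external {
        require(tx.origin == owner, "not owner");
        treasury = t;
    }
    // HARDENED: authenticate the immediate caller.
    function setTreasury(address t) external {
        require(msg.sender == owner, "not owner");
        treasury = t;
    }
}
```

Every function carries an explicit visibility keyword, which also addresses the default-visibility item in the list.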
Case studies
These NFT vulnerabilities have been exploited in multiple real-world instances, leading to substantial losses. Some examples include the following:
NFT Trader contract compromise: On Dec. 16, 2023, trading site NFT Trader experienced an exploit of two of its older contracts, resulting in the theft of various valuable NFTs, including Bored Apes, Art Blocks, World of Women, and VeeFriends.
The vulnerability in NFT Trader’s contracts was identified by delegate.cash founder 0xfoobar, who urged users of the platform to revoke any permissions associated with compromised contracts immediately.
Security flaw in common smart contracts library: Towards the tail end of 2023, Thirdweb, a firm specializing in web3 technologies, discovered a major smart contract security flaw in a commonly used open-source library.
This vulnerability reportedly affected pre-built smart contracts such as DropERC20, ERC721, ERC1155, and AirDrop20, potentially putting multiple NFT collections at risk.
Upon discovery, Thirdweb initiated an investigation with its audit partners. Fortunately, they found that this vulnerability had not been exploited in any of their smart contracts.
As part of the resolution, the company addressed the issue, presumably by patching the NFT vulnerability in the library and updating the affected smart contracts to use the updated library.
AllianceBlock token manipulation: In February 2023, ALBT, AllianceBlock’s native token, fell victim to an oracle hack that resulted in significant price manipulation.
The incident happened when an exploiter tampered with an oracle in a smart contract, allowing them to manipulate ALBT’s prices and generate substantial quantities of the Bonq Euro (BEUR) stablecoin. This exploitation led to a massive loss estimated to be around $120 million.
According to reports, hackers siphoned off roughly $5 million worth of ALBT tokens on the Bonq decentralized borrowing protocol. In another instance, hackers compromised the protocol’s smart contract and manipulated AllianceBlock tokens, draining about $88 million of crypto out of the system.
The exploit also significantly impacted ALBT’s value, which plunged by 51% immediately following the incident and more than 65% in the next few days.
Omni reentrancy (July 2022): In July 2022, Omni, a platform that operates as an NFT money market, suffered a significant breach due to a reentrancy vulnerability in its Ethereum contracts, resulting in the loss of $1.4 million.
A security analysis of the hack revealed that the attacker was able to drain 1,300 ETH from the platform’s testing funds.
Although Omni was quick to point out that no users’ funds were affected in the incident, the event raised serious questions about the security of blockchain platforms and the measures they need to take to protect against such attacks.
LooksRare DDoS attack (January 2022): Within mere hours of its launch on Jan. 11, 2022, the LooksRare platform fell prey to a Distributed Denial of Service attack, rendering the site unreachable.
Many users reported challenges in linking their digital wallets and encountered difficulties when attempting to list their NFTs. The LooksRare team acted swiftly to restore the website’s functionality, albeit with the issue concerning wallet connectivity remaining unresolved for a while longer.
In each of the cases above, the common denominator was the exploitation of smart contract vulnerabilities that ranged from coding errors to design flaws. This highlights the importance of a comprehensive audit of NFT security issues prior to deploying any smart contract.