NFT Security Audit – Do You Need One?

Published on June 20th, 2022

With technological advancement comes the responsibility and commitment to use technology solely for the good of humanity. However, there is a certain group of people whose only purpose is to find and exploit loopholes in every nascent technology for their personal gain.

As a new technology such as blockchain, the metaverse or NFTs gains popularity and mass adoption, it attracts scammers and hackers who enjoy exploiting it for personal benefit. As a result, securing the new technological platform becomes as critical as the platform itself.

In fact, a new technology is trusted and adopted only after it is completely secure.

NFTs (Non-fungible Tokens) are the latest technology that everyone is talking about. Companies are attempting to capitalise on the opportunities they provide for facilitating the sale of digital artworks. These NFT artworks are unique and cannot be copied.

How Secure are NFTs?

When a customer buys an NFT from any crypto commerce platform, they are effectively buying an identification token recorded on the blockchain that references the actual product, which may be stored anywhere. The purchased NFT only stores the URL of the metadata that holds the real information about the image, GIF or other asset.

NFT Metadata: JSON file

The NFT metadata is a JSON file that holds information such as the image's name, the actual image or GIF, a description of the asset, and any additional attributes.

The company minting the NFTs maintains and secures that data file, which contains the identifiers of the NFT objects, along with the private keys.

If the NFT platform experiences a technical breakdown or is compromised by hackers, users may lose their token identification and, with it, their digital assets. As a result, it is critical to conduct a security audit of the system regularly to plug any vulnerabilities before they are exploited.

OpenSea, one of the most popular NFT marketplaces, was hacked, and its users lost approximately $1.7 million worth of NFTs. So NFT security issues do exist, and yes, NFTs can be hacked and stolen too.

The hackers essentially exploited a flaw in the Wyvern Protocol, the fundamental protocol underlying the majority of NFT smart contracts used for digital asset transactions.

Thus, any decentralised financial platform, including crypto commerce sites, should be audited on a regular basis to safeguard and preserve system integrity.

Types of Security Audit

Some of the different types of security audits done by companies are:

  • Smart contract security audit
  • Blockchain code audit
  • Vulnerability management (impact and severity)
  • Whitepaper verification

Following the completion of the security audit, a document is generated that contains recommendations and proposals to secure the application. This helps to further improve the security of the NFT application.

NFT Security Audit Tools

Specialized tools are used to evaluate the many functional components of blockchain applications such as smart contracts, transactions, blocks, mining, wallets, and so on. Using the wrong tools can cause problems in the application.

Based on blockchain application architecture, some of the tools used for blockchain and NFT testing are:

Besides using tools, our blockchain auditors and testers put on a detective hat and manually scan lines of code for possible bugs and programming errors. Manual auditing exposes vulnerabilities that go undetected during automated testing, such as poor encryption techniques.

As an NFT application development company, our team often tests the following areas:

  • IPFS dApp hijacking
  • Insecure Content Security Policy (CSP) and HTTP headers
  • Window opener hijacking (Tabnabbing)
  • Location host spoofing
  • Unreachable code
  • Improper access control in staking
  • Redundant checks during deposit in Bond
  • Exploiting weaknesses in the compiler
  • Gas limit issues, etc.

We’d love to go into more detail on each of these areas in a separate article, but we thought we’d include them here for completeness.
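Two of the listed areas, insecure CSP and HTTP headers and window opener hijacking (tabnabbing), are front-end checks that lend themselves to automation. The following is an added example written for this article, not code from the author's team or from any audit tool: it audits a constructed set of response headers and a constructed HTML page for missing or weak security headers and for `target="_blank"` links that lack `rel="noopener"` (the condition that enables tabnabbing). The header names and sample values are constructed for the demonstration.

```python
"""Static audit of security headers and tabnabbing-prone links (added example)."""
from html.parser import HTMLParser

# Headers an NFT marketplace front end should send, with the risk each one mitigates.
REQUIRED_HEADERS = {
    "content-security-policy": "no CSP: injected or inline scripts run unrestricted",
    "strict-transport-security": "no HSTS: downgrade to plain HTTP is possible",
    "x-content-type-options": "missing nosniff: MIME sniffing can turn uploads into scripts",
}


def parse_csp(value: str) -> dict:
    """Split 'default-src 'self'; script-src ...' into {directive: [sources]}."""
    directives = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def audit_headers(headers: dict) -> list:
    """Return a list of findings (empty list means the header set passed)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, why in REQUIRED_HEADERS.items():
        if name not in h:
            findings.append(f"missing header {name}: {why}")
    csp = h.get("content-security-policy", "")
    directives = parse_csp(csp)
    # script-src falls back to default-src when absent.
    script_src = directives.get("script-src", directives.get("default-src", []))
    if csp and ("'unsafe-inline'" in script_src or "*" in script_src):
        findings.append("weak CSP: script-src allows 'unsafe-inline' or '*'")
    if "x-frame-options" not in h and "frame-ancestors" not in directives:
        findings.append("clickjacking: neither X-Frame-Options nor frame-ancestors is set")
    return findings


class BlankTargetLinks(HTMLParser):
    """Collect hrefs of <a target="_blank"> links without noopener/noreferrer."""

    def __init__(self):
        super().__init__()
        self.unsafe = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = dict(attrs)
        if a.get("target") == "_blank":
            rel = (a.get("rel") or "").lower().split()
            # noreferrer implies noopener in every current browser.
            if "noopener" not in rel and "noreferrer" not in rel:
                self.unsafe.append(a.get("href", "?"))


def audit_links(html: str) -> list:
    parser = BlankTargetLinks()
    parser.feed(html)
    return parser.unsafe


# Constructed samples: a weak header set, a hardened one, and a page with three links.
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}
SAMPLE_HTML = """
<a href="https://example.com/marketplace" target="_blank">Marketplace</a>
<a href="https://example.com/docs" target="_blank" rel="noopener noreferrer">Docs</a>
<a href="/about">About</a>
"""

if __name__ == "__main__":
    for finding in audit_headers(WEAK_HEADERS):
        print("header:", finding)
    for href in audit_links(SAMPLE_HTML):
        print("tabnabbing-prone link:", href)
```

Running the block against the constructed samples reports four header findings for the weak set (no HSTS, no nosniff, `'unsafe-inline'` in `script-src`, and no framing protection), none for the hardened set, and one unsafe link (the marketplace link). The check is deliberately conservative: it flags `'unsafe-inline'` even when a nonce is also present, so a reviewer should confirm each finding by hand.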

Why Is an NFT Security Audit Important?

As previously stated, when a platform grows in popularity, it draws a large number of fraudsters and hackers looking to abuse it and make quick money. The same is the case with NFT marketplaces.

The real threat comes not only from hackers and phishing professionals, but also from fraudsters. A scammer poses as a regular user and enters into fraudulent transactions to steal users' assets and NFT tokens. In fact, many genuine users have been duped into purchasing bogus NFT tokens.

As NFTs are smart contracts and as they are irreversible, organisations fret about deploying them without a security audit. They are only deployed after a thorough audit and the resolution of any code problems; otherwise, organisations risk losing the contract and its accompanying assets.

Thus, in addition to safeguarding the NFT platform, the capability to authenticate users should be part of the due diligence policy to reduce fraudulent transactions.

Furthermore, because the NFT keeps its metadata off-chain, the server (cloud servers such as AWS, etc.) where the metadata is stored should be protected and hardened against attackers to prevent data theft.

The reason the metadata is not stored on the blockchain is the high cost of storing data. For instance, storing 1 MB of data on the Ethereum blockchain costs $17,000 USD.
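The "NFT Metadata: JSON file" section above explains that the token on-chain only holds a URL to the metadata, and the two paragraphs above explain that the server holding that metadata is therefore a target. One defensive measure is to commit to the metadata content at mint time so that a compromised or misconfigured metadata server is detectable. The following is an added example written for this article, not code from the author's company or from any NFT library: it assumes a hypothetical registry in which each token stores both its metadata URL and a SHA-256 hash of the canonical metadata JSON, and simulates the off-chain store with an in-memory dictionary. All token data below is constructed for the demonstration.

```python
"""Committing to off-chain NFT metadata and verifying it later (added example)."""
import hashlib
import json
from dataclasses import dataclass


def canonical_json(metadata: dict) -> bytes:
    """Serialise deterministically so identical content always hashes identically."""
    return json.dumps(
        metadata, sort_keys=True, separators=(",", ":"), ensure_ascii=False
    ).encode("utf-8")


def metadata_digest(metadata: dict) -> str:
    """SHA-256 of the canonical JSON; this is what the token record commits to."""
    return hashlib.sha256(canonical_json(metadata)).hexdigest()


@dataclass(frozen=True)
class TokenRecord:
    """Hypothetical on-chain record: the URL plus a hash fixed at mint time."""
    token_id: int
    token_uri: str
    metadata_hash: str


class MetadataStore:
    """Stand-in for the off-chain server (object storage, IPFS gateway, ...)."""

    def __init__(self):
        self._files = {}

    def put(self, url: str, metadata: dict) -> None:
        self._files[url] = canonical_json(metadata)

    def get(self, url: str) -> bytes:
        return self._files[url]


def mint(token_id: int, token_uri: str, metadata: dict, store: MetadataStore) -> TokenRecord:
    """Publish the metadata and record its digest alongside the URL."""
    store.put(token_uri, metadata)
    return TokenRecord(token_id, token_uri, metadata_digest(metadata))


def verify_token(record: TokenRecord, store: MetadataStore):
    """Fetch the served metadata and check it against the minted commitment.

    Returns (ok, metadata); ok is False when the server now serves different content.
    """
    metadata = json.loads(store.get(record.token_uri))
    return metadata_digest(metadata) == record.metadata_hash, metadata


def demo_scenario():
    """Mint a token, verify it, tamper with the store, verify again."""
    store = MetadataStore()
    original = {  # constructed metadata in the common name/description/image/attributes shape
        "name": "Example Artwork #1",
        "description": "Constructed sample metadata",
        "image": "https://metadata.example.invalid/art/1.png",
        "attributes": [{"trait_type": "Background", "value": "Blue"}],
    }
    record = mint(1, "https://metadata.example.invalid/1.json", original, store)
    ok_before, _ = verify_token(record, store)

    # Simulate a compromised metadata server swapping the image pointer.
    tampered = dict(original, image="https://attacker.example.invalid/fake.png")
    store.put(record.token_uri, tampered)
    ok_after, _ = verify_token(record, store)
    return ok_before, ok_after


if __name__ == "__main__":
    before, after = demo_scenario()
    print("verified at mint:", before)        # expected: True
    print("verified after tampering:", after)  # expected: False
```

A content-addressed URL (an IPFS CID, for example) gives the same guarantee implicitly, because the address is itself a hash of the content; the explicit digest shown here is useful when the metadata is served from an ordinary HTTPS host, and a marketplace can run `verify_token` on every listing before displaying the asset.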

So the popularity of a technology presents a contest in which technology saviours and technology exploiters both try to win; who wins depends on which side discovers the flaw first.

We’d love to learn how you safeguarded your blockchain apps or NFT marketplace, as well as the tools and techniques you used.

NFT Security Audit – Do You Need One? was last modified: June 20th, 2022 by WebNet Creatives
