NFT security: Can they be hacked?
02/05/2022
A very important topic that we felt had to be covered is whether NFT hacking is possible.
And the long and short of it is that yes, they can.
But as you can probably imagine, it’s a little more complicated than that. If you’re either already an owner and/or creator of NFTs or would like to get in the game, it’s important to recognise how NFT hacks can happen and the security and vulnerability concerns that exist.
This will help you understand how to properly protect yourself from the worst happening – going to check out your collection and discovering you’ve been completely cleaned out!
In this article, we’ll go through the major vulnerabilities for NFTs and provide you with an example of perhaps the most notable NFT hack that’s happened so far. You’ll also learn some expert tips on safeguarding your collection from the nefarious characters out there.
Vulnerabilities and NFT hacking concerns
With a market that continues to grow every single day, it's important to be able to recognise the security concerns that exist and the exploitable vulnerabilities that lead to NFT hacking. These include:
Loss of access
As you’re most likely aware, the NFT itself isn’t actually stored on the blockchain. This is simply due to storage limitations. Instead, the blockchain stores an identifier: either the web address or image hash of the asset.
The InterPlanetary File System (IPFS) can be a great method to store and address NFT data, and may very well be where the identifier leads. In that case, the company where you bought the NFT will be the one running the IPFS node, so if that company ends up going out of business for whatever reason, you may end up completely losing access to IPFS and, therefore, your NFT.
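The following is an added example, not code from the original article: it classifies the identifier stored for an NFT by what the asset depends on to stay reachable, and checks a local backup against a recorded image hash. The sample tokens, the `example.com` hosts, the CID placeholder and the use of SHA-256 for the image hash are assumptions made for illustration.

```python
import hashlib
from urllib.parse import urlparse

# What each kind of on-chain identifier depends on to stay resolvable.
DEPENDS_ON = {
    "web-server": "the host behind the URL staying online and unchanged",
    "ipfs": "at least one IPFS node still holding the content",
    "ipfs-gateway": "an IPFS node holding the content, plus a working gateway",
    "bare-hash": "someone keeping a copy of the file itself",
}

def classify(identifier: str) -> str:
    """Classify an identifier by where the asset it names actually lives."""
    if len(identifier) == 64 and all(c in "0123456789abcdef" for c in identifier.lower()):
        return "bare-hash"  # assumption: hex-encoded SHA-256 of the image
    url = urlparse(identifier)  # urlparse lower-cases the scheme
    if url.scheme == "ipfs":
        return "ipfs"
    if url.scheme in ("http", "https"):
        return "ipfs-gateway" if url.path.startswith("/ipfs/") else "web-server"
    return "unknown"

def audit(tokens, local_copies):
    """Return (token_id, kind, dependency, backup_status) for each token."""
    rows = []
    for token_id, identifier, recorded_hash in tokens:
        kind = classify(identifier)
        copy = local_copies.get(token_id)
        if copy is None:
            backup = "no local copy"
        elif recorded_hash is None:
            backup = "local copy, no hash to check"
        elif hashlib.sha256(copy).hexdigest() == recorded_hash.lower():
            backup = "local copy verified"
        else:
            backup = "local copy does NOT match recorded hash"
        rows.append((token_id, kind, DEPENDS_ON.get(kind, "inspect manually"), backup))
    return rows

# Constructed sample data: not real tokens, hosts or content identifiers.
ART = b"constructed image bytes"
ART_HASH = hashlib.sha256(ART).hexdigest()
TOKENS = [
    (1, "https://nft.example.com/img/1.png", ART_HASH),
    (2, "ipfs://CID-PLACEHOLDER/2.png", None),
    (3, "https://gateway.example.com/ipfs/CID-PLACEHOLDER", ART_HASH),
]
COPIES = {1: ART, 3: b"bytes that differ from the original"}
print(*audit(TOKENS, COPIES), sep="\n")
```

A token reported as `web-server` or with `no local copy` is the one most exposed to the loss-of-access scenario described above.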
Marketplace security issues
There are plenty of centralised platforms that exist for people to buy, sell, trade and mint NFTs such as OpenSea, Rarible and Foundation.
Because these various platforms store private keys which are linked to each of the NFTs that are on the platform, this of course means that should there be any compromise to the platform’s security, the NFTs are at risk.
A compromise may be due to a lack of security measures by the marketplace itself, such as a lack of two-factor authentication, or to a particular user's own lapse, such as a poorly chosen or weak password, forgetting to log out of an account on a public computer, or something else.
Risks in smart contracts
A smart contract is effectively a digital tool that acts as the agent to complete a sale between an NFT’s owner and a buyer. You can think of it kind of like a vending machine.
Vulnerabilities in smart contracts’ security therefore enable NFT hacks by allowing hackers to make revisions to the transaction process that benefit them directly.
One famous example of smart contract exploitation was with CryptoPunks: in 2017, a bug was quickly discovered that blocked Ethereum (ETH) from actually depositing into a seller’s crypto wallet. This meant that attackers could buy CryptoPunk NFTs for the lowly sum of $0, causing the entire project to be re-launched with a refreshed smart contract.
Cyber security
One of the most effective methods of exploiting cyber security across the board remains phishing – sending out scam communications to a wide user base.
These communications, most commonly emails and SMS, will be framed as originating from an official source and either include a malicious attachment or a link they want the user to click on in order to capture their credentials.
Once this has been successfully done, hackers can then log into users’ crypto wallets and take them over easily.
The OpenSea NFT hack
Arguably the most notable of all NFT hacks occurred just earlier this year on the hugely popular OpenSea marketplace.
Hackers sent out a phishing email to a large number of OpenSea users, which included a link that the email said would migrate their listings to an updated smart contract system. However, when users clicked the link they were actually giving the hackers the power to transfer the ownership of any assets within the users’ ETH wallets to them.
Clicking the link meant the victims had unwittingly signed part of a contract which provided a general authorisation. Once the hackers had this, they completed the contract themselves and submitted it, transferring NFT ownership without any payment.
Throughout the OpenSea NFT hack, 254 NFTs were stolen within about three hours, impacting 17 different users, for an estimated sum of roughly USD$1.7 million.
How you can protect your NFTs from getting hacked
It’s not all doom and gloom security-wise with NFTs though. As long as you remain vigilant and follow the tips below on how to keep your NFTs hack-proof, you should be fine.
1. Create a strong password
Don’t go with something like ‘password’ or ‘hunter2’. NFT hacking pros can often find out at least some basic information about people, which means you shouldn’t use your significant other, child or pet’s name either.
Use a combination of capital letters, numbers and symbols that make sense to you – because you want to be able to remember it yourself.
2. Enable MFA
Multi-factor authentication is a great way to increase the barriers to your NFTs getting hacked, because even if a hacker is able to get past the first authentication, they’ve still got at least one more to get past.
Opt for at least two-factor authentication, and where possible go for MFA.
3. Keep your seed phrase safe
If you end up forgetting or losing your password, your seed phrase is the only thing that will give you access. And if you forget that, well… you’re never going to access the crypto wallet again.
Which means you’ll more than likely want to write it down somewhere. And once you’ve done that, put it somewhere nobody else knows about. Don’t ever, ever give it out to anyone – not even if your crypto wallet company requests it.
4. Don’t take the phishing bait
You’re probably thinking you’ll never fall for any phishing attempts. But tell that to the many thousands of people that do every year. Always be wary of emails that don’t look quite right and/or have very obvious spelling errors in them.
And if you’re questioning whether it’s actually from the source it claims to be, contact them by phone and ask them directly whether they sent it or not. Oh, and by the way, Google the number – don’t call the one stated in the suspected scam email!
5. Stay informed
Staying up to date with the latest scams and potential vulnerability issues is one of the best ways you can keep your collection safe from NFT hacking attacks.
Talk to Mooning for more information about NFT security
Interested in learning more about NFT hacking and what else you can do to stay fully secure? Have a chat with the team at Mooning today by calling us on 1300 818 435.
We’re also here to help you with everything from NFT campaign conceptualisation and community management as well as minting, listing and selling plus much more.
You can see us as your one stop NFT shop! So get in touch with us today.