What NFT Marketplace Vulnerabilities and Security Concerns You Should Be Aware Of

With great popularity comes great concern. Take a look at traditional art — the more famous the artist is, the more likely it is that their work will become a target for thieves and forgers. Picasso, for example, ranks first in popularity among art thieves: more than 1,000 of his works have been stolen.

One of the most unimaginable thefts is the disappearance of a two-ton bronze sculpture by Henry Moore worth £3 million. The police solved the crime: it turned out that the sculpture was melted down and sold for no more than £1,500.

If a two-ton artwork and paintings by Picasso are no problem for cunning thieves, then what can be done to protect digital art, which could be stolen in a couple of mouse clicks?

As the saying goes, forewarned is forearmed. Read on to find out what the key vulnerabilities of NFTs are, how scammers typically operate, and what you can do to protect yourself, your marketplace, and your tokens.

Are NFTs secure?

Despite their uniqueness and tremendous boons, such as transparent transfer of ownership and creator royalties from token resales, NFTs do experience some security issues.

This trend is still in its infancy, but evil never sleeps: fraudsters and hackers see the impressive market growth and hype around NFTs and they have already found ways to steal tokens and money. Their methods are becoming more and more sophisticated.

For example, one of OpenSea’s security flaws has been successfully exploited by hackers. The hacker attack happened in January 2022 and resulted in the theft of about $1 million worth of NFTs. The hackers were able to buy at least 8 NFTs for much less than what was thought to be their “fair market value.”

Phishing is another cybercrime that is widespread in the NFT space and beyond. One of the latest phishing attacks happened in January 2022 when scammers tricked supporters of CryptoBatz — Ozzy Osbourne’s NFT project. Of course, a collection of 9,666 digital bats issued by a famous rock star attracted the public’s attention. Scammers took advantage of this opportunity.

They used an old URL of the project and created a fake Discord server. Since the old tweets from CryptoBatz and Ozzy himself contained the previous URL and were not deleted, they unintentionally directed users to a server taken over by scammers.

As a result, users clicked on a message asking them to verify their crypto assets. They were redirected to a phishing site, where they connected their crypto wallets and ended up losing money.

Selling fake works attributed to famous artists as non-fungible tokens is also a popular NFT scam.

Another problem that really gives artists a headache is converting real artworks to NFTs without the artist’s consent and putting them up for sale.

Those art thieves, of course, do not have the right to sell other artists’ works, but nothing stops them and such cases happen all over the place. Digital artists Corbin Rainbolt, RJ Palmer, Weird Undead, Derek Laufman, and many others have unfortunately faced this situation.

In this video, we analyze even more NFT scams and show you how to detect and avoid them using machine learning technology. Check it out!

What are the key NFT vulnerabilities?

It’s worth noting that the underlying blockchain technology has nothing to do with Discord phishing attacks and the blockchain cannot control whether a published work of art really belongs to an NFT issuer. At the same time, when developing and maintaining your own NFT marketplace, you need to be aware of all possible vulnerabilities.

So what are the main risks of NFTs? Let’s find out!

Smart contract vulnerabilities

Smart contracts are the main and most important feature of any blockchain. When it comes to NFTs, smart contracts help process transactions and manage the transfer of ownership.

If smart contracts are well programmed and have successfully passed an independent audit, it will be extremely difficult for attackers to tamper with them. On the other hand, if security vulnerabilities are unaddressed, smart contracts can be exploited to benefit hackers. NFT holders will lose their tokens and large sums of money, while the marketplace will probably have its reputation ruined forever.

In March 2021, the Meebits, a collection of 20,000 unique 3D voxel characters, experienced an exploit. The attacker, 0xNietzsche, created a contract that minted multiple tokens, but the attacker canceled the transactions if the minted NFT was not what they wanted. As a result, 0xNietzsche spent over $20,000 in gas fees and received and sold Meebit #16647 for over $700,000.

Marketplace and NFT security risks

Given that NFT marketplaces are based on blockchain technology, they are supposed to be decentralized. However, there is currently controversy around OpenSea, one of the largest NFT platforms.

In December 2021, an artist and NFT collector Todd Kramer reported that his NFT assets including Bored Apes were stolen. The tokens were worth about $2.2 million. In response to these actions OpenSea froze the stolen items and stopped all trading of them. This action called into question the decentralization of the platform and many users agreed that this contradicted the whole crypto philosophy.

Another problem is that some marketplaces are centralized, meaning that the events are recorded in an off-chain database managed by the NFT marketplace itself. Nifty is an example of such a marketplace. A centralized marketplace usually stores all the private keys of digital assets on their own platforms, so, if there is an attack, hackers can steal lots of tokens in a very short time.

Speaking of other types of protocol designs, there are also on-chain and hybrid ones. Axie,CryptoPunks, Foundation, and SuperRare are on-chain marketplaces and OpenSea and Rarible follow the hybrid model.

In addition to this, many users neglect additional security measures: they set up weak passwords, forget about two-factor authentication, and click on questionable links.

Cybersecurity issues and NFT fraud

Hackers often try to access users’ personal information through malicious emails. Those emails look like they come from legitimate sources such as Coinbase, for example. Fraudsters inform users that there has been suspicious activity on their accounts and they need to provide a login and password to verify their identity. The scammers then access users’ accounts on the NFT platform and can do whatever they want there.

One more scam is sending users malicious NFTs. For several weeks in the fall of 2021, Check Point researchers observed tweets in which people complained about losing their crypto when trying to receive gifted NFTs on the OpenSea marketplace.

The researchers studied the problem and found serious security vulnerabilities which allowed scammers to hack into accounts and steal crypto from digital wallets after a user clicked on a link to gifted NFTs on OpenSea. Luckily, as soon as Check Point reported the issue to the platform, OpenSea fixed the vulnerabilities.

Some scammers also organize NFT airdrops and ask users to transfer crypto only to cover transaction fees, but the requested amount is always much higher than it actually is.

Authentication process and current concerns

Traditional art has been used for money laundering for years. NFTs could make this process even easier. For the time being, NFTs can be anonymous, and you may not know who is behind the artist’s nickname and avatar. There are also no laws or regulations for NFTs. These facts make NFTs ideal for hiding illegally earned money.

NFT marketplaces, even the largest ones, are not required to comply with Anti-Money Laundering (AML) and Counter Terrorist and Proliferation Financing (CTF/PF) standards, and users don’t need to go through Know Your Customer (KYC) procedures. However, there is more and more discussion about the possibility that NFT platforms will soon have to adopt KYC, AML, and CTF/PF solutions.

Co-founder and CEO of the Mintable NFT marketplace Zach Burks shared his opinion regarding this issue:

“It’s always hard to predict upcoming regulation — but I do expect some form of regulation to be drafted and proposed within the coming year or two years.”

At the same time, he added that NFTs should be viewed as digital certificates of ownership, i.e. the purchase of a token should not require passing KYC or having to comply with AML.

It is worth noting that, despite concerns, there have been no reported cases of NFTs being used for money laundering (yet).

If you’re planning to build your own NFT marketplace and want to know if you really need one, how long the development process takes, and what it takes to keep it running, watch this video!

How to protect NFTs

In the NFT domain, both marketplaces and users have to take additional precautions to protect themselves, their tokens, and their money. Even if the marketplace is completely safe, a small mistake on the user’s side — like not setting up two-factor authentication or clicking on a malicious link — will allow scammers to drain users’ digital pockets.

Let’s find out what NFT projects and marketplaces can do to protect their users and themselves.

Step 1. Perform smart contracts audit

NFT smart contracts should be inspected for vulnerabilities. Before deploying the project, you need to turn to a smart contract audit company to assess the code, analyze the design and architecture of the smart contracts, and detect any flawed features or potential threats.

A professional audit ensures that your smart contracts are secure and the code is bug-free and works as it should.

Step 2. Adhere strictly to the decentralization principle

When a platform is centralized, all private keys are stored within the platform. This puts users’ private keys and digital assets at risk.

Ideally, the NFT market should not have access to private keys and should not violate the principle of decentralization. It is also recommended that the contract holding the NFT be accessed through a multi-signature.

Step 3. Instruct your users on the necessary security measures

Prevention is better than cure. Whether your users have just entered the NFT world or are already experienced players in this field, it is your responsibility to educate them about security measures.

Give your users basic security instructions on your platform, for example:

✔️ Enable two-factor authentication (2FA)

✔️ Create a strong password and store it offline

✔️ Use an NFT hardware wallet purchased only from official manufacturers

Hard wallets exist physically and are not connected to the Internet until the user plugs them into the computer. When using a hard NFT wallet, the user approves each transaction by tapping physical buttons. They are much more secure than hot wallets and protect users from losing their crypto and NFT assets. When buying one, make sure it is the latest firmware version.

In addition to this, remind your users that they should:

❌ Never share their secret recovery phrase with anyone, even their closest friends

❌ Never store their secret recovery phrase on any device

❌ Never share their screen when using their crypto wallet and the NFT marketplace

As a marketplace creator, you can also recommend NFT holders using Shamir’s Secret Sharing (SSS), which is a key distribution algorithm that allows you to protect a secret by dividing it into multiple parts and storing it in different locations.

Legal considerations to take into account

When designing your marketplace, it is necessary to take into account not only security vulnerabilities but also possible legal issues. Here is what you need to consider.

Company formation

To launch an NFT trading platform, you first need to create a legal entity to provide strong liability protection for business owners and safeguard your assets.

Platform terms of service

Since NFT marketplaces typically consist of user-generated content, there is a high chance that one user’s behavior may negatively influence another user.

To protect both your company and your users, it is important to design your terms of service carefully. It is a governing legal contract between your marketplace and your users, i.e. NFT artists, supporters, buyers, and holders.

Terms of service will protect the company from various legal issues. Typically, the document will include a disclaimer of any warranties regarding users, limitations of the company’s general liability, etc.

Intellectual property protection

Fake NFT assets are all over the place. As the creator of an NFT marketplace, you must ensure that your platform is capable of verifying and protecting the intellectual property rights of every participant: creators, buyers, and other parties involved.

Copyright usually belongs to the creator of the original artwork. If an NFT is created and sold, the buyer will also receive a set of intellectual property rights from the creator.

When tokenizing an artwork, it is also necessary to take into account ancillary parties such as studios, record companies, producers, and so on.

Data privacy

Developing a privacy policy and publishing it is necessary not only to comply with legal requirements but also to build trust among your NFT community. If your privacy policy is well drafted, you will gain trust and present yourself as a mature company.

A poorly written and controversial privacy policy can undermine user trust in your marketplace. Be transparent about your data collection, and users will appreciate it.

CheckNFT by PixelPlex: helping to prevent issues

When creating, selling, and buying NFTs, it is often very difficult for creators, buyers, and investors to make informed decisions with minimal risk.

For creators, the difficulty is that they may not know the market and therefore find it hard to evaluate their work and set a fair price. Another big problem is when NFT scammers publish NFTs using artists’ works without their permission. As for buyers, they must check and analyze large amounts of information to be sure they are buying genuine works and not fakes.

CheckNFT can tackle these problems. This is a business intelligence and data visualization solution designed specifically for NFT enthusiasts. The service analyzes on-chain, social and other metrics and delivers unique insights that can help NFT supporters make decisions. Users can search tokens by NFT or creator’s ID and get information on collectibles and their creators.

Most importantly, CheckNFT can help NFT enthusiasts avoid dangerous situations. The solution alerts users to risks and red flags such as possible fraud, scams, blacklists, wash trades, price manipulation, IPR violations, and NFT duplicates. You can simply check through a summary of risks and save your money and tokens.

It is worth noting that this solution is not the first NFT project for PixelPlex. Its team has been working on blockchain-based applications for years, and building secure NFT marketplaces is currently one of their most popular areas of work.

Conclusion

As of today, the majority of NFT scam cases are not related to blockchain itself. While the technology is quite secure, users continue to lose their tokens and crypto after clicking on malicious links or because they didn’t set up 2FA or only used a hot wallet.

Marketplaces need to work harder to ensure they are secure tech-wise and that their users are aware of all protective measures. In the near future, NFT marketplaces will also have to come up with solutions to protect creators and check if NFTs come from genuine authors. At the same time, they will need to stick to the decentralization principle.

If you already have an NFT marketplace, but it has vulnerabilities or you want to build a new platform from scratch, you can turn to blockchain NFT developers. They will help bring your ideas to life and create a robust and secure NFT marketplace.

The market is growing by leaps and bounds, so get moving to jump on the NFT bandwagon and take advantage of the best opportunities!