
Are NFTs secure?

Kristelle F
Published in The Capital
6 min read · Sep 27, 2021


NFTs have been hyped for the past year. Not gonna lie, I don’t really understand why. I know what they are and how they work, but I don’t get why everyone is so excited about them. When I first heard about NFTs, my first thought was: “Are they secure?” The answer is always the same: “Nothing is 100% secure.” So in this post, we will discuss the security issues around NFTs.

What are NFTs?

NFT stands for Non-Fungible Token. Fungible means interchangeable (one ETH is as good as any other ETH); a non-fungible token is unique and cannot be swapped one-for-one with another. Most of them live on the Ethereum blockchain, typically as ERC-721 tokens. The token is a certificate of ownership: the blockchain records which address holds a given token ID. You can get an NFT of your favorite painting (if you have the money for it), or a token representing a football player, a meme, anything you can think of, even an emoji. What’s the kick? You’re the only one who owns that token, no one else can claim it. But owning the token is not owning the copyright: if you bought a meme, everyone else still has access to it and can use it. Same goes for clips of YouTube videos. Worse, nothing stops the artist from minting and selling multiple tokens of the same artwork. Your investment, which was worth X amount, could lose its monetary value. Something I found mindblowing is Hacker Fantastic, who put up a denial-of-service zero-day exploit NFT for sale. You read that right, you can own an exploit (see his tweet)! However, nothing stops others from finding this vulnerability and exploiting it: the token gives you the token, not exclusivity over the bug.

Are these tokens secure, or can you still get scammed? As always, attackers are super creative and opportunistic. So yes, you can get scammed. Does that mean you should not invest? That’s not what I’m saying. Buying NFTs is an investment like any other, so do your research before jumping in on the trend.

Cybersecurity and NFTs

Phishing

A very common attack is phishing for your private key or secret recovery phrase (seed phrase), which lets the attacker move your NFTs to an attacker-controlled wallet. How does it happen? There are multiple techniques. Attackers can get you to type your key into an attacker-controlled website that looks exactly like one you commonly use, or get you to install malware on your laptop that reads it from disk or the clipboard. A legitimate site never needs your private key or seed phrase: a wallet signs transactions locally, and a website only ever receives your public address and the signatures you approve. So be careful where you input your private key, it’s private, i.e. a secret! Also, use good anti-malware and scan your devices often, and read what a transaction does before approving it in your wallet; a “sign in” prompt on a fake site can actually be an approval that lets the attacker transfer your tokens.

MetaMask tweeted about a phishing bot that offers “support” by asking you to fill in a Google Form and enter your secret recovery phrase. MetaMask reminded users to only get support from within the app to avoid phishing.

Replica and Fake NFT Stores

The applications built on or around blockchains are not always secure. You might trust the blockchain, but how do you know whether you can trust the marketplaces built on top of it? There are many cases where users got scammed by a fake crypto app or website. Users buy stuff online all the time, and sometimes they do not receive what they bought. These scams happen very often with crypto marketplaces; they are called exit scams. The platform shuts down right after some users make a purchase, which they never receive. And unlike a credit card payment, a blockchain transaction cannot be charged back.

What stops scammers from putting non-existent NFTs for sale on their marketplace and then never sending the token? Nothing.

You should also watch out for replica stores. These marketplaces look very similar to known NFT marketplaces (often under a look-alike domain), but you will not receive your token. The scammers will take your crypto and steal sensitive info. Check the domain in the address bar and, for the collection you are buying, compare the contract address on the listing with the one the project publishes.

Fake NFTs

Someone bought a fake Banksy NFT for 336K GBP (BBC’s article). A link to the auction was posted on Banksy’s official website banksy.co.uk. The buyer got lucky: the hacker sent back all the money except for the transaction fee of 5,000 GBP. Nothing stops attackers from claiming an artwork as theirs and selling you a fake certificate of ownership. This certificate is of no value; it’s the same as owning a fake Louis Vuitton bag. This happened with Derek Laufman’s artwork (The Verge’s article): someone impersonated him on the website Rarible and even got the account verified. Before the account was deleted, a user had already purchased an NFT of the artist’s work.

Lesson: be sure that the NFT you are buying is sold by the real artist, company, etc. You can do so by contacting them directly through a channel you already trust, and by checking that the seller’s wallet or contract address matches the one they publish. In the case of the fake Banksy NFT, there are claims that the official website was hacked. I do not have any recommendation for individuals in this scenario; this should have been caught before the sale happened. Unfortunately, 100% security can’t be guaranteed. However, it’s Banksy we are talking about, so it might have been another of his stunts. We’ll just have to wait and see.

Inaccessible NFTs

Some people have experienced their NFTs vanishing. After logging into their account, they were greeted by a 404 message stating that the file they are trying to access cannot be found. WTH! How can this happen when NFTs are recorded on the Ethereum blockchain, which is immutable and irreversible? Because the artwork you purchase is not actually stored on the blockchain; it’s stored somewhere else (it could be anywhere). What you’re actually buying is a reference to that file: the token on-chain points to a metadata file (its tokenURI), and that metadata in turn contains the URL of the image. Basically, you invest in a certificate containing the URL address of the artwork. This Vice article cites an interesting analogy: it compares NFT platforms to art galleries’ windows. The art gallery chooses when it wants to open or close its windows. Why would they close their windows, though? Apparently, there are a lot of copyright issues, not surprising since artists see their work stolen often. There might be many other reasons too. In this case, your file still exists, but you cannot display it anymore. Worse, if the file is removed at the source, there is nothing you can do to recover it; the artwork you bought does not exist anymore. Where the reference points matters: a plain https:// URL serves whatever the host decides (or nothing); a content-addressed reference such as ipfs:// names the file by a hash of its bytes, so it cannot be silently swapped but still disappears if nobody keeps a copy; and only artwork embedded in the token itself (a data: URI) is as permanent as the chain.
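The indirection described above, as an added example that is not part of the original article: a small Python script that walks token → tokenURI → metadata JSON → image URL, classifies each hop by how easily it can vanish, and reports the weakest link. It assumes the ERC-721 metadata layout (a JSON object with `name` and `image`). All sample metadata, the `*.invalid` hostnames and the `QmExample...` identifiers are constructed placeholders, not real tokens, and network access is replaced by an injected lookup function so the script runs offline.

```python
"""Where does an NFT's artwork actually live?

Added example, not from the original article. It walks the indirection the
article describes: on-chain token -> tokenURI -> metadata JSON -> image URL,
classifies every hop by how easily it can vanish, and reports the weakest
link. Network access is replaced by an injected lookup function so it runs
offline; all sample metadata, hostnames (*.invalid) and "QmExample..." CIDs
are constructed placeholders, not real tokens.
"""
import base64
import json
import re
from typing import Callable, Dict, Optional
from urllib.parse import unquote_to_bytes

# Most durable first. "unreachable" is the 404 the article describes.
DURABILITY = ["on-chain", "content-addressed", "content-addressed-via-gateway",
              "mutable-url", "unknown", "missing", "unreachable"]

# An IPFS gateway path (https://<host>/ipfs/<cid>/...): the CID is in the URL,
# but the gateway host is a single point of failure.
_GATEWAY_CID = re.compile(r"^https?://[^/]+/ipfs/[A-Za-z0-9]+")


def classify(uri: str) -> str:
    """Durability class of one reference (tokenURI or image URL)."""
    if uri.startswith("data:"):
        return "on-chain"                       # bytes are inside the token
    if uri.startswith(("ipfs://", "ar://")):
        return "content-addressed"              # name is a hash of the bytes
    if _GATEWAY_CID.match(uri):
        return "content-addressed-via-gateway"
    if uri.startswith(("http://", "https://")):
        return "mutable-url"                    # host serves whatever it likes
    return "unknown"


def decode_data_uri(uri: str) -> bytes:
    """Decode a data: URI (base64 or percent-encoded) to raw bytes."""
    header, _, payload = uri.partition(",")
    if ";base64" in header:
        return base64.b64decode(payload)
    return unquote_to_bytes(payload)


def resolve(uri: str, fetch: Callable[[str], Optional[bytes]]) -> Optional[bytes]:
    """Bytes behind a URI; data: URIs need no network, everything else uses fetch."""
    if uri.startswith("data:"):
        return decode_data_uri(uri)
    return fetch(uri)


def audit_token(token_uri: str, fetch: Callable[[str], Optional[bytes]]) -> Dict[str, Optional[str]]:
    """Classify tokenURI and image, then report the least durable of the two."""
    report: Dict[str, Optional[str]] = {"token_uri": classify(token_uri), "name": None}
    raw = resolve(token_uri, fetch)
    if raw is None:
        report["image"] = "unreachable"         # metadata itself is gone
    else:
        meta = json.loads(raw)
        report["name"] = meta.get("name")
        image = meta.get("image") or meta.get("image_url") or ""
        if not image:
            report["image"] = "missing"
        elif resolve(image, fetch) is None:
            report["image"] = "unreachable"     # metadata exists, picture does not
        else:
            report["image"] = classify(image)
    report["weakest_link"] = max(report["token_uri"], report["image"], key=DURABILITY.index)
    return report


# --- Constructed samples (offline stand-in for IPFS/HTTP fetches) ----------
_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="8" height="8"/></svg>'
_PNG_STUB = b"\x89PNG\r\n\x1a\n"  # constructed: just the PNG signature

_SAMPLE_STORE: Dict[str, bytes] = {
    # 1: metadata and image both content-addressed
    "ipfs://QmExampleMeta/1.json": json.dumps(
        {"name": "Sample #1", "image": "ipfs://QmExampleImage/1.png"}).encode(),
    "ipfs://QmExampleImage/1.png": _PNG_STUB,
    # 2: everything behind a marketplace's own web servers
    "https://api.market.invalid/meta/2": json.dumps(
        {"name": "Sample #2", "image": "https://cdn.market.invalid/2.png"}).encode(),
    "https://cdn.market.invalid/2.png": _PNG_STUB,
    # 3: "https://gone.invalid/meta/3" is deliberately absent -> the 404 case
}

# 4: fully on-chain token: metadata and SVG are embedded as data: URIs
ONCHAIN_TOKEN_URI = "data:application/json;base64," + base64.b64encode(json.dumps({
    "name": "Sample #4",
    "image": "data:image/svg+xml;base64," + base64.b64encode(_SVG).decode(),
}).encode()).decode()


def sample_fetch(uri: str) -> Optional[bytes]:
    """Offline fetch: returns None (the 404) for anything not in the store."""
    return _SAMPLE_STORE.get(uri)


if __name__ == "__main__":
    for uri in ("ipfs://QmExampleMeta/1.json", "https://api.market.invalid/meta/2",
                "https://gone.invalid/meta/3", ONCHAIN_TOKEN_URI):
        r = audit_token(uri, sample_fetch)
        print(f"{r['name'] or '?':10s} tokenURI={r['token_uri']:30s} "
              f"image={r['image']:30s} weakest={r['weakest_link']}")
```

To run it against a real token, read the tokenURI from the contract and pass a `fetch` that actually performs the HTTP or IPFS request in place of `sample_fetch`. Note the limit of the "content-addressed" verdict: it means the bytes cannot be silently swapped (you can re-hash what a gateway returns and compare it to the CID), not that they will stay available; someone still has to keep a copy pinned.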

Giveaway Scams: Free NFTs

Scammers have asked crypto enthusiasts to send them some crypto in exchange for more crypto. Have you heard of the Rarible scam? People received messages about a Rarible giveaway. To participate, they had to send between 500 and 25,000 RARI. They would then receive five times the amount they sent. As you probably guessed, they did not receive anything. Of course, not all giveaways are fake. It’s common to give out free stuff to potential customers. Just be careful: a real giveaway never requires you to send funds first. I personally would not send money to get more money. If it’s free, then just give it to me for FREE.

Final Thought

My goal is definitely not to scare you away. I think NFTs are cool, even though I don’t grasp all the excitement. They allow artists, especially those working digitally, to get exposure, sell their work and keep control over it. I’m just pointing out that there are security risks you should be aware of before jumping in and buying the first NFT you come across. As I said before, you are making an investment, so do your research.

Securely yours,

Kristelle Feghali

Kristelle F
The Capital

Founder and CTO, writing about tech and security