NFT Exploits: Exploring Digital Asset Risk

The world of non-fungible tokens (NFTs) has seen a significant surge in popularity in recent years, with scores of individuals and organizations participating by buying, selling, and creating NFTs. Research from Statista suggests that the NFT market is worth approximately $3.5 billion in 2023. While already large, the NFT market is expected to grow at a 33.7% CAGR over the next eight years and reach a total market size of $231 billion by 2030 according to a report by Verified Market Research.
Why Hackers are Targeting NFTs
The rising popularity of NFTs has unfortunately garnered the attention of bad actors hunting for their next big score. In response to growing consumer demand many tokens have been created, but to get to market faster many have failed to implement proper security measures. As the value of NFTs grows and their presence in the marketplace increases, hackers will attempt to capitalize on the vulnerabilities of tokens.
Additionally, the lack of comprehensive NFT compliance measures puts users at a significant risk. Users are not able to easily understand the true value of NFTs, which often derive their valuation based on total volume transacted. Unfortunately, the volume of NFTs can easily be tampered with using creative wash trading — a practice in which a trader buys and sells a security for the express purpose of feeding misleading information to the market. A pertinent example of this is the case of LooksRare, an NFT marketplace that outperformed OpenSea in terms of total volume transacted but was later revealed to have 95% of its trading activity stem from wash trading.
Considering the high value that some NFTs can reach, hackers view NFTs as a lucrative opportunity to make money quickly by exploiting their vulnerabilities such as weak authentication or insecure protocols. By attacking NFT tokens and wallets, hackers can not only steal NFTs but also access the financial resources associated with them such as cryptocurrency.
Nefarious actors are targeting NFTs because they represent a wide range of high-value assets, the market is relatively new and largely unregulated, and because NFT hacks offer a high ROI as millions of dollars can be stolen in just a single attack.
Next, we will take a closer look at recent NFT hacks and the common vulnerabilities being exploited.
Recent NFT Hacks
The ascension of NFTs has brought with it a number of high-profile NFT hacks and related breaches. In February 2021, the popular NFT marketplace Rarible was hacked resulting in the theft of over $2 million worth of NFTs. In March 2021, a hacker exploited a vulnerability in the smart contract of the popular NFT project Sorare, resulting in the theft of over $14 million worth of NFTs.
In 2022, available data suggests that both the number of hacks and their severity have increased. The top 5 NFT hacks that occurred in 2022 are:
1) $180.7 million was stolen from Lympo. Hot wallet hacks in January 2022 cost the NFT sports mining platform, a division of Animoca Brands, 165.2 million LMT tokens.
2) Farmers World lost $15.7M. Farmers World, a game on the WAX cryptocurrency network, was hacked in November 2021, causing a loss of more than ¥100 million ($15.7 million). Some experts, however, believe that the actual amount could be close to $45 million.
3) The Bored Ape Yacht Club lost $13 million. The creators of the Bored Ape Yacht Club collection were robbed in April 2022. Hackers compromised an Instagram account to commit the theft. Other developers including Mutant Apes, Azuki, Otherside, and CloneX tokens also fell victim to scammers, though in different incidents.
4) $10 million was stolen from DragonSB Finance. Hackers broke into the smart contract of the company that created this game project in April 2022.
5) OpenSea lost $3.44 million. Hackers used a phishing attack in February 2022 to take over 1,200 ETH from the NFT marketplace.
Next, we will explore common vulnerabilities exploited by hackers.
Key NFT Vulnerabilities
The key vulnerabilities that are being exploited by hackers in NFT-related hacks include:
Smart contract vulnerabilities:
Many NFT projects are built on top of smart contracts, which are self-executing contracts with the terms of the agreement written into code. Hackers are able to exploit vulnerabilities in these smart contracts to steal NFTs or manipulate their underlying assets.
Hackers can exploit smart contracts in NFT hacks by finding and exploiting vulnerabilities in the code. There are a few different ways that hackers can exploit smart contracts to steal NFTs or manipulate their underlying assets:
- Re-entrancy attacks: A re-entrancy attack occurs when a malicious contract is able to repeatedly call itself, potentially draining the balance of the contract it is calling. This can be used to steal tokens or manipulate the balance of an NFT contract.
- Front-running: Front-running occurs when a malicious contract is able to execute a transaction before others, potentially allowing the attacker to buy or sell NFTs at a favorable price.
- Unchecked return values: If a smart contract doesn’t check the return values of external calls, an attacker can manipulate the contract’s state by returning unexpected values.
- Lack of access controls: Smart contracts should have proper access controls to prevent unauthorized parties from executing certain functions, but if these controls are not implemented, an attacker can potentially execute any function in the contract.
Lack of authenticity:
Fraud is another reason why hackers target NFTs. Scammers can create fake NFT marketplaces and projects, and entice buyers to invest in them with the promise of high returns. Once buyers have invested, the scammers disappear, leaving buyers with worthless assets.
Lack of security measures:
Another common reason why NFTs are exploited is their lack of security. Many NFT projects are built on top of smart contracts, which are self-executing contracts with the terms of the agreement written into code. However, the code is not always open-source, and it can be difficult for buyers to verify the authenticity of an NFT. This lack of transparency in security can make it easy for hackers to create and sell counterfeit NFTs, which can be difficult for buyers to detect. Furthermore, there aren’t any specific regulations around NFT compliance, which again puts the user at risk. There have been many instances in which NFTs have turned out to be dupes or copies rather than the actual ones. Verifying the authenticity of NFTs is also complicated because these digital copies are produced in abundance to confuse users.
Wash trading:
As the NFT market is relatively new and largely unregulated, it can be easy for individuals and groups to manipulate the prices of NFTs through wash trading and other manipulative practices. This can make certain NFTs appear more valuable than they actually are, making them an attractive target for hackers looking to make a quick profit. They quickly swap the NFT and are able to gain good profits from the trade.
The NFTs are usually swapped into crypto assets through NFT marketplaces that readily provide this service. This in turn leads to money laundering, as the initial NFT price manipulation is so widespread. The lack of AML for NFTs in particular has paved the way for this process.
Wash trading is a form of market manipulation in which an investor simultaneously sells and buys the same financial instruments to create the appearance of increased trading volume, which can artificially inflate prices. In the context of NFTs, this can happen when a group of individuals or entities collude to buy and sell the same NFTs repeatedly, creating the illusion of high demand and driving up prices. Once prices are artificially inflated, the manipulators can then sell their NFTs at a profit, leaving unsuspecting buyers with overpriced assets.
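One way a marketplace or analyst can screen for the round-trip pattern described above, as an added Python example (not from the original article; the sales records, wallet labels and function names are constructed for illustration). It flags sales in which a token returns to a wallet that held it earlier and reports how much of the headline volume those sales account for.

```python
from collections import defaultdict

# Constructed sample sales in time order: (token_id, seller, buyer, price_eth).
SALES = [
    (1, "0xA", "0xB", 10.0),
    (1, "0xB", "0xA", 12.0),   # token 1 goes back to its earlier holder
    (1, "0xA", "0xB", 15.0),
    (2, "0xC", "0xD", 1.0),
    (3, "0xE", "0xF", 2.0),
    (3, "0xF", "0xG", 2.5),
    (3, "0xG", "0xE", 3.0),    # closes a three-wallet loop
    (4, "0xH", "0xI", 0.5),
]


def flag_round_trips(sales):
    """Indices of sales lying on a loop in which a token returns to an earlier holder."""
    chain = defaultdict(list)   # token_id -> [(holder, index of the sale they sold in)]
    flagged = set()
    for i, (token, seller, buyer, _price) in enumerate(sales):
        chain[token].append((seller, i))
        holders = [h for h, _ in chain[token]]
        if buyer in holders:
            start = holders.index(buyer)   # earliest point at which the buyer held it
            flagged.update(idx for _, idx in chain[token][start:])
    return sorted(flagged)


def volume_report(sales):
    """Reported volume versus the volume left after removing round-trip sales."""
    flagged = set(flag_round_trips(sales))
    total = sum(s[3] for s in sales)
    suspect = sum(s[3] for i, s in enumerate(sales) if i in flagged)
    return {"total": total, "suspect": suspect, "organic": total - suspect,
            "suspect_share": round(suspect / total, 3)}


if __name__ == "__main__":
    print(flag_round_trips(SALES))
    print(volume_report(SALES))
```

A legitimate owner can also buy back a token, so a flagged loop is a lead for review (shared funding source, timing, rising prices inside the loop) rather than proof of manipulation.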
Securing NFTs Moving Forward
Hackers are increasingly targeting Non-Fungible Tokens (NFTs) due to the potential for large financial gains and the lack of robust NFT compliance regulation. NFTs have become extremely popular in recent years, as they allow users to own digital assets that can be easily traded and certified on public blockchains like Ethereum. As a result, hackers view them as lucrative targets because they can access wealth through even small amounts of stolen tokens.
Furthermore, since many NFT transactions are conducted with minimal security practices or knowledge by nontechnical users, hackers may find it easy to exploit vulnerabilities in smart contracts associated with these tokens. Another reason why attackers target NFTs is that their high liquidity makes them attractive investments for malicious actors looking for quick returns on their illegal activities.
Some platforms where these digital assets trade do not properly screen buyers and sellers, which allows bad actors to more easily infiltrate marketplaces and steal cryptocurrency funds from unsuspecting investors who don’t understand how the technology works or its risks. If marketplaces employ AML for NFTs, there is a strong possibility that these transactions will decline and user funds can be safeguarded.
A key compliance requirement is to prevent unauthorized use of an organization’s digital assets. This helps counter the threats of money laundering, terrorist financing, and the interface between AML and cybersecurity.
The analysis and planning phases of the AML process can help focus the review of risk management processes on the areas that pose the greatest risk for money laundering and terrorist financing. AML procedures include a review of information to ensure compliance with all legal standards and sanctions, and to address potential trade finance vulnerabilities to documented counterfeiting related to money laundering as well as other illegal activities. Additionally, compliance officers protect their organization’s digital assets by employing robust cybersecurity measures, such as regular software and security system updates, applying industry best practices, and ensuring continuous monitoring for unusual activity, alongside AML measures such as transaction monitoring and customer due diligence.
Clearly, there is great incentive for hackers to target NFTs; however, this should not deter legitimate users from taking part in this potentially profitable asset class if proper security measures are implemented along with sufficient education about the technology being used.
Despite recent volatility, one thing remains clear: NFTs are not going anywhere, and neither will the criminals who are exploiting them.