In 2021, total NFT sales grew from $1.3 billion in the second quarter to $10.7 billion in the third quarter. Sales of collectible NFTs grew far more sharply, more than 100-fold, from $55.5 million at the beginning of the year to $5.6 billion in the third quarter; even the two most famous auction houses, Sotheby's and Christie's, joined the NFT boom and started accepting cryptocurrencies as a payment method, allowing wealthy crypto holders to take part in their auctions as bidders.

The rise of the NFT market has certainly not gone unnoticed among hackers, who are ready to show their ingenuity in attempts to expropriate or counterfeit non-fungible tokens. There are not many documented cases of attacks on NFT smart contracts, but server-based marketplaces have suffered several attacks, some of them successful. If you do not want to become a victim of this kind of attack one day, you need to know how to protect yourself.

How to protect yourself from a counterfeit NFT?

To begin with, NFTs cannot be replicated, and this is something you can be sure of; NFTs with similar IDs can still be issued, but only by a different smart contract. To verify the authenticity of an NFT, copy the address of the smart contract that minted it and look it up on the respective blockchain explorer.

If the smart contract is a fake, it will be marked as unverified and will have no metadata; if instead the smart contract is genuine, you will see it marked as verified and it will carry metadata that unequivocally identify the owner of the smart contract and other relevant details.

This is all part of normal due diligence, and no smart contract review will help you in this situation.

Keep your NFTs safe

Regarding the security of the NFTs in your possession, remember that they can be stolen, so you must use a safe method of custody to prevent this from happening. Here the main weakness is storing your non-fungible tokens on centralized marketplaces: these platforms are server-based and keep your NFTs in a single wallet. So if a hacker logs into your account, he will be able to transfer your NFTs to a different address.

We saw this happen with the Nifty Gateway marketplace in March of this year: on March 14, one of the platform's users wrote that someone had stolen his NFTs and then bought over $10,000 worth of NFTs dropped that day using his funds. This shows the vulnerability of centralized marketplaces and the threats their users can face.

This kind of problem has nothing to do with the smart contracts that mint NFTs, but rather with the security of the platform; it is therefore safer to transfer your NFTs to your own wallet, over which you have full control.

The recursive attack

The recursive attack (reentrancy attack) is a well-known type of hacker attack that targets the fallback function of Ethereum contracts: in ERC-20 contracts, the fallback function runs when the contract receives Ether, executing a transaction that no other function of the contract can perform; in particular, it handles transactions that carry no additional data.

To perform a recursive attack, the attacker must first deposit an Ether balance into the target from his own smart contract; he can then use the fallback function of his smart contract to call the "withdraw" function of the contract he wants to drain. If the targeted smart contract performs the transfer before adjusting the balance, the hacker can repeat the "withdraw" call several times and empty the contract.

With NFT smart contracts, the fallback function of the attacker's contract can likewise call the "withdraw" function of another contract to transfer its tokens; the hacker's smart contract must also hold a balance that the target contract reads before performing the transfer. So, if a recursive attack works against an NFT contract, the victim will be the seller.

Recursive attacks essentially exploit the order in which a smart contract's function performs its steps; the most reliable way to protect a contract from this type of attack is the so-called "checks-effects-interactions" pattern, which ensures that the function first checks the balance, then updates it, and only then transfers the assets to the external party. This is something that a smart contract audit can help with, and it is a tool that NFT marketplaces should always employ before deploying their contracts.

In conclusion

Non-fungible tokens are unique and cannot be forged; only a different smart contract can issue a similar NFT, which will nonetheless be distinct and can be identified as such by the address of the contract that mints it. This is something the buyer should pay attention to: in this case, a contract audit cannot help.

Another risk is theft: tokens can be stolen from centralized NFT marketplaces should a hacker gain access to a user's account. To prevent this from happening, be sure to transfer your NFTs to a wallet that you control, not the marketplace. Moreover, marketplaces should take platform security very seriously and follow strict internal protocols, as well as take serious measures against external attacks.

Finally, an NFT smart contract must be audited to verify that it is not vulnerable to a recursive attack; this also applies to marketplaces, given that NFTs are issued almost entirely through smart contracts.