Research Summary - Understanding Security Issues in the NFT Ecosystem

TLDR

  • The study investigated security in the NFT marketplaces and the broader NFT ecosystem through comparative, in-depth analysis of top NFT marketplaces.
  • Thirteen critical security, privacy, and usability issues were discovered.
  • These issues include counterfeiting, lack of seller/buyer verification, and a lack of transparency among many others.

Core Research Question

What are general security, privacy, and usability issues within the NFT ecosystem, and how do they affect the industry?

Citation

Das, D., Bose, P., Ruaro, N., Kruegel, C., & Vigna, G. (2021). Understanding Security Issues in the NFT Ecosystem. arXiv preprint arXiv:2111.08893. Available at: 2111.08893v1.pdf (arxiv.org)

Background

  • Non-Fungible Tokens (NFTs): Unique, non-interchangeable digital assets on blockchains. NFTs have various use-cases. Typically they represent assets such as art, collectibles, land, and others.
  • Fungible Tokens: Digital assets that can be easily interchanged. These include digital currencies like Bitcoin, and fiat currencies like US dollar banknotes.
  • Executing an NFT: The exchange of an NFT between a buyer and seller.
  • Smart Contracts: A program constituting ‘if’ and ‘then’ commands executed on a blockchain, for example, the transaction framework with which NFTs are bought and sold.
  • Decentralized applications (DApps): Blockchain program(s) designed for the end user primarily on the Ethereum blockchain, or any other network capable of launching Turing-complete programs.
  • Decentralized autonomous organizations (DAO): A group or community registered on a blockchain, bound by an agreement to be guided by rules encoded into a smart contract.
  • The Ethereum blockchain: A blockchain network that is Turing-complete, allowing for the creation of smart contracts and DApps
  • ERC-20: The first standard interface launched on the Ethereum blockchain, which allows for the creation and exchange of fungible tokens.
  • ERC-721: The first accepted interface for the creation of NFTs on the Ethereum blockchain , that allows for the creation and exchange of tokens that are usually non-interchangeable.
  • Off-Chain storage: The storage of an NFT off of a blockchain network, usually on a centralized server.
  • On-Chain storage: The storage of an NFT on a blockchain network (within the storage capabilities of said network).
  • Decentralized Finance (DeFi): A distributed and decentralized equivalent of the traditional finance system consisting of trading, lending, payments, and other financial services existing on a blockchain network.
  • Non-Fungible Token Marketplaces (NFTMs): Digital platforms designed to create, buy, and sell NFTs through digital transactions. The transactions are made by the buyer with virtual currencies; thereafter authenticated by the NFTMs; and then completed via smart contracts.
  • InterPlanetary File System (IPFS): A permission-less, distributed, and decentralized file system providing storage, and access to several documents, images, websites, links, and other data. The system is available “off-chain”; however, it allows for immutable permanent links in the blockchain.
  • Hardware Wallets (HW): A device that stores digital assets like cryptocurrency, and hosts private keys permitting access to those digital assets. Common examples are the Ledger or Trezor wallets.
  • Software Wallets (SW): A program that holds digital assets in storage in a downloadable format on a hardware device such as a computer or mobile phone. Consequently, SWs are easier to access than HWs but not as secure. MetaMask is an example of an SW.
  • Two-Factor Authentication (2FA): 2FA secures transactions by forcing multi-factor identity proof and verification, usually consisting of a digital certificate security and a one-time password (OTP).
  • Know Your Customer (KYC): The process and the policies used to identify and verify customers to prevent fraud or fraudulent activities.
  • Anti-Money Laundering or Combating the Financing of Terrorism (AML/CFT): Sustaining the integrity and stability of the international financial system through specific processes designed to prevent money laundering and funding of terrorism such as KYC.
  • Minting: The process of converting a file into a digital asset or signature, consequently becoming part of a blockchain network.
  • Levenshtein Distance: Also known as “edit distance,” a string metric for measuring the distance between two sequences.
  • Wash trading: Falsifying market activity. This is usually illegal and achieved by buying and selling (in this case) NFTs by the NFTM to create the perception of high sales and demand.
  • Shill bidding: Influencing the bidding process of an NFT by creating a different account solely for the purpose of submitting inflated bids to influence and spur other buyers to bid higher.
  • Bid shielding: Submitting artificially high bids to make an NFT unattractive to other bidders, and subsequently withdrawing the bid so that a fellow colluder can win the NFT at a lower price in a later auction.
  • Broken chains: URLs that lead to IPFS gateways breaking when the gateway becomes unavailable.

Summary

  • The study provides a systematic overview of the NFT ecosystem, identifying the emergence of NFTs, their protocols, and prominent actors. It covers privacy, security and usability issues in NFT ecosystems.
  • The multi-billion dollar ecosystem for the purchase and sale of NFTs has garnered attention not only from art collectors and gamers, but also from bad actors seeking to exploit security vulnerabilities.
  • The study identifies 8 prominent NFTMs: Opensea, Rarible, Nifty, Axie, Cryptopunks, Sorare, SupeRare, and Foundation.
  • They find security issues involving privacy, usability, and security are prevalent across the ecosystem.
  • The study focuses on the 3 most prominent NFTMs, OpenSea, Rarible, and Sorare.
  • First, they identify 13 security, privacy, and usability issues in the NFTMs (5 of which the study states were previously unknown). They also discover irregularities in NFTM implementations, revealing 5 security bugs in the three largest NFTMs: OpenSea, Rarible, and Sorare.
  • These irregularities consist of two different types of NFT implementation contracts, which are: marketplace contracts and token contracts.
  • The marketplace contracts are an interface between the user and the blockchain, while token contracts are implemented directly.
  • The study also included the discovery and highlight of ways external entities could pose a threat to NTFM users.
  • Finally, the study explains and measures malicious user behaviors such as wash trading, shill bidding, and bid shielding.

Method

  • The study segments the NFT ecosystem into prominent actors: NFTMs, external entities, and users.
  • The analysis of NFTMs consisted of a qualitative and quantitative study collecting 3 types of data across the NFT ecosystem (metadata of NFTs, NFT-related events, and Discord chat messages in corresponding channels) between June 15, 2021, and August 15, 2021.
  • The NFTMs were listed and data retrieved through API access, web scraping, and blockchain parsing while ensuring compliance with market restrictions. The analysis included inspection of Discord servers using specific keywords. A total of 31,000 messages were inspected across 9 channels. Information gathering for the security issues also included Discord investigations, reviewing NFTMs, reviewing previous public security incidents from news sources like blogs and technical reports, and other official NFTM documentation.
  • Identification of issues with external entities involved a comparative analysis of NFTM platforms. The comparative analysis was essential to discover how many NFTs had broken links between their metadata URL and the metadata record (which comprises the image URL of the NFT). Only one third of the more than 12 million digital assets on OpenSea had valid metadata.
  • A measurement study was employed to identify fraudulent user behaviors in NFT transactions. The process to decipher counterfeit NFT creation involved identifying the collections, images, and URLs and conducting computational analysis by measuring the Levenshtein distance (with a shorter distance indicating more significant similarity and a longer distance less similarity). The final stage required a perceptual algorithm and image hashing tool to compare images and detect similar and counterfeit images.
  • Heuristic data modeling revealed trading malpractice such as wash trading, shill bidding, and bid shielding. The model applied to 13,556,332 assets and 353,629,018 events, creating four graphs: a sales graph, a bidding graph, a payment graph, and an asset transfer graph, connecting and revealing relationships and malpractice paths.

Results

  • The study identified 13 issues as security, privacy, and usability concerns in the NFTMs.

https://lh3.googleusercontent.com/BL6W_h_wo8MWEsGsczwkV_1WFFGzD4U2CEN1c-4ufaUZUy6Yk5GgagE_W9k9aXdd8Vqv44mSYP7P22s-fRyXVQAL0aycHbwCemmPCMtrP1m6SURie638s79h7dfwmPqq5gfIA7zv

  • The study identifies 5 security bugs in 3 of the largest NFTMs (OpenSea, Rarible, and Sorare), three of which the identified parties had identified and remedied. The remedied security bugs remain undisclosed due to non-disclosure agreements signed by the authors.
  • The analysis of images and metadata reveals that many old tokens are invalid and do not contain images; consequently, a high number of NFTs have broken chains. This conclusion was reached after reviewing 12,215,650 assets from OpenSea, which returned only 4,393,566 assets with a valid metadata URL.
  • The findings reveal that 98.14% of wash-trade transactions reported point to Rarible, which the authors attribute to malicious users attempting to capture the platform’s $RARI tokens. OpenSea represented 1.71% of its transactions, with Sorare making up the rest of the total. OpenSea and Sorare showed 3,395 instances of shill bidding, while 492 instances of bid shielding involved 745 users across 113 collections on OpenSea (OpenSea and Sorare being the only evidenced platforms).

Discussion and Key Takeaways

  • Importance of Industry Analysis: Analyzing issues in the ecosystem is necessary to prevent loss and maintain industry growth.
  • Pertinence of Issue Resolution: The highlighted security, privacy, and usability issues of NTFMs will only continue to grow if not resolved.
  • Increased Security Standard Across NFTMs: A higher security standard across NFTMs is emphasized in the study.

Implications and Follow-ups

  • The study reveals several issues about the security of transactions and exchanges taking place between creators, buyers, and sellers on NFTMs. Considering the volume of transactions conducted in the NFT ecosystem, understanding security issues will make the ecosystem a safer and more environmentally friendly industry for investment.
  • The notion of making a trustless environment more trustworthy is ironic in this study. History has shown that standardization follows the growth of almost every industry but has moved slowly in NFTMs and the broader blockchain industry.
  • The influx of billions of dollars worth of capital and investments into the NFT system requires stringent compliance and standards, especially across platforms.
  • The study is missing a compliance angle to proffering a solution to the underlying issues of the ecosystem within the main article. Where not entirely legal, security compliance and quality or operating standards should be interoperable within platforms. There is a massive gap in the ecosystem regarding this. The authors did not recommend solutions to the security and ecosystem issues uncovered.
  • A further analysis of the top 15 NFT sales also reveals tax and legal issues.
  • The lack of interoperability across NFTMs is highlighted and can resolve where regulation mandates compliance with standard measures.
  • Accordingly, the discoveries made are essential for corrective measures in the future, especially considering the numerous possibilities NFTs offer.

Applicability

  • This comparative study can help develop patterns and metrics for the NFT ecosystem. Their examination of the NFTMs provides insight into how the ecosystem works and the underlying protocols of the markets.
  • Buyers, sellers, makers, and marketplaces will benefit from paying attention to the security vulnerabilities outlined in this article, so they can develop ways to counter them and avoid financial loss.
  • Data retrieval is needed to compare protocols, platforms, and marketplaces. The comparison allows metrics to be gained, stored, and used to create indices and parameters for future reference and correction.
  • The taxes and regulations around NFTs are unclear. This study can be useful for regulators seeking to better understand the fraudulent behaviors and insider trading of bad actors, and the dangers to the public involved in NFT transactions.
7 Likes

@LTTOguns Congratulations on this very timely research summary. I enjoyed reading it, but it also brought up a question that’s been on my mind for awhile.

You clearly state that “security issues involving privacy, usability, and security are prevalent across the [NFT] ecosystem.” And yet we also learn that the top three NFTMs had a trading volume in excess of $10B USD in the month of September 2021 alone.

How do you account for the willingness of investors to accept insecure systems and fraudulent behavior? Is it simply greed and FOMO ratcheted up by NFTM marketing, or are there other issues in the ecosystem itself? Do we need governmental regulation and oversight to prevent people from literally being robbed by high-tech charlatans?

2 Likes

I agree with Ralph, this was a great read and for me an important introduction to the NFT community’s issues with security. It seems like the wash trading they identified was primarily a means for generating tokens from the NTFMs, was there a sense of how much of a problem wash trading is for pricing? I’m not sure I’m wording that correctly, I’m curious about how inflated NFT prices are. Reading this, it doesn’t seem as crooked as I might have thought although they did look only seem to look at “blue chip” NFTs, in so much as there is such a thing, which might have a little more scrutiny on them as a category. I wonder how much of a problem wash trading and pumping and dumping is for NFTs from less reputable communities.

1 Like

@rlombreglia Thank you so much for your question. The introduction of Bitcoin back in 2008 was beleaguered with major controversy (even till this day). Early adopters of Bitcoin and the underlying technology, like other advancements, have always initially appealed to the illegal community with the likes of Silk Road and the other drug users and activities happening through the dark web[i]. Despite the controversy and challenges, Bitcoin beat all the odds, becoming a high-value digital asset, creating sudden millionaires, consequently creating a crypto mad rush due to FOMO - the fear of missing out on the next big thing. Therefore, the high trading volumes are a direct consequence of this FOMO, notwithstanding the prevalent issues. I do not believe this indicates investors accepting insecure systems and fraudulent behavior. Instead, I think such investors hope governance and regulation will catch up to the process; they invest early, hold, and hope to get significant ROI on their initial investments in this ‘economic drive’ cycle.

[i] Why is bitcoin so controversial?. Bitcoin is a peer to peer… | by Unocoin | Unocoin’s Blog

1 Like

Thank you so much @jmcgirk you raise an important limitation of the research paper. In their revision, the authors recently included the minting, listing, and trading of tokens, including other malpractices such as counterfeiting of NFTs. Another study conducted around the same period indicated that wash trading could be less prominent than initially estimated. However, we do recognize the enormity of these issues.

Wash trading and ‘pumping and dumping’ of NFTs could be a significant issue on less prominent communities NFTMs. The authors, as you mentioned, focused primarily on the Top 3 NFTMs given community attraction and high sales on such platforms. Wash trading, for instance, would typically occur between colluding agents to inflate apparent price/volume[i]. Investigating the NFTMs with the highest volumes could consequently be indicative. A deeper analysis of related NFT wash trades in less prominent communities would be enlightening.

[i] Arash Aloosh and Jiasun Li. “Direct Evidence of Bitcoin Wash Trading”. In: SSRN Electronic Journal (2019). doi: 10.2139/ssrn.3362153. url: Direct Evidence of Bitcoin Wash Trading by Arash Aloosh, Jiasun Li :: SSRN.

2 Likes

Thank you for this fantastic summary! Considering the inherent risks that come with arbitrage, did the study point at any successful regulatory sandboxes or experiments that would be useful as examples in how to approach attempting to regulate (or not to regulate) the risk?

I was fortunate enough to participate in helping the Mauritian government research and design their regulatory sandbox and by proxy the licensing that came after. One of the most recent developments is that Mauritius passed the Virtual Asset & Initial Token Offering Services Act which aims to provide “a comprehensive legislative framework to regulate the new and developing business activities of virtual assets and initial token offerings.”

With all that said, I am not advocating for “regulation” as a panacea for reducing market risk; on the other hand there does seem to be a benefit to creating more welcoming market conditions when there is clear legislation and regulation within a given market. Considering all of the legal issues that have already surfaced with the NFT market with a lack of clarity on how much responsibility an NFT issuing platform has in ensuring no copyrights are being infringed; did the authors make not of the potential for some type of “scam fatigue” to emerge in which a lack of regulation within the market creates conditions in which market abuses kill the inertia in the market?


Considering the available data suggests that interest in NFTs is waning, does the author give any indication as to how regulation could possibly help or hurt interest in NFTs?

4 Likes

@Larry_Bates Thank you so much for your insightful contribution and sharing of your previous projects to shed more light on the summary. Your highlight of a limitation of this paper is also refreshing. The authors, unfortunately, did not recommend any successful regulatory sandboxes or experiments to mitigate the security risks despite the discoveries made or their in-depth perspective of the NFT ecosystem. However, this can be juxtaposed with the restriction encountered by the non-disclosure agreement signed by the authors vis-à-vis potential solutions employed by certain NFTMs. The entire examination of the NFTMs, external entities, and users inadvertently invites the discussion around standardization and regulation (holding all parties responsible for their actions).

The NFT system, like all other decentralized systems, revolves around decentralization. The interference of a central system or method consequently defeats the whole concept. When individuals or parties conversely encounter the security, privacy, or technical issues accompanying the decentralized system, appeal then builds for regulation to mitigate risk. The crux of the matter then becomes how to resolve such issues in a decentralized manner. Meanwhile, the abuses could gravely affect the ecosystem, but we hope that with more research and development, clarity will begin to unfold for all stakeholders.

2 Likes

“The NFT system, like all other decentralized systems, revolves around decentralization. The interference of a central system or method consequently defeats the whole concept.”

I think this statement is internally consistent. The issue becomes, the statement presumes an “all or nothing” state concerning decentralization; which is only necessary when a specific type of decentralization is not alluded to. One of the running conversations on the forum is “what types of decentralization can occur”?

In this context, with the understanding that NFTs seem to be unable to cross the mainstream adoption threshold without some sort of regulatory clarity which area do you think would be most pragmatic for decentralization?

The contracts? The network security layer? The application layer? The regulatory oversight?

It doesn’t seem feasible to try to decentralize every single aspect of a system (unless I am missing something).

2 Likes

This is a brilliant summary. Well done @LTTOguns. I now understand terms like wash trading, shill bidding, et cetera.

There is a lot of practical use cases of NFT, especially as a bridge between developing economies and developed economies. It is thus quite sad that the NFTs ecosystem is now attracting bad actors. Would you say that the ecosystem being susceptible to bad actors is a result of the flaw in its design? Is there a need for governance mechanisms to punish bad actors?

I wonder if smart contracts could be created to enable the closing of the accounts of notorious actors.

There is a popular Nigerian saying that goes like this, “Prevention is better than cure”. Hence, I will read the study to identify patterns of security issues in the NFT Ecosystem and try to avoid being a victim.

3 Likes

How many of these issues would apply for a blockchain like Chia, which has offers, essentially smart contracts that automatically connect a buyer to a seller (so long as they meet the agreed-on price)? It seems like a direct connection between buyer and seller might mitigate many of the trading risks.

3 Likes

Thank you so much @Austin_jul You raise valid questions. To answer your initial question, No… the ecosystems are not necessarily susceptible to bad actors as a result of a flaw in the design. As with the introduction of any new tech, bad actors generally have leeway to take advantage of users due to the initial lack of initial regulation and efficient governance structures. Despite existing regulations bad actors still ravage several tech ecosystems, and so without laws/governance what we are beholding now is the usurping of the gap created. Consequently, the creation of governance mechanisms is pertinent. With regards to Smart Contracts (SCs), I believe they will become more sophisticated as time goes on; especially with cohesion with artificial intelligence patterns and practices. At that point SCs could be able to identify and shut down a percentage of identifiable notorious actors.

Thank you, and Yes! I concur with the Nigerian saying. As many Nigerians will say, it is ‘very necessary’.

3 Likes

@jmcgirk Such automatic connections would likely mitigate trading risks as it would evidently cut out many of the manual manipulative processes. I believe that as smart contracts become smarter we will see a rebirth of them in a new sophisticated way. The convergence of smart contracts with AI and machine learning will be able to connect transactions in new ways including detection and consolidation of transactions automatically. The issue then will be to ensure automatic governance mechanism are ahead of machinations of bad actors.

2 Likes