TLDR
- The study investigated security in the NFT marketplaces and the broader NFT ecosystem through comparative, in-depth analysis of top NFT marketplaces.
- Thirteen critical security, privacy, and usability issues were discovered.
- These issues include counterfeiting, lack of seller/buyer verification, and a lack of transparency among many others.
Core Research Question
What are general security, privacy, and usability issues within the NFT ecosystem, and how do they affect the industry?
Citation
Das, D., Bose, P., Ruaro, N., Kruegel, C., & Vigna, G. (2021). Understanding Security Issues in the NFT Ecosystem. arXiv preprint arXiv:2111.08893. Available at: https://arxiv.org/abs/2111.08893v1
Background
- Non-Fungible Tokens (NFTs): Unique, non-interchangeable digital assets on blockchains. NFTs have various use-cases. Typically they represent assets such as art, collectibles, land, and others.
- Fungible Tokens: Digital assets that can be easily interchanged. These include digital currencies like Bitcoin, and fiat currencies like US dollar banknotes.
- Executing an NFT: Completing a sale, i.e. transferring the NFT from the seller to the buyer in exchange for payment.
- Smart Contracts: Programs deployed on a blockchain that run "if ... then" logic automatically when called; for example, the contracts through which NFTs are listed, bought, and sold.
- Decentralized applications (DApps): Blockchain program(s) designed for the end user primarily on the Ethereum blockchain, or any other network capable of launching Turing-complete programs.
- Decentralized autonomous organizations (DAO): A group or community registered on a blockchain, bound by an agreement to be guided by rules encoded into a smart contract.
- The Ethereum blockchain: A blockchain network that is Turing-complete, allowing for the creation of smart contracts and DApps.
- ERC-20: The Ethereum standard interface for fungible tokens, which allows such tokens to be created and exchanged.
- ERC-721: The first accepted Ethereum standard for NFTs, defining the interface for creating and exchanging tokens that are unique and non-interchangeable.
- Off-Chain storage: Keeping an NFT's asset data (image, metadata) outside the blockchain, usually on a centralized server or on IPFS; the chain holds only a reference to it.
- On-Chain storage: Keeping an NFT's asset data on the blockchain itself (within the storage capabilities of that network).
- Decentralized Finance (DeFi): A distributed and decentralized equivalent of the traditional finance system consisting of trading, lending, payments, and other financial services existing on a blockchain network.
- Non-Fungible Token Marketplaces (NFTMs): Digital platforms designed to create, buy, and sell NFTs through digital transactions. The transactions are made by the buyer with virtual currencies; thereafter authenticated by the NFTMs; and then completed via smart contracts.
- InterPlanetary File System (IPFS): A permission-less, distributed, and decentralized file system for storing and retrieving documents, images, websites, links, and other data. It lives "off-chain", but content is addressed by a hash of its data (a content identifier, CID), so a CID recorded on-chain is an immutable, permanent reference to that content, which stays retrievable as long as some node keeps a copy.
- Hardware Wallets (HW): A dedicated device that holds the private keys controlling a user's on-chain assets and signs transactions without exposing those keys to the host computer. Ledger and Trezor are common examples.
- Software Wallets (SW): A program on a general-purpose device such as a computer or mobile phone that holds the private keys in software. SWs are easier to use than HWs, but the keys are exposed to whatever else runs on the device, so they are less secure. MetaMask is an example of an SW.
- Two-Factor Authentication (2FA): Protecting an account or transaction by requiring a second proof of identity beyond the password, such as a device-bound certificate or a one-time password (OTP).
- Know Your Customer (KYC): The process and the policies used to identify and verify customers to prevent fraud or fraudulent activities.
- Anti-Money Laundering or Combating the Financing of Terrorism (AML/CFT): Sustaining the integrity and stability of the international financial system through specific processes designed to prevent money laundering and funding of terrorism such as KYC.
- Minting: Creating a new token on a blockchain that represents a file or other asset. The token records a reference to the asset (usually its metadata URL); the file itself is not necessarily stored on-chain.
- Levenshtein Distance: Also known as "edit distance", a string metric giving the minimum number of single-character insertions, deletions, and substitutions needed to turn one string into another.
- Wash trading: Falsifying market activity. This is usually illegal and is achieved by a single party, or colluding parties, repeatedly buying and selling (in this case) NFTs among themselves to create the perception of high sales volume and demand.
- Shill bidding: Influencing the bidding process of an NFT by creating a different account solely for the purpose of submitting inflated bids to influence and spur other buyers to bid higher.
- Bid shielding: Submitting an artificially high bid so that an NFT looks unattractive to other bidders, then withdrawing the bid so that a fellow colluder can win the NFT at a lower price in a later auction.
- Broken chains: NFTs whose metadata or image URL points at a specific IPFS gateway (or another single host); when that gateway becomes unavailable the link breaks, even if the content itself still exists on IPFS.
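The IPFS and broken-chain entries above describe a concrete failure mode: a token's metadata URL or image link can be embedded on-chain, content-addressed (it survives any single gateway), bound to one gateway host, or served by a centralized operator. The Python below is an added example, not code from the paper or from any marketplace; it classifies token URIs by that failure mode and rewrites gateway URLs into the canonical ipfs://CID form that a marketplace can re-resolve through any gateway. The CID patterns are a heuristic rather than a full multiformats decoder, the function names are my own, and the sample URIs are constructed (the ipfs.io and pinata hosts are used only as representative gateways; the .test hosts are placeholders).

```python
import base64
import json
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote, urlparse

# Heuristic CID patterns (an assumption, not a full multiformats decoder): CIDv0 is
# 46 base58 characters starting "Qm"; CIDv1 is matched only in its usual base32 form,
# which starts with "b".
CID_RE = re.compile(r"Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{50,}")


@dataclass
class LinkReport:
    uri: str
    kind: str                        # on-chain | content-addressed | gateway-bound | centralized | invalid
    cid: Optional[str] = None        # CID when the link is IPFS-backed in any form
    canonical: Optional[str] = None  # ipfs://CID/path form that outlives any single gateway


def classify_token_uri(uri: str) -> LinkReport:
    """Classify a tokenURI or metadata 'image' link by how it can break."""
    if not uri:
        return LinkReport(uri, "invalid")
    parsed = urlparse(uri)
    scheme = parsed.scheme.lower()

    if scheme == "data":
        return LinkReport(uri, "on-chain")  # metadata lives in the chain state itself

    if scheme == "ipfs":
        # ipfs://<cid>/<path>: urlparse puts the CID in netloc. The legacy form
        # ipfs://ipfs/<cid>/<path> puts it at the start of the path instead.
        head, path = parsed.netloc, parsed.path
        if head == "ipfs":
            head, _, tail = path.lstrip("/").partition("/")
            path = "/" + tail if tail else ""
        if CID_RE.fullmatch(head):
            return LinkReport(uri, "content-addressed", head, f"ipfs://{head}{path}")
        return LinkReport(uri, "invalid")

    if scheme in ("http", "https"):
        m = re.match(r"^.*?/ipfs/([^/?#]+)(.*)$", parsed.path)
        if m and CID_RE.fullmatch(m.group(1)):
            cid, rest = m.group(1), m.group(2)
            # The data is content-addressed, but this URL dies with the gateway host.
            return LinkReport(uri, "gateway-bound", cid, f"ipfs://{cid}{rest}")
        return LinkReport(uri, "centralized")  # one operator controls the content

    return LinkReport(uri, "invalid")


def decode_data_uri(uri: str) -> dict:
    """Parse an on-chain data: URI carrying JSON metadata (base64 or percent-encoded)."""
    header, _, payload = uri[len("data:"):].partition(",")
    raw = base64.b64decode(payload) if header.endswith(";base64") else unquote(payload).encode()
    return json.loads(raw)


def audit_metadata(meta: dict) -> list:
    """Problems a marketplace should surface before rendering this token's metadata."""
    image = meta.get("image")
    if not isinstance(image, str) or not image:
        return ["missing image field"]
    rep = classify_token_uri(image)
    if rep.kind in ("invalid", "centralized"):
        return [f"image link is {rep.kind}: {image}"]
    if rep.kind == "gateway-bound":
        return [f"image pinned to one gateway; canonical form {rep.canonical}"]
    return []


def audit_token_uris(uris) -> list:
    """Kind of each tokenURI, in order, for a quick census of a collection."""
    return [classify_token_uri(u).kind for u in uris]


# Constructed sample tokenURIs; the hosts under .test are placeholders, not real services.
SAMPLE_TOKEN_URIS = [
    "ipfs://QmT5NvUtoM5nWFfrQdVrFtvGfKFmG7AHE8P34isapyhCxX/1.json",
    "https://ipfs.io/ipfs/QmT5NvUtoM5nWFfrQdVrFtvGfKFmG7AHE8P34isapyhCxX/1.json",
    "https://gateway.pinata.cloud/ipfs/bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi",
    "https://api.example-marketplace.test/metadata/1",
    "data:application/json;base64," + base64.b64encode(
        b'{"name": "Token 1", "image": "https://cdn.example-marketplace.test/1.png"}').decode(),
    "",
]

if __name__ == "__main__":
    for uri in SAMPLE_TOKEN_URIS:
        print(classify_token_uri(uri))
```

The point of the canonical form is that a marketplace storing `ipfs://CID/path` can fetch through whichever gateway is alive today, whereas a stored `https://<gateway>/ipfs/CID/path` becomes a broken chain the day that host disappears, even though the content is still pinned somewhere.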
Summary
- The study provides a systematic overview of the NFT ecosystem, identifying the emergence of NFTs, their protocols, and prominent actors. It covers privacy, security and usability issues in NFT ecosystems.
- The multi-billion dollar ecosystem for the purchase and sale of NFTs has garnered attention not only from art collectors and gamers, but also from bad actors seeking to exploit security vulnerabilities.
- The study identifies 8 prominent NFTMs: OpenSea, Rarible, Nifty Gateway, Axie, CryptoPunks, Sorare, SuperRare, and Foundation.
- They find that security, privacy, and usability issues are prevalent across the ecosystem.
- The study focuses on the 3 most prominent NFTMs, OpenSea, Rarible, and Sorare.
- First, they identify 13 security, privacy, and usability issues in the NFTMs (5 of which the study states were previously unknown). They also discover irregularities in NFTM implementations, revealing 5 security bugs in the three largest NFTMs: OpenSea, Rarible, and Sorare.
- These bugs lie in the two kinds of smart contracts an NFTM deploys: marketplace contracts and token contracts.
- Marketplace contracts are the interface between the user and the blockchain (listing, bidding, and settlement), while token contracts implement the NFTs themselves (typically following ERC-721).
- The study also identifies and highlights ways in which external entities, outside the NFTMs and their users, can pose a threat to NFTM users.
- Finally, the study explains and measures malicious user behaviors such as wash trading, shill bidding, and bid shielding.
Method
- The study segments the NFT ecosystem into prominent actors: NFTMs, external entities, and users.
- The analysis of NFTMs consisted of a qualitative and quantitative study collecting 3 types of data across the NFT ecosystem (metadata of NFTs, NFT-related events, and Discord chat messages in corresponding channels) between June 15, 2021, and August 15, 2021.
- The NFTMs were listed and data retrieved through API access, web scraping, and blockchain parsing, within each marketplace's access restrictions. The analysis included inspection of Discord servers using specific keywords; a total of 31,000 messages were inspected across 9 channels. Information gathering for the security issues also drew on these Discord investigations, manual review of the NFTMs, previous public security incidents reported in blogs and technical reports, and official NFTM documentation.
- Identification of issues with external entities involved a comparative analysis of the NFTM platforms. The comparison was essential to discover how many NFTs had a broken link between their metadata URL and the metadata record it should return (the record that, among other fields, holds the NFT's image URL). Only one third of the more than 12 million digital assets on OpenSea had valid metadata.
- A measurement study was employed to identify fraudulent user behaviors in NFT transactions. To detect counterfeit NFTs, the authors compared collection names, images, and URLs: name similarity was measured with the Levenshtein distance (a shorter distance indicating a closer match), and images were compared with a perceptual image-hashing tool, which maps visually similar images to similar hashes and so exposes copies.
- Heuristics applied to the collected data revealed trading malpractice such as wash trading, shill bidding, and bid shielding. The heuristics were run over 13,556,332 assets and 353,629,018 events, organised into four graphs (a sales graph, a bidding graph, a payment graph, and an asset transfer graph) whose edges connect the wallets involved and reveal the paths that malpractice leaves.
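The counterfeit-detection step above combines two measurements, an edit distance over collection names (defined under Levenshtein Distance in the Background) and a perceptual hash over images. The Python below is an added example, not the authors' tooling: it implements Levenshtein distance from scratch and a difference hash (dHash) as one concrete perceptual hash, then flags candidates whose name or image is too close to an original. The 16x16 grayscale "artworks", the collection names, and the distance thresholds are all constructed assumptions chosen to show a typo-squatted copy, a same-name different-art collection, and a re-used image under an unrelated name.

```python
import re


def normalize_name(name: str) -> str:
    """Lower-case and strip punctuation/whitespace so 'Bored Ape Yacht Club' and
    'bored-ape-yacht-club' compare equal before measuring edit distance."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum single-character insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute (free if equal)
        prev = cur
    return prev[-1]


def resize_nearest(pixels, width, height):
    """Nearest-neighbour downscale of a grayscale image given as rows of 0-255 ints."""
    src_h, src_w = len(pixels), len(pixels[0])
    return [[pixels[y * src_h // height][x * src_w // width] for x in range(width)]
            for y in range(height)]


def dhash(pixels, hash_size=8) -> int:
    """Difference hash: downscale to (hash_size+1) x hash_size and record, per row,
    whether each pixel is darker than its right-hand neighbour. Re-encoding, small
    brightness shifts and light noise leave the bits unchanged; different art does not."""
    small = resize_nearest(pixels, hash_size + 1, hash_size)
    bits = 0
    for row in small:
        for x in range(hash_size):
            bits = (bits << 1) | int(row[x] < row[x + 1])
    return bits


def hamming(h1: int, h2: int) -> int:
    """Number of differing bits between two hashes."""
    return bin(h1 ^ h2).count("1")


def find_counterfeits(original, candidates, max_name_distance=3, max_hash_distance=10):
    """Candidates whose name is within max_name_distance edits of the original's, or whose
    image hash is within max_hash_distance bits of it (both thresholds are assumptions)."""
    ref_name, ref_hash = normalize_name(original["name"]), dhash(original["image"])
    flagged = []
    for c in candidates:
        nd = levenshtein(ref_name, normalize_name(c["name"]))
        hd = hamming(ref_hash, dhash(c["image"]))
        reasons = []
        if nd <= max_name_distance:
            reasons.append("name")
        if hd <= max_hash_distance:
            reasons.append("image")
        if reasons:
            flagged.append({"name": c["name"], "name_distance": nd,
                            "hash_distance": hd, "reasons": reasons})
    return flagged


# Constructed 16x16 grayscale "artwork" and two derivatives (sample data, not real NFTs).
def _pixel(x, y):
    return x * 12 + y * 2 + ((x * y) % 5) * 10   # stays below 255


IMG_ORIGINAL = [[_pixel(x, y) for x in range(16)] for y in range(16)]
# Re-saved copy: +5 brightness plus 0/1 noise, as a lossy re-encode would introduce.
IMG_RE_ENCODED = [[min(255, _pixel(x, y) + 5 + (x * 7 + y * 5) % 2) for x in range(16)]
                  for y in range(16)]
IMG_INVERTED = [[255 - _pixel(x, y) for x in range(16)] for y in range(16)]

ORIGINAL = {"name": "Bored Ape Yacht Club", "image": IMG_ORIGINAL}
CANDIDATES = [
    {"name": "Bored Ape Yatch Club", "image": IMG_RE_ENCODED},  # typo-squat with re-saved image
    {"name": "Bored Ape Yacht Club", "image": IMG_INVERTED},    # same name, different artwork
    {"name": "Pixel Penguins", "image": IMG_RE_ENCODED},        # same image, unrelated name
]

if __name__ == "__main__":
    for hit in find_counterfeits(ORIGINAL, CANDIDATES):
        print(hit)
```

Flagging on either signal, rather than requiring both, is deliberate: a name clash with different art and an image clone under a new name are both ways to trade on an original's reputation, and a reviewer wants to see which signal fired.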
Results
- The study identified 13 issues as security, privacy, and usability concerns in the NFTMs.
- The study identifies 5 security bugs in 3 of the largest NFTMs (OpenSea, Rarible, and Sorare), three of which the affected marketplaces had acknowledged and remedied. Details of the remedied bugs remain undisclosed because of non-disclosure agreements signed by the authors.
- The analysis of images and metadata reveals that many older tokens are invalid and no longer resolve to an image; consequently, a high number of NFTs have broken chains. This conclusion was reached after reviewing 12,215,650 assets from OpenSea, of which only 4,393,566 returned a valid metadata URL.
- The findings reveal that 98.14% of the wash-trade transactions detected point to Rarible, which the authors attribute to malicious users attempting to capture the platform's $RARI tokens, which Rarible distributed to active traders. OpenSea accounted for 1.71% of the detected wash trades, with Sorare making up the remainder. OpenSea and Sorare showed 3,395 instances of shill bidding, while 492 instances of bid shielding involved 745 users across 113 collections on OpenSea (OpenSea and Sorare being the only platforms with evidence of these behaviors).
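The wash-trading, shill-bidding and bid-shielding counts above come from heuristics run over the sales, bidding, payment and asset-transfer graphs described in the Method. The Python below is an added example, not the authors' code, showing one simplified version of each heuristic on constructed events: a wash trade as a token whose ownership path returns to an earlier owner, a shill bid as a losing bid from a wallet the seller has paid, and bid shielding as a cancelled top bid followed by a much lower winning bid from a linked wallet. The event records, wallet names, the "linked by a direct payment" rule and the 50% drop ratio are all assumptions of this example, not the paper's exact criteria.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sale:       # edge in the sales / asset-transfer graph
    token: str
    seller: str
    buyer: str
    price: float


@dataclass(frozen=True)
class Bid:        # edge in the bidding graph; status is the bid's final outcome
    auction: str
    token: str
    seller: str
    bidder: str
    amount: float
    status: str   # "won" | "outbid" | "cancelled"


@dataclass(frozen=True)
class Payment:    # edge in the payment graph: a plain currency transfer between wallets
    sender: str
    receiver: str
    amount: float


def payment_links(payments):
    """Wallets that have paid each other directly, as an undirected adjacency map."""
    links = defaultdict(set)
    for p in payments:
        links[p.sender].add(p.receiver)
        links[p.receiver].add(p.sender)
    return links


def linked(links, a, b):
    """Same wallet, or two wallets joined by a direct payment (assumed collusion signal)."""
    return a == b or b in links[a]


def find_wash_trades(sales):
    """Tokens whose ownership path returns to an earlier owner: a cycle in the
    asset-transfer graph, so the 'sales' never changed who really holds the token."""
    edges = defaultdict(list)
    for s in sales:
        edges[s.token].append((s.seller, s.buyer))
    flagged = {}
    for token, path in edges.items():
        owners = [path[0][0]] + [buyer for _, buyer in path]
        seen = set()
        for owner in owners:
            if owner in seen:
                flagged[token] = owners
                break
            seen.add(owner)
    return flagged


def find_shill_bids(bids, links):
    """Losing bids placed by the seller or by a wallet the seller has paid directly:
    bids whose purpose is to push the price up, not to buy."""
    return [b for b in bids if b.status != "won" and linked(links, b.seller, b.bidder)]


def find_bid_shielding(bids, links, drop_ratio=0.5):
    """Auctions where the top bid was cancelled and the winning bid is at most
    drop_ratio of it, with the canceller and the winner linked by a payment."""
    by_auction = defaultdict(list)
    for b in bids:
        by_auction[b.auction].append(b)
    found = []
    for auction, abids in sorted(by_auction.items()):
        won = [b for b in abids if b.status == "won"]
        cancelled = [b for b in abids if b.status == "cancelled"]
        if not won or not cancelled:
            continue
        winner, shield = won[0], max(cancelled, key=lambda b: b.amount)
        if winner.amount <= shield.amount * drop_ratio and linked(links, shield.bidder, winner.bidder):
            found.append((auction, shield.bidder, shield.amount, winner.bidder, winner.amount))
    return found


# Constructed sample events (not real marketplace data).
SALES = [
    Sale("T1", "alice", "bob", 1.0), Sale("T1", "bob", "carol", 1.2), Sale("T1", "carol", "alice", 1.5),
    Sale("T2", "dave", "erin", 0.5),
]
PAYMENTS = [Payment("alice", "mallory", 2.0), Payment("frank", "grace", 0.3)]
BIDS = [
    Bid("A1", "T3", "alice", "mallory", 3.0, "outbid"), Bid("A1", "T3", "alice", "heidi", 3.5, "won"),
    Bid("A2", "T4", "dave", "frank", 10.0, "cancelled"), Bid("A2", "T4", "dave", "grace", 2.0, "won"),
    Bid("A3", "T5", "erin", "ivan", 1.0, "outbid"), Bid("A3", "T5", "erin", "judy", 1.1, "won"),
]


def analyze(sales=SALES, bids=BIDS, payments=PAYMENTS):
    """Run all three heuristics over one event set and return the findings."""
    links = payment_links(payments)
    return {
        "wash_trades": find_wash_trades(sales),
        "shill_bids": find_shill_bids(bids, links),
        "bid_shielding": find_bid_shielding(bids, links),
    }


if __name__ == "__main__":
    for kind, hits in analyze().items():
        print(kind, hits)
```

On real data the payment graph is what makes these heuristics bite: a wash cycle or a shill bid between unrelated-looking wallets only becomes suspicious once the wallets are shown to fund each other, which is why the paper builds a separate payment graph alongside the sales and bidding graphs.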
Discussion and Key Takeaways
- Importance of Industry Analysis: Analyzing issues in the ecosystem is necessary to prevent loss and maintain industry growth.
- Pertinence of Issue Resolution: The highlighted security, privacy, and usability issues of NFTMs will only continue to grow if not resolved.
- Increased Security Standard Across NFTMs: A higher security standard across NFTMs is emphasized in the study.
Implications and Follow-ups
- The study reveals several issues with the security of the transactions and exchanges taking place between creators, buyers, and sellers on NFTMs. Given the volume of transactions conducted in the NFT ecosystem, understanding these issues is a prerequisite for making it a safer industry for investment.
- There is an irony in this study: it is about making a trustless environment more trustworthy. History shows that standardization follows the growth of almost every industry, but it has moved slowly in NFTMs and in the broader blockchain industry.
- The influx of billions of dollars worth of capital and investments into the NFT system requires stringent compliance and standards, especially across platforms.
- Within the main article, the study lacks a compliance angle when it comes to offering solutions to the ecosystem's underlying issues. Even where they are not legally mandated, security, quality, and operating standards should be interoperable across platforms; there is a large gap in the ecosystem in this respect. The authors do not recommend solutions to the security and ecosystem issues they uncover.
- A further analysis of the top 15 NFT sales also reveals tax and legal issues.
- The lack of interoperability across NFTMs is highlighted and could be resolved where regulation mandates compliance with standard measures.
- Accordingly, the discoveries made are essential for corrective measures in the future, especially considering the numerous possibilities NFTs offer.
Applicability
- This comparative study can help develop patterns and metrics for the NFT ecosystem. Their examination of the NFTMs provides insight into how the ecosystem works and the underlying protocols of the markets.
- Buyers, sellers, makers, and marketplaces will benefit from paying attention to the security vulnerabilities outlined in this article, so they can develop ways to counter them and avoid financial loss.
- Data retrieval is needed to compare protocols, platforms, and marketplaces. The comparison allows metrics to be gained, stored, and used to create indices and parameters for future reference and correction.
- The taxes and regulations around NFTs are unclear. This study can be useful for regulators seeking to better understand the fraudulent behaviors and insider trading of bad actors, and the dangers to the public involved in NFT transactions.