The study investigated security in the NFT marketplaces and the broader NFT ecosystem through comparative, in-depth analysis of top NFT marketplaces.
Thirteen critical security, privacy, and usability issues were discovered.
These issues include counterfeiting, lack of seller/buyer verification, and a lack of transparency among many others.
Core Research Question
What are general security, privacy, and usability issues within the NFT ecosystem, and how do they affect the industry?
Citation
Das, D., Bose, P., Ruaro, N., Kruegel, C., & Vigna, G. (2021). Understanding Security Issues in the NFT Ecosystem. arXiv preprint arXiv:2111.08893. Available at: 2111.08893v1.pdf (arxiv.org)
Background
Non-Fungible Tokens (NFTs): Unique, non-interchangeable digital assets on blockchains. NFTs have various use-cases. Typically they represent assets such as art, collectibles, land, and others.
Fungible Tokens: Digital assets that can be easily interchanged. These include digital currencies like Bitcoin, and fiat currencies like US dollar banknotes.
Executing an NFT: The exchange of an NFT between a buyer and seller.
Smart Contracts: A program constituting âifâ and âthenâ commands executed on a blockchain, for example, the transaction framework with which NFTs are bought and sold.
Decentralized applications (DApps): Blockchain program(s) designed for the end user primarily on the Ethereum blockchain, or any other network capable of launching Turing-complete programs.
Decentralized autonomous organizations (DAO): A group or community registered on a blockchain, bound by an agreement to be guided by rules encoded into a smart contract.
The Ethereum blockchain: A blockchain network that is Turing-complete, allowing for the creation of smart contracts and DApps
ERC-20: The first standard interface launched on the Ethereum blockchain, which allows for the creation and exchange of fungible tokens.
ERC-721: The first accepted interface for the creation of NFTs on the Ethereum blockchain , that allows for the creation and exchange of tokens that are usually non-interchangeable.
Off-Chain storage: The storage of an NFT off of a blockchain network, usually on a centralized server.
On-Chain storage: The storage of an NFT on a blockchain network (within the storage capabilities of said network).
Decentralized Finance (DeFi): A distributed and decentralized equivalent of the traditional finance system consisting of trading, lending, payments, and other financial services existing on a blockchain network.
Non-Fungible Token Marketplaces (NFTMs): Digital platforms designed to create, buy, and sell NFTs through digital transactions. The transactions are made by the buyer with virtual currencies; thereafter authenticated by the NFTMs; and then completed via smart contracts.
InterPlanetary File System (IPFS): A permission-less, distributed, and decentralized file system providing storage, and access to several documents, images, websites, links, and other data. The system is available âoff-chainâ; however, it allows for immutable permanent links in the blockchain.
Hardware Wallets (HW): A device that stores digital assets like cryptocurrency, and hosts private keys permitting access to those digital assets. Common examples are the Ledger or Trezor wallets.
Software Wallets (SW): A program that holds digital assets in storage in a downloadable format on a hardware device such as a computer or mobile phone. Consequently, SWs are easier to access than HWs but not as secure. MetaMask is an example of an SW.
Two-Factor Authentication (2FA): 2FA secures transactions by forcing multi-factor identity proof and verification, usually consisting of a digital certificate security and a one-time password (OTP).
Know Your Customer (KYC): The process and the policies used to identify and verify customers to prevent fraud or fraudulent activities.
Anti-Money Laundering or Combating the Financing of Terrorism (AML/CFT): Sustaining the integrity and stability of the international financial system through specific processes designed to prevent money laundering and funding of terrorism such as KYC.
Minting: The process of converting a file into a digital asset or signature, consequently becoming part of a blockchain network.
Levenshtein Distance: Also known as âedit distance,â a string metric for measuring the distance between two sequences.
Wash trading: Falsifying market activity. This is usually illegal and achieved by buying and selling (in this case) NFTs by the NFTM to create the perception of high sales and demand.
Shill bidding: Influencing the bidding process of an NFT by creating a different account solely for the purpose of submitting inflated bids to influence and spur other buyers to bid higher.
Bid shielding: Submitting artificially high bids to make an NFT unattractive to other bidders, and subsequently withdrawing the bid so that a fellow colluder can win the NFT at a lower price in a later auction.
Broken chains: URLs that lead to IPFS gateways breaking when the gateway becomes unavailable.
Summary
The study provides a systematic overview of the NFT ecosystem, identifying the emergence of NFTs, their protocols, and prominent actors. It covers privacy, security and usability issues in NFT ecosystems.
The multi-billion dollar ecosystem for the purchase and sale of NFTs has garnered attention not only from art collectors and gamers, but also from bad actors seeking to exploit security vulnerabilities.
The study identifies 8 prominent NFTMs: Opensea, Rarible, Nifty, Axie, Cryptopunks, Sorare, SupeRare, and Foundation.
They find security issues involving privacy, usability, and security are prevalent across the ecosystem.
The study focuses on the 3 most prominent NFTMs, OpenSea, Rarible, and Sorare.
First, they identify 13 security, privacy, and usability issues in the NFTMs (5 of which the study states were previously unknown). They also discover irregularities in NFTM implementations, revealing 5 security bugs in the three largest NFTMs: OpenSea, Rarible, and Sorare.
These irregularities consist of two different types of NFT implementation contracts, which are: marketplace contracts and token contracts.
The marketplace contracts are an interface between the user and the blockchain, while token contracts are implemented directly.
The study also included the discovery and highlight of ways external entities could pose a threat to NTFM users.
Finally, the study explains and measures malicious user behaviors such as wash trading, shill bidding, and bid shielding.
Method
The study segments the NFT ecosystem into prominent actors: NFTMs, external entities, and users.
The analysis of NFTMs consisted of a qualitative and quantitative study collecting 3 types of data across the NFT ecosystem (metadata of NFTs, NFT-related events, and Discord chat messages in corresponding channels) between June 15, 2021, and August 15, 2021.
The NFTMs were listed and data retrieved through API access, web scraping, and blockchain parsing while ensuring compliance with market restrictions. The analysis included inspection of Discord servers using specific keywords. A total of 31,000 messages were inspected across 9 channels. Information gathering for the security issues also included Discord investigations, reviewing NFTMs, reviewing previous public security incidents from news sources like blogs and technical reports, and other official NFTM documentation.
Identification of issues with external entities involved a comparative analysis of NFTM platforms. The comparative analysis was essential to discover how many NFTs had broken links between their metadata URL and the metadata record (which comprises the image URL of the NFT). Only one third of the more than 12 million digital assets on OpenSea had valid metadata.
A measurement study was employed to identify fraudulent user behaviors in NFT transactions. The process to decipher counterfeit NFT creation involved identifying the collections, images, and URLs and conducting computational analysis by measuring the Levenshtein distance (with a shorter distance indicating more significant similarity and a longer distance less similarity). The final stage required a perceptual algorithm and image hashing tool to compare images and detect similar and counterfeit images.
Heuristic data modeling revealed trading malpractice such as wash trading, shill bidding, and bid shielding. The model applied to 13,556,332 assets and 353,629,018 events, creating four graphs: a sales graph, a bidding graph, a payment graph, and an asset transfer graph, connecting and revealing relationships and malpractice paths.
Results
The study identified 13 issues as security, privacy, and usability concerns in the NFTMs.
The study identifies 5 security bugs in 3 of the largest NFTMs (OpenSea, Rarible, and Sorare), three of which the identified parties had identified and remedied. The remedied security bugs remain undisclosed due to non-disclosure agreements signed by the authors.
The analysis of images and metadata reveals that many old tokens are invalid and do not contain images; consequently, a high number of NFTs have broken chains. This conclusion was reached after reviewing 12,215,650 assets from OpenSea, which returned only 4,393,566 assets with a valid metadata URL.
The findings reveal that 98.14% of wash-trade transactions reported point to Rarible, which the authors attribute to malicious users attempting to capture the platformâs $RARI tokens. OpenSea represented 1.71% of its transactions, with Sorare making up the rest of the total. OpenSea and Sorare showed 3,395 instances of shill bidding, while 492 instances of bid shielding involved 745 users across 113 collections on OpenSea (OpenSea and Sorare being the only evidenced platforms).
Discussion and Key Takeaways
Importance of Industry Analysis: Analyzing issues in the ecosystem is necessary to prevent loss and maintain industry growth.
Pertinence of Issue Resolution: The highlighted security, privacy, and usability issues of NTFMs will only continue to grow if not resolved.
Increased Security Standard Across NFTMs: A higher security standard across NFTMs is emphasized in the study.
Implications and Follow-ups
The study reveals several issues about the security of transactions and exchanges taking place between creators, buyers, and sellers on NFTMs. Considering the volume of transactions conducted in the NFT ecosystem, understanding security issues will make the ecosystem a safer and more environmentally friendly industry for investment.
The notion of making a trustless environment more trustworthy is ironic in this study. History has shown that standardization follows the growth of almost every industry but has moved slowly in NFTMs and the broader blockchain industry.
The influx of billions of dollars worth of capital and investments into the NFT system requires stringent compliance and standards, especially across platforms.
The study is missing a compliance angle to proffering a solution to the underlying issues of the ecosystem within the main article. Where not entirely legal, security compliance and quality or operating standards should be interoperable within platforms. There is a massive gap in the ecosystem regarding this. The authors did not recommend solutions to the security and ecosystem issues uncovered.
A further analysis of the top 15 NFT sales also reveals tax and legal issues.
The lack of interoperability across NFTMs is highlighted and can resolve where regulation mandates compliance with standard measures.
Accordingly, the discoveries made are essential for corrective measures in the future, especially considering the numerous possibilities NFTs offer.
Applicability
This comparative study can help develop patterns and metrics for the NFT ecosystem. Their examination of the NFTMs provides insight into how the ecosystem works and the underlying protocols of the markets.
Buyers, sellers, makers, and marketplaces will benefit from paying attention to the security vulnerabilities outlined in this article, so they can develop ways to counter them and avoid financial loss.
Data retrieval is needed to compare protocols, platforms, and marketplaces. The comparison allows metrics to be gained, stored, and used to create indices and parameters for future reference and correction.
The taxes and regulations around NFTs are unclear. This study can be useful for regulators seeking to better understand the fraudulent behaviors and insider trading of bad actors, and the dangers to the public involved in NFT transactions.
@LTTOguns Congratulations on this very timely research summary. I enjoyed reading it, but it also brought up a question thatâs been on my mind for awhile.
You clearly state that âsecurity issues involving privacy, usability, and security are prevalent across the [NFT] ecosystem.â And yet we also learn that the top three NFTMs had a trading volume in excess of $10B USD in the month of September 2021 alone.
How do you account for the willingness of investors to accept insecure systems and fraudulent behavior? Is it simply greed and FOMO ratcheted up by NFTM marketing, or are there other issues in the ecosystem itself? Do we need governmental regulation and oversight to prevent people from literally being robbed by high-tech charlatans?
I agree with Ralph, this was a great read and for me an important introduction to the NFT communityâs issues with security. It seems like the wash trading they identified was primarily a means for generating tokens from the NTFMs, was there a sense of how much of a problem wash trading is for pricing? Iâm not sure Iâm wording that correctly, Iâm curious about how inflated NFT prices are. Reading this, it doesnât seem as crooked as I might have thought although they did look only seem to look at âblue chipâ NFTs, in so much as there is such a thing, which might have a little more scrutiny on them as a category. I wonder how much of a problem wash trading and pumping and dumping is for NFTs from less reputable communities.
@rlombreglia Thank you so much for your question. The introduction of Bitcoin back in 2008 was beleaguered with major controversy (even till this day). Early adopters of Bitcoin and the underlying technology, like other advancements, have always initially appealed to the illegal community with the likes of Silk Road and the other drug users and activities happening through the dark web[i]. Despite the controversy and challenges, Bitcoin beat all the odds, becoming a high-value digital asset, creating sudden millionaires, consequently creating a crypto mad rush due to FOMO - the fear of missing out on the next big thing. Therefore, the high trading volumes are a direct consequence of this FOMO, notwithstanding the prevalent issues. I do not believe this indicates investors accepting insecure systems and fraudulent behavior. Instead, I think such investors hope governance and regulation will catch up to the process; they invest early, hold, and hope to get significant ROI on their initial investments in this âeconomic driveâ cycle.
Thank you so much @jmcgirk you raise an important limitation of the research paper. In their revision, the authors recently included the minting, listing, and trading of tokens, including other malpractices such as counterfeiting of NFTs. Another study conducted around the same period indicated that wash trading could be less prominent than initially estimated. However, we do recognize the enormity of these issues.
Wash trading and âpumping and dumpingâ of NFTs could be a significant issue on less prominent communities NFTMs. The authors, as you mentioned, focused primarily on the Top 3 NFTMs given community attraction and high sales on such platforms. Wash trading, for instance, would typically occur between colluding agents to inflate apparent price/volume[i]. Investigating the NFTMs with the highest volumes could consequently be indicative. A deeper analysis of related NFT wash trades in less prominent communities would be enlightening.
Thank you for this fantastic summary! Considering the inherent risks that come with arbitrage, did the study point at any successful regulatory sandboxes or experiments that would be useful as examples in how to approach attempting to regulate (or not to regulate) the risk?
With all that said, I am not advocating for âregulationâ as a panacea for reducing market risk; on the other hand there does seem to be a benefit to creating more welcoming market conditions when there is clear legislation and regulation within a given market. Considering all of the legal issues that have already surfaced with the NFT market with a lack of clarity on how much responsibility an NFT issuing platform has in ensuring no copyrights are being infringed; did the authors make not of the potential for some type of âscam fatigueâ to emerge in which a lack of regulation within the market creates conditions in which market abuses kill the inertia in the market?
Considering the available data suggests that interest in NFTs is waning, does the author give any indication as to how regulation could possibly help or hurt interest in NFTs?
@Larry_Bates Thank you so much for your insightful contribution and sharing of your previous projects to shed more light on the summary. Your highlight of a limitation of this paper is also refreshing. The authors, unfortunately, did not recommend any successful regulatory sandboxes or experiments to mitigate the security risks despite the discoveries made or their in-depth perspective of the NFT ecosystem. However, this can be juxtaposed with the restriction encountered by the non-disclosure agreement signed by the authors vis-Ă -vis potential solutions employed by certain NFTMs. The entire examination of the NFTMs, external entities, and users inadvertently invites the discussion around standardization and regulation (holding all parties responsible for their actions).
The NFT system, like all other decentralized systems, revolves around decentralization. The interference of a central system or method consequently defeats the whole concept. When individuals or parties conversely encounter the security, privacy, or technical issues accompanying the decentralized system, appeal then builds for regulation to mitigate risk. The crux of the matter then becomes how to resolve such issues in a decentralized manner. Meanwhile, the abuses could gravely affect the ecosystem, but we hope that with more research and development, clarity will begin to unfold for all stakeholders.
âThe NFT system, like all other decentralized systems, revolves around decentralization. The interference of a central system or method consequently defeats the whole concept.â
I think this statement is internally consistent. The issue becomes, the statement presumes an âall or nothingâ state concerning decentralization; which is only necessary when a specific type of decentralization is not alluded to. One of the running conversations on the forum is âwhat types of decentralization can occurâ?
In this context, with the understanding that NFTs seem to be unable to cross the mainstream adoption threshold without some sort of regulatory clarity which area do you think would be most pragmatic for decentralization?
The contracts? The network security layer? The application layer? The regulatory oversight?
It doesnât seem feasible to try to decentralize every single aspect of a system (unless I am missing something).
This is a brilliant summary. Well done @LTTOguns. I now understand terms like wash trading, shill bidding, et cetera.
There is a lot of practical use cases of NFT, especially as a bridge between developing economies and developed economies. It is thus quite sad that the NFTs ecosystem is now attracting bad actors. Would you say that the ecosystem being susceptible to bad actors is a result of the flaw in its design? Is there a need for governance mechanisms to punish bad actors?
I wonder if smart contracts could be created to enable the closing of the accounts of notorious actors.
There is a popular Nigerian saying that goes like this, âPrevention is better than cureâ. Hence, I will read the study to identify patterns of security issues in the NFT Ecosystem and try to avoid being a victim.
How many of these issues would apply for a blockchain like Chia, which has offers, essentially smart contracts that automatically connect a buyer to a seller (so long as they meet the agreed-on price)? It seems like a direct connection between buyer and seller might mitigate many of the trading risks.
Thank you so much @Austin_jul You raise valid questions. To answer your initial question, No⌠the ecosystems are not necessarily susceptible to bad actors as a result of a flaw in the design. As with the introduction of any new tech, bad actors generally have leeway to take advantage of users due to the initial lack of initial regulation and efficient governance structures. Despite existing regulations bad actors still ravage several tech ecosystems, and so without laws/governance what we are beholding now is the usurping of the gap created. Consequently, the creation of governance mechanisms is pertinent. With regards to Smart Contracts (SCs), I believe they will become more sophisticated as time goes on; especially with cohesion with artificial intelligence patterns and practices. At that point SCs could be able to identify and shut down a percentage of identifiable notorious actors.
Thank you, and Yes! I concur with the Nigerian saying. As many Nigerians will say, it is âvery necessaryâ.
@jmcgirk Such automatic connections would likely mitigate trading risks as it would evidently cut out many of the manual manipulative processes. I believe that as smart contracts become smarter we will see a rebirth of them in a new sophisticated way. The convergence of smart contracts with AI and machine learning will be able to connect transactions in new ways including detection and consolidation of transactions automatically. The issue then will be to ensure automatic governance mechanism are ahead of machinations of bad actors.
Iâm particularly interested in the decentralization aspect of the NFT ecosystem. It is sad but true that NFT marketplaces are not fully decentralized, therefore giving marketplace custodians an edge to things like wash trading, front running, etc.
Even though one can argue that NFTs are implemented on public blockchains and that the tokens are stored on chain, the files and documents associated with these tokens are stored off chain in centralized databases. These databases are a single point of failure amongst several other things that could go wrong.
It is alarming that these security issues are numerous and multiply everyday. It is possible to mitigate some of these issues by implementing fully decentralized NFT marketplaces. Most of the NFT marketplaces present are not fully decentralized. A research into how NFT marketplaces store data by Jonty reveals and confirms that Beepleâs âEveryday: the First 5000 Daysâ is stored in a centralized database.
Thank you @Ulysses the single point of failure of centralized storage systems is actually quite rampant and notorious. The light weightinessâ necessity for decentralized storage systems continually fuels the need for off-chain storage. The ongoing innovations within the ecosystem will reveal sustainable solutions over time. Quite interesting to follow as you stated.
@LTTOguns , the summary was really expository and informing especially on issues concerning NFT and the NFT marketplace.
There have also been several severe security incidents as a result of the non-fungible token (NFT) surge. For instance, in March 2021 there were over 300% more domain registrations with the names of NFT retailers that had a questionable appearance. You need to have an active cryptocurrency wallet in order to participate in an NFT marketplace.
Because attackers can access your crypto wallet through your marketplace account, this exposes NFT holders to new vulnerabilities.
It is already believed that threat actors have even gained access to the OpenSea Discord server, an NFT marketplace, by impersonating support personnel and tricking targets into revealing account access.
Some attempt to trick NFT holders into transferring money or divulging passwords by using traditional phishing techniques.
I believe that the The NFT industry is still in its infancy, and as a result, both the opportunities and the risks are expanding.
It is beneficial that NFT participants stay informed about security issues if they invest in NFT.
The NFT market is reportedly still in its infancy, but demand growth will ensure its expansion.
The future of NFTs is looking more promising as time goes on, but so are the growing security worries.
From experience, by frequently updating to the most recent version of the software available for your device, you can make sure the NFT software functions without any issues. After the new update, it will fix the faults in the driver software, this will in turn reduce cyberthreats are the result.
For the purpose of sale an purchase of NFTs, those who are new to it as well as those who wish to participate in it should be careful to choose the appropriate wallet in order to protect their NFTS.
This is fundamentally one of the first steps towards addressing the security issue around NFTS in the market place. Looking forward to further research around this topic.
Thank you for your comment @Cashkid18 The opportunities and risks are truly expanding, hence the need for extensive research, and industry collaboration to discover and mitigate risks as well as expound the opportunities. The researchers in this paper push this further with their analysis of the top 8 Marketplaces in the NFT ecosystem, revealing underlying issues in these existing systems. The industry needs more awareness, education, and research by participants, investors, and organizations.
Thank you @Idara_Effiong. The security issues of NFTs will always be a worry. Same way traditional web1/web2 assets currently are. The key considerations should be regulatory intervention and establishment of penalties, punishment, and other deterrents. Other factors like new parties conducting their own research is of course pertinent as well.
Iâm an adherent of legal realism ⌠IMHO possession is 11/10ths of the law in cyberspace as knowledge of private keys is sufficient to make it excludable which is one of the key criteria for property.
regulatory intervention is hard because jurisdictional boundaries are blurred. SEC attempted to claim they can supervise Ethereum because the majority of validators are in US (though using the stake as security seems stretched to me as I view it more of a refundable performance bond)
how can you find, much less punish John/Jane Doe perpetrators? For high value hacks you can trace back to a non-state actor but for individuals, what are you as private netizen going to do? Put up a bounty for rubber-hose crypto-analysis
Fundamentally if the state has no coercive powers, and moral suasion may not work (see Circle mistake when CEO pleaded for traders to return their flawed contract). Here was need to resort to technical means such as contesting the rollup which gives a time window of say 10 days to examine facts and plead case
So I conjecture in absence of state powers (cough DC/EP), technical measures and perhaps new institutions may need to evolve.
