Rob Behnke
July 4th, 2022
Non-fungible tokens (NFTs) have become one of the biggest and most popular applications of the blockchain. With an NFT, it’s possible to track ownership of an asset — either digital or physical — on the blockchain.
Today, one of the most common uses of NFTs is to track ownership of digital art. However, buying, selling, and trading NFTs does come with significant security concerns.
Interacting with NFTs carries many of the same security risks as other tokens. For example, if the private key for a blockchain account holding NFTs is exposed, then the assets stored in that account may be compromised. Here are some of the biggest security risks associated with NFTs.
NFTs have value because they track ownership of a particular asset. When buying an NFT, it’s important to validate that the creator/owner of the NFT actually owns the rights to the asset.
Anyone can create an NFT. Creating an NFT just requires deploying a token contract to the blockchain, and multiple tools exist to streamline the process. In theory, the NFT creator is someone who has the right to assign ownership of the asset tracked by the NFT. In practice, fake, fraudulent, and scam NFTs are a common problem.
Validating the legitimacy of an NFT can be difficult because it requires identifying the real owner and verifying that the NFT actually tracks ownership of the asset. Since this is normally not feasible, NFT owners should do their own research and see if a project looks legit before buying. Accidentally buying a fake or scam NFT could result in losing an investment if the token’s value plummets.
The popularity and value of NFTs have made them a useful tool and target for phishing attacks. Attackers may send phishing emails, tweets, etc. claiming to be from reputable projects that offer a free NFT or warn of an issue with one owned by an individual. Clicking on the link in the message would lead to a site that steals the user’s credentials or modifies transactions to send NFTs and other tokens to the attacker.
Alternatively, a prospective buyer or seller of an NFT may insist on using a particular site for the transfer that isn’t one of the major NFT marketplaces like OpenSea. This fake NFT site may also be designed to steal from the prospective buyer/seller.
NFT phishing attacks and best practices are the same in the NFT space as other phishing attacks. Avoiding clicking on untrusted links, using non-standard NFT trading websites, or opening suspicious NFTs can help you keep your NFTs safe.
Most NFTs today are designed to track ownership of digital images. Embedded in the NFT is a URL or an IPFS hash that points to the image in question. Following that link makes it possible to view the NFT in question.
The link in an NFT may point to a phishing site, and image files can contain malicious code that can be used to steal sensitive information or otherwise harm computers that open them.
Opening a suspicious airdropped NFT may result in a loss of all your tokens and NFTs, especially if the site claims that it is necessary to connect a wallet to view the image.
NFT security largely boils down to the security of your private keys or the credentials that can be used to access those keys (such as login credentials for OpenSea). Engaging with untrusted NFTs, websites, etc. can result in keys being compromised, which would allow an attacker to drain NFTs and other tokens from your blockchain wallet.
As the number and value of NFTs continue to grow, NFT security becomes increasingly important. As always, do your own research before buying an NFT, and check out the NFT contract’s security audit if one exists.