Rob Behnke
April 24th, 2023
Non-fungible tokens (NFTs) track ownership of assets on the blockchain. Whether these are images or real-world assets, some NFTs have become extremely valuable in recent years.
However, this value also makes these NFTs a prime target for cybercriminals. These are some of the top ways in which an NFT can be hacked.
Malicious smart contracts can be used in a variety of different ways. They’re commonly used in attacks exploiting other, vulnerable contracts and may be used in scams.
NFTs can be stolen via both of these means. If an NFT is held in a wallet connected to a malicious contract, there is a chance that a malicious contract may be able to steal it. Also, malicious contracts may be used in scams to trick NFT owners into buying fake NFTs.
Phishing attacks are a common means of stealing NFTs and other crypto assets. A phishing message may be sent over Telegram, Discord, Twitter, email, or other media and contain malicious links, etc. These attacks may try to get a user to:
Visit a malicious website
Install malware
Invest in a scam
If any of these things happen, there is the chance that the attacker may be able to steal a private key (allowing them to steal your NFT) or perform a rug pull from a scam project.
On the blockchain, private keys are used to manage crypto accounts and sign transactions transferring NFTs and other tokens. If an attacker steals your private key, they can send any NFTs that you own directly to their address. For more information on how to keep your private keys safe, read this blog.
On the blockchain, unconfirmed transactions are stored in public mempools to be added to blocks. In a front-running attack, an attacker inspects these mempools and may make competing versions of a pending transaction. By paying to have their transaction processed first, they can frontrun the original owner.
Front-running attacks can impact trades of NFTs. For example, an attacker may frontrun a buy to steal a prime NFT out from under you or take some action to run up the price of a potential buy.
Every NFT has a unique ID that differentiates it from the rest. These IDs may be used when buying or selling these NFTs.
These token IDs may be spoofed by an attacker looking to trick a user into purchasing a fake NFT. The NFT may be designed to be a lookalike of a more valuable NFT with a similar ID, tricking the buyer into buying top dollar.
A blockchain reorganization (reorg) is when one or more previously-confirmed blocks are replaced by a new version under the longest chain rule. This new version may not contain the same set of transactions as the original version.
Like front-running attacks, blockchain reorganization attacks may impact NFT buys and sells. An NFT transaction previously recorded on the blockchain may be removed from it, which could cause a delay in that transaction being re-added to the ledger. Alternatively, a reorg attack could be used to enable front-running of a confirmed transaction.
A Distributed Denial of Service (DDoS) attack is designed to impede the normal operations of a system. On the blockchain, this may involve sending a large volume of spam transactions to the blockchain that take up space and delay the processing of legitimate transactions.
A DDoS attack can’t allow an attacker to steal your NFT. However, it could delay buys and sells until a point where the terms would be less favorable (or allow a frontrun of a buy).
In a man-in-the-middle (MitM) attack, an attacker intercepts communications between a user and a website. If these communications are not encrypted, this could allow the attacker to read and potentially modify that data.
If an attacker can perform a MitM attack on a trusted blockchain site, they may be able to steal a user’s private key. This key could then be used to transfer the user’s NFTs and other tokens to the attacker’s address.
Insider threats are attackers that are trusted members of an organization. Instead of being exploited by an outside attacker via some vulnerability, an organization is attacked by someone who abuses their legitimate access.
For NFTs, the insider risk is primarily that someone can access an NFT owner’s private key. If this is the case, they can steal any NFTs and other tokens held in the user’s wallets.
Supply chain attacks can refer to one of a few different threats. One is that software and systems commonly use third-party components and code that may be vulnerable or malicious. Another is that an organization’s business and trust relationships with other organizations can create vulnerabilities that an attacker can exploit.
Supply chain attacks can pose a threat to NFT owners in various ways. If they use a hardware wallet or wallet software, a supply chain attack against that system may reveal private keys. Alternatively, supply chain exploits against a trusted organization or piece of software may enable a malicious transfer of the user’s NFTs and other tokens.
Most threats to NFT security involve trickery or the theft of private keys. To protect your digital assets, do your own research and ensure that your private keys are stored securely, such as in a hardware wallet.
For more information on how to keep your NFTs safe, read our NFT Security 101 blog.