NFTs have been hyped for the past year. Not gonna lie, I don’t really understand why. I know what they are and how they work, but I don’t get why everyone is so excited about them. When I first heard about NFTs, my first thought was: “Are they secure?” The answer is always the same: “Nothing is 100% secure.” So in this post, we will discuss the security issues around NFTs.
NFT stands for Non-Fungible Token. By definition, these tokens cannot be replaced; each is unique. For the most part, they are part of the Ethereum blockchain. The token is a certificate of ownership. You can get an NFT of your favorite painting (if you have the money for it), or a token representing a football player, a meme, anything you can think of, even an emoji. What’s the kick? You’re the only one who owns it; no one else can claim it. But if you bought a meme, everyone else still has access to it and can use it. The same goes for clips of YouTube videos. Worse, what if the artist decides to sell multiple digital copies of their artwork? Your investment, which was worth X amount, could lose its monetary value. Something I found mind-blowing is Hacker Fantastic, who put up a denial-of-service zero-day exploit NFT for sale. You read that right, you can own an exploit! However, nothing stops others from finding this vulnerability and exploiting it.
Are these tokens secure, or can you still get scammed? As always, attackers are super creative and opportunistic. So yeah, you can get scammed. Does it mean you should not invest? That’s not what I’m saying. Buying NFTs is an investment like any other, so do your research before jumping in on the trend.
A very common attack is phishing to get your private key and steal your NFTs by sending them to an attacker-controlled wallet. How does it happen? There are multiple techniques. Attackers can get you to copy your key into an attacker-controlled website that looks exactly like a website you commonly use, or get you to install malware on your laptop. To keep this from happening, be careful where you input your private key. It’s private, i.e. a secret! Also, use good anti-malware and scan your devices often.
MetaMask tweeted about a phishing bot that offers support by asking you to fill in a Google form and input your secret recovery phrase. MetaMask reminded users to only get support from within the app to avoid phishing.
The applications built on or around blockchains are not always secure. You might trust the blockchain, but how do you know if you can trust the platforms built on top of it? There are many cases where users got scammed by a fake crypto app or website. Users buy stuff online all the time, and sometimes they do not receive what they bought. These scams happen very often with crypto marketplaces, where they are called exit scams: the platform gets shut down right after some users make a purchase, which they never receive.
What stops scammers from putting non-existent NFTs for sale on their marketplace and then never sending the token? Nothing.
You should also watch out for replica stores. These marketplaces look very similar to known NFT marketplaces, but you will not receive your token. The scammers will get your crypto and steal sensitive info.
Someone bought a fake Banksy NFT for 336K GBP (BBC’s article). A fake auction link was posted on the original website banksy.co.uk. He got lucky: the hacker sent back all the money except for the transaction fee of 5000 GBP. Nothing is stopping attackers from claiming an artwork as theirs and selling you a fake certificate of ownership. This certificate is of no value; it’s the same as owning a fake Louis Vuitton bag. This happened with Derek Laufman’s artworks (The Verge’s article): someone impersonated him on the website Rarible and even got themselves certified. Before the account was deleted, a user had already purchased an NFT of the artist’s work.
Lesson: be sure that the NFT you are buying is sold by the real artist, company, etc. You can do so by contacting them directly. In the case of the fake Banksy NFT, there are claims that the certified website was hacked. I do not have any recommendation for individuals in this scenario; this should have been caught before the sale happened. Unfortunately, 100% security can’t be guaranteed. However, it’s Banksy we are talking about, so it might have been another of his stunts. We’ll just have to wait and see.
Some people have seen their NFTs vanish. After logging into their account, they were greeted by a 404 message stating that the file they were trying to access could not be found. WTH! How can this happen when NFTs are recorded on the Ethereum blockchain, which is immutable and irreversible? The artwork you purchase is not actually stored on the blockchain; it’s stored somewhere else (could be anywhere). What you’re actually buying is a reference to this file. Basically, you invest in a certificate containing the URL of the artwork. A Vice article cites an interesting analogy: it compares NFT platforms to art galleries’ windows. The art gallery chooses when it wants to open or close its windows. Why would they close their windows, though? Apparently, there are a lot of copyright issues, which is not surprising since artists see their work being stolen often. There might be many other reasons too. In this case, your file still exists, but you cannot display it anymore. Worse, if the file is removed at the source, there is nothing you can do to recover it: the artwork you bought does not exist anymore.
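To check how exposed a token is to this kind of disappearance, the following added example (not from the original post) classifies both links in the chain, token to metadata and metadata to image, by how easily the file behind them can be changed or removed. The sample tokens, the `nft-market.example` host and the gateway list are constructed assumptions; the `image` field follows the ERC-721 metadata schema.

```python
import base64
import json
from urllib.parse import unquote, urlparse

# Public HTTPS gateways for IPFS content (assumed, non-exhaustive list).
IPFS_GATEWAYS = {"ipfs.io", "dweb.link"}
# Ordered from most to least durable.
DURABILITY = ["on-chain", "content-addressed", "gateway", "mutable-host", "unknown"]


def classify_uri(uri):
    """Return how durable the content behind an NFT reference is."""
    parsed = urlparse(uri)
    scheme = parsed.scheme.lower()
    if scheme == "data":
        return "on-chain"           # payload is embedded in the token itself
    if scheme == "ipfs":
        return "content-addressed"  # address is a hash of the content; still needs pinning
    if scheme in ("http", "https"):
        host = (parsed.hostname or "").lower()
        if host in IPFS_GATEWAYS and parsed.path.startswith("/ipfs/"):
            return "gateway"        # immutable content, but this URL depends on one gateway
        return "mutable-host"       # operator can replace or delete the file (the 404 case)
    return "unknown"


def decode_data_uri(uri):
    """Decode a data:application/json URI (base64 or plain) into metadata."""
    header, _, payload = uri.partition(",")
    if header.endswith(";base64"):
        return json.loads(base64.b64decode(payload).decode("utf-8"))
    return json.loads(unquote(payload))


def audit_token(token_uri, metadata=None):
    """Classify token -> metadata and metadata -> image; report the weakest link."""
    uri_class = classify_uri(token_uri)
    if uri_class == "on-chain":
        metadata = decode_data_uri(token_uri)
    image_class = classify_uri((metadata or {}).get("image", ""))
    weakest = max(uri_class, image_class, key=DURABILITY.index)
    return {"token_uri": uri_class, "image": image_class, "weakest": weakest}


# Constructed samples (not real tokens).
HOSTED_META = {"name": "Art #42", "image": "https://nft-market.example/img/42.png"}
ONCHAIN_META = {"name": "Art #42", "image": "data:image/svg+xml;base64,PHN2Zy8+"}
ONCHAIN_URI = "data:application/json;base64," + base64.b64encode(
    json.dumps(ONCHAIN_META).encode()).decode()

if __name__ == "__main__":
    print(audit_token("https://nft-market.example/api/token/42", HOSTED_META))
    print(audit_token("ipfs://bafyconstructedcid/42.json", HOSTED_META))
    print(audit_token(ONCHAIN_URI))
```

The second sample is the case worth noticing: the metadata sits on IPFS, but the image it points to is still on an ordinary web server, so the artwork can disappear even though the token's own URI looks durable.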
Scammers have asked crypto enthusiasts to send them some crypto in exchange for more crypto. Have you heard of the Rarible scam? People received messages about a Rarible giveaway. To participate, they had to send between 500 and 25,000 RARI. They would then receive five times the amount they sent. As you probably guessed, they did not receive anything. Of course, not all giveaways are fake. It’s common to give out free stuff to potential customers. Just be careful. I personally would not send money to get more money. If it’s free, then just give it to me for FREE.
My goal is definitely not to scare you away. I think NFTs are cool even though I don’t grasp all the excitement. They allow artists, especially those working digitally, to get exposure, sell their work and have full control over it. I’m just pointing out that there are security flaws that you should be aware of before jumping in and buying the first NFT you come across. As I said before, you are making an investment, so do your research.