Exploitation in the NFT World Is Real, But Is It Preventable?
Longtime investors in the digital currency ecosystem will find nothing new in scams, fraud, and exploitation; they have learned over time that the ecosystem is rife with them.
Newer investors, particularly those who started with Non-Fungible Tokens (NFTs), may not appreciate how fast exploitation in the ecosystem is growing.
According to data from the blockchain security firm Slowmist, the first four months of 2022 saw as much as $52 million in losses to NFT-related hacks, a figure that far exceeds the $7 million recorded for the whole of 2021.
While the data available to firms like Slowmist mostly covers well-publicized NFT projects, many more individual NFT holders are almost certainly being targeted every day.
Those following big-name projects like Bored Ape Yacht Club (BAYC) will recall that the brand has been hit by at least two separate exploits this year alone, the latest costing Bored Ape owners over 200 ETH. That exploitation in the NFT world is growing is no longer in doubt. CryptoMarketsBeat spoke with several industry veterans about the trend, its root causes, and how investors can protect themselves.
NFTs Are an Attractive Ecosystem for Exploits to Thrive
Hackers and cybercriminals follow the money. Exploitation takes many forms, but every one of them depends on there being a large financial prize. NFTs emerged with the goal of extending the utility of Ethereum and, by extension, of blockchain technology.
NFTs now routinely carry large valuations, and projects such as CryptoPunks, Bored Apes, and Moonbirds are effectively reserved for investors and collectors with deep pockets.
In the CoinMarketCap top-collections table shown above, the floor-price column shows that a Bored Ape cannot be bought for less than 88.5 ETH (approximately $137,638.74 at the time of writing). Taking a single Bored Ape through an exploit of any kind is therefore a big payday for the attacker.
“Many NFT projects emerged on the wave of hype when piles of money were injected into this industry,” said Dyma Budorin, CEO of Hacken, a cybersecurity and audit firm. Budorin suggested that the bulk of attacks on blockchain and NFT protocols can be traced to attackers following that money into the space.
With so much money flowing into the space, hackers have learned that many protocols are easy to exploit because their teams have not done due diligence on their security infrastructure.
“Most common hack scenarios involve social engineering and the usage of various scripts to steal private keys or other credentials to access the critical infrastructure point,” said Andrey Pelipenko, CTO of Roach Racing Club. “On top of that, hackers seek vulnerabilities in the smart contracts that accumulate funds, so using proprietary smart contract solutions that are not tested adequately, especially those coming from inexperienced developers, is a poor solution,” and one that consistently predisposes NFT projects to attacks.
What Is Bad for the Goose Is Also Bad for the Gander
If the big NFT projects are the geese here, the smaller ones are the ganders. The experts agree that projects of every size are victims of these scams.
“I bet you’ve seen news headlines about NFT hacks containing the name of a big project, such as OpenSea or Bored Ape Yacht Club, just because these projects are the most famous ones and accumulate the greatest volume of assets. Small projects and individual NFT creators and buyers also fall victim to hacks,” Budorin added.
Dr. Dmitry Mikhailov, CSO of Farcana Gaming Metaverse, brought another perspective, noting that attacks are not necessarily aimed at individual collectors or NFT projects alone: users of big marketplaces like OpenSea are also highly exposed to various forms of cyber attack.
Without referring to any one platform, Dmitry believes “such marketplaces are often developed too fast to provide the proper level of cyber defence. Vulnerabilities are caused by insufficient attention to security issues: lack of two-factor authentication, lack of readiness for phishing, and DDoS attacks.”
Whatever form a project takes, then, it can be exploited easily if the appropriate safeguards are not in place.
Curbing Growing NFT Exploitations
Although the broader NFT world is still taking shape, the experts we spoke to pointed to several measures that can be adopted to ward off cybercriminals across the board.
Dmitry's first recommendation is to educate NFT investors about the main reasons they fall prey to attacks. Budorin advocates close “cooperation with trusted cybersecurity vendors,” which would enable projects “to undergo smart contract audits and consider running a public bug bounty program.”
Other experts endorse these recommendations, and audits and bug bounties have a record of catching serious flaws in the NFT ecosystem's short history, though neither is a guarantee. Pelipenko adds that investors should always do their own due diligence before putting funds into any project, no matter the hype.
“We always recommend Doing Your Own Research (DYOR) before taking any actions: it’s a must-do in the crypto space. It is important to understand that, unlike the non-fungibles from the GameFi sector, most NFTs are just collectables without any specific utility. NFTs are risky assets, yet, most people still tend to fall for hyped projects without doing any deep research first,” he said.
The Light at the End of the Tunnel
Like the broader digital currency ecosystem, the NFT space has reasons for optimism: investors are becoming more vigilant, and developers are doing their due diligence to make protocols as secure as possible before launch.
Despite the bearish correction in the industry, venture capital firms are funding security firms like CertiK, the outfits tasked with safeguarding the ecosystem of tomorrow.
Scams will likely persist, but on current trends growing awareness should curb their spread in the near future.
Image source: Shutterstock