Keep Your NFT Business Safe. Fixing Weak Spots in NFT Marketplaces
The NFT sector has continued to ride its tidal wave of popularity, despite the recent downturn in the wider DeFi market. The NFT market is expected to grow at a compound annual growth rate (CAGR) of 52.5% from now to 2025, with new players joining all the time. So now is the best time to get your NFT marketplace off the ground. But if you want your business to grow without disruption, you should first make sure it is safe. Here are some weak spots in the NFT market that you should be aware of.
If you’re looking to create your own NFT marketplace, now’s a great time!
The NFT market is still in its infancy, and there’s huge potential for growth. NFTs offer a level of uniqueness that just isn’t there with fiat currencies, and this trait can be used in a number of ways across different industries. For example, in the gaming industry, NFTs can be used to represent in-game items, while in the automotive sector, they can represent car ownership. New uses are constantly cropping up, and businesses are exploring new ways in which to use NFTs to represent ownership of their products or services.
So if you’re looking to enter the scene with an NFT marketplace of your own, it’s the best time to do it! Not only are NFTs hugely popular (and likely to be even more so), but they’re relatively hands-off and risk-free. Also, if you start a marketplace of your own, you don’t have to be involved in the trading yourself. Plus, all your transactions are recorded on the blockchain, which means that you have inbuilt security. If you haven’t yet read our manual on kick-starting your NFT marketplace, take a look here.
The key NFT marketplace vulnerabilities to watch out for
In an NFT marketplace, all your transactions are recorded on the blockchain, which gives you an inbuilt layer of security. But this doesn’t mean that NFTs are immune to security problems. In fact, there are some key security flaws in this industry that you should know about if you want to maintain the growth of your NFT business and be seen by users as the safest place to put their funds. Let’s take a look at what these are.
OpenSea, one of the largest NFT marketplaces, has been the victim of several cyber attacks over the last couple of years, including two high-profile ones linked to phishing. The first, from January 2022, involved scammers who tricked fans of CryptoBatz (Ozzy Osbourne’s NFT project) by creating a fake Discord server. Users who followed links in older tweets from CryptoBatz and Ozzy Osbourne were unwittingly redirected to the fake server, where they were asked to verify their assets and were ultimately taken to a phishing site.
Another phishing attack occurred in February 2022 and involved unknown actors approaching individual users and asking them to sign a malicious payload with their digital wallet. OpenSea initially reported that 32 accounts were compromised, and the attacker is thought to have absconded with $1.7 million in Ethereum after selling off the stolen NFTs.
Smart contract vulnerabilities
Smart contracts are one of the key features of not just any NFT marketplace but any blockchain product. They are self-executing contracts between buyers and sellers and their terms are written directly into lines of code. In the context of an NFT marketplace, they help process transactions and manage the transfer of ownership.
If smart contracts have been effectively set up and have passed their audit checks, it is theoretically very difficult for attackers to tamper with them. But if there are any security issues that remain unaddressed, smart contracts can be relatively easily exploited by hackers.
A good example is Larva Labs, which was the victim of an exploit in March 2021. An attacker found a way to mint a rare NFT from its “Meebits” collection by creating a contract that minted multiple tokens. His attack was based on retrying his Meebit mints until the contract gave him one he wanted. He wound up spending $20,000 in gas fees but was successful in receiving and selling Meebit #16647 for more than $700,000.
If you would like to read more about smart contract vulnerabilities and how to avoid them, you can do so here.
Vulnerabilities linked to centralized or hybrid marketplaces
While the majority of NFT marketplaces are decentralized, some operate using a centralized model. Such a model relies on a central authority which controls the data and functions of the platform. In the context of an NFT marketplace, this unfortunately carries several major risks, including data tampering, censorship and even the potential loss of the NFTs that you have created or collected.
Nifty is an example of a centralized marketplace that has been subject to a number of attacks. One of the most notable was in March 2021, when users claimed that hackers stole digital artwork worth thousands of dollars. Some of the hacked users also claimed that credit cards on file were used to purchase additional NFTs, also worth thousands of dollars, which were then transferred away to a hacker’s account. Nifty confirmed that some accounts without two-factor authentication had been hacked.
Some of the key vulnerabilities of centralized marketplaces result from the fact that they often store all the private keys of digital assets on their own platforms. This means that during an attack, hackers are able to make off with thousands of tokens in a short space of time.
In addition, some users neglect additional security measures: they don’t use two-factor authentication, their passwords are too weak and they might click on untrustworthy links.
Artist impersonation scams
There have been many impersonations of artists by scammers in the NFT universe. Perhaps the most well known is the Banksy scam, in which a hacker conned a British art collector into buying a fake Banksy NFT advertised through the artist’s official website, charging him $336,000 for it. But other artists have also fallen victim to scams, including Derek Laufman, whose artwork was being sold by a fake account using his name.
The list of such impersonation scams seems to be ever growing, which has led many artists to act by publicly denouncing fake profiles that sell their art. Curiously, the Banksy scammer ended up returning all of the money he’d stolen, except for the transaction fee.
Rug pull scams
A rug pull involves the sudden removal of liquidity from a decentralized exchange liquidity pool. It is a malicious act by the creators of a project, used to defraud token holders of their hard-earned funds. In the context of NFT marketplaces, the scammers will do their utmost to create hype around a given product, build up investment around it and then abandon it without notice. But not before they have fully defrauded the investors, withdrawn all the funds from the NFT wallet, and deleted their profiles.
A famous case of this is the token inspired by the TV series Squid Game, which suddenly appeared and rapidly rose in value, reaching $2,800 before suddenly and inexplicably vanishing. It is believed that the scammers made off with $3.3 million.
If you haven’t already, you might want to read our guide featuring top tips on how to protect yourself against rug pulls.
Other NFT fraud
Hackers also often use more ‘traditional’ scams in the NFT marketplace context. These might include sending users emails, pretending to be from Coinbase, informing them that there has been suspicious activity on their account. The emails tell them that they need to act on it by providing their username and password, and the scammers then use this information to access their accounts on the NFT platform.
Another common method is sending users malicious NFTs, which has happened several times on the OpenSea marketplace. In autumn 2021, a correlation was found between users who complained on social media about losing their crypto and users who had recently received gifted NFTs.
There have also been examples of scammers who organize NFT airdrops and demand a transaction fee from users; it has been noted that the fee demanded is often far higher than the real cost.
The best way to protect your marketplace from NFT vulnerabilities
Build security into your user journeys
As much as possible, try to build security into your user experience. At various steps of the journey, you should ask your users to:
- Keep their keys private and never share their wallet information with anyone. Both their keys and their recovery codes should be totally confidential.
- Never screen-share while using their crypto wallet.
- Create strong passwords and use two-factor authentication. Using facial recognition or fingerprints makes identity theft much more difficult.
- Use NFT hardware wallets provided by official manufacturers only.
- Review NFT transaction history and be wary of NFTs which display several transactions in one day.
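The last point in the list above (be wary of NFTs that show several transactions in one day) can be turned into a check your marketplace runs on a token's transfer history before showing it to a buyer. The following is an added example and is not code from the original post; it assumes transfer records shaped like ERC-721 Transfer events (token id, sender, receiver, timestamp) as read from a block explorer, and the threshold of more than two transfers per UTC day is an assumption, not a figure from the post. It goes slightly beyond the post by also noting when a token bounces back to a wallet that already held it that day, since a small set of wallets passing one token around is the usual shape of wash trading.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample transfer log (not real chain data). One record per
# ERC-721 Transfer event; "0x00" as the sender marks a mint.
SAMPLE_TRANSFERS = [
    {"token_id": 101, "from": "0xA1", "to": "0xB2", "ts": "2022-03-01T09:10:00Z"},
    {"token_id": 101, "from": "0xB2", "to": "0xC3", "ts": "2022-03-01T11:30:00Z"},
    {"token_id": 101, "from": "0xC3", "to": "0xA1", "ts": "2022-03-01T15:45:00Z"},
    {"token_id": 101, "from": "0xA1", "to": "0xB2", "ts": "2022-03-01T20:05:00Z"},
    {"token_id": 202, "from": "0xD4", "to": "0xE5", "ts": "2022-03-01T10:00:00Z"},
    {"token_id": 202, "from": "0xE5", "to": "0xF6", "ts": "2022-03-04T10:00:00Z"},
    {"token_id": 303, "from": "0x00", "to": "0xA1", "ts": "2022-03-02T08:00:00Z"},
]


def _utc_day(ts: str) -> str:
    """Reduce an ISO-8601 UTC timestamp to its calendar day (YYYY-MM-DD)."""
    parsed = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return parsed.date().isoformat()


def transfers_per_day(transfers):
    """Group transfers as {token_id: {day: [events sorted by time]}}."""
    grouped = defaultdict(lambda: defaultdict(list))
    for event in transfers:
        grouped[event["token_id"]][_utc_day(event["ts"])].append(event)
    for days in grouped.values():
        for events in days.values():
            events.sort(key=lambda e: e["ts"])
    return grouped


def flag_suspicious_tokens(transfers, max_per_day=2):
    """Return one finding per (token, day) with more than max_per_day transfers.

    Each finding records how many transfers happened, how many distinct wallets
    took part, and whether the token returned to a wallet that already held it
    earlier that day (a round trip among a few wallets).
    """
    findings = []
    for token_id, days in transfers_per_day(transfers).items():
        for day, events in sorted(days.items()):
            if len(events) <= max_per_day:
                continue
            wallets = {e["from"] for e in events} | {e["to"] for e in events}
            previous_holders = set()
            round_trip = False
            for e in events:
                if e["to"] in previous_holders:
                    round_trip = True
                previous_holders.add(e["from"])
                previous_holders.add(e["to"])
            findings.append({
                "token_id": token_id,
                "day": day,
                "transfers": len(events),
                "wallets": len(wallets),
                "round_trip": round_trip,
            })
    return findings


if __name__ == "__main__":
    for finding in flag_suspicious_tokens(SAMPLE_TRANSFERS):
        print(finding)
```

In the constructed sample only token 101 is flagged: four transfers on 2022-03-01 among three wallets, with the token ending up back with a wallet that held it that morning. Token 202 changes hands twice but on different days, and token 303 is a plain mint, so neither is flagged. A marketplace would surface such a finding as a warning on the listing page rather than block the sale outright, since a handful of legitimate quick resales also exist.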
Keep your platform decentralized
As outlined above, a number of additional security issues go hand in hand with centralized NFT marketplaces, which is why it’s best to go for a decentralized version. In doing so, you won’t be putting users’ keys and digital assets at risk on your own servers.
Make sure that your smart contracts are audited
It definitely makes sense to audit your smart contracts before you launch your marketplace, and to do this via a trusted third-party provider. They will be able to check your code and uncover potential threats or security flaws, so you can rest assured that your smart contracts are secure and that everything is working as it should be.
Consider security from the outset and reap the rewards later!
Build security into your user experience from the outset and you won’t have to spend time and money fixing problems further down the line. Ultimately, it comes down not only to protecting your users and fighting fraud, but also to building your own reputation as a trusted platform.
Looking for an expert team to help you create an NFT marketplace?
Get in touch with our Head of Sales, Dennis Van Der Vecht, for a free blockchain consultation at firstname.lastname@example.org or +48 793 200 141.