NFTs are only as secure as their creator makes them. As with any emerging technology, taking shortcuts in the design stages can have disastrous consequences down the line.
Kraken Security Labs scanned thousands of smart contracts on the Ethereum blockchain looking for vulnerabilities left open in certain non-fungible token (NFT) contracts, then exploited the ones it found.
Below, we detail how we were able to take over two vulnerable NFTs with little effort, and show how to protect yourself against this kind of insecure NFT.
How an NFT’s media & metadata are stored
Contrary to popular belief, not all NFT media (or metadata) is stored on a blockchain. In many cases, including the ERC-721 contracts we are about to see, the chain stores only a pointer: the URI returned by the contract's tokenURI function, which points to a JSON metadata file, which in turn points to the media file. Think of a bank vault that contains a piece of paper with the address of where a piece of art is stored.
Regardless of your bank’s security, that piece of paper isn’t going to be of much use if someone goes to the address and replaces the art.
The blockchain merely stores a link to the media.
Here’s where a malicious actor takes interest. What website or host is holding the media? Who’s paying them to store it? How long is that link going to be alive? And can the on-chain pointer be updated?
Kraken Security Labs scanned thousands of NFTs for expired links (links to expired domains, or to URLs on hosting services whose account or project no longer exists). Surprisingly, this scan turned up a large number of vulnerable tokens.
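The following is an added example of the two-hop check described above (tokenURI, then the metadata's image field), written for this article; it is not Kraken Security Labs' scanning tool. It classifies each pointer as content-addressed (ipfs://, ar://, data:, or an IPFS gateway path carrying a CID) or a plain location that the host's owner controls, and for locations reports a host that no longer resolves or a user-named subdomain of a hosting service. The token URI, metadata JSON, the resolver and the hostnames are all constructed for the example; the `token_uri_calldata` helper only builds the eth_call payload for `tokenURI(uint256)` (selector 0xc87b56dd) and does not talk to a node.

```python
import json
from urllib.parse import urlparse

# Schemes whose identifier is a hash of the bytes: nobody can change what the
# pointer means without changing the pointer itself.
CONTENT_ADDRESSED_SCHEMES = {"ipfs", "ar", "data"}

# Hosting services that hand out subdomains named after a user account. If the
# account is deleted, re-registering the name can reclaim the subdomain.
USER_NAMED_SUBDOMAINS = (".github.io",)


def token_uri_calldata(token_id):
    """ABI-encode an eth_call to tokenURI(uint256): 4-byte selector + 32-byte id."""
    return "0xc87b56dd" + token_id.to_bytes(32, "big").hex()


def classify_pointer(uri):
    """Classify one pointer (a tokenURI or a metadata 'image' value).

    Returns (kind, host):
      'content-addressed' -> ipfs://, ar://, data: (hash-named, immutable)
      'ipfs-gateway'      -> http(s)://<gateway>/ipfs/<cid>...: still hash-named;
                             the gateway can disappear but cannot swap content
      'location'          -> plain http(s) URL: whoever controls the host decides
                             what is served, now and after the domain lapses
    """
    p = urlparse(uri)
    if p.scheme in CONTENT_ADDRESSED_SCHEMES:
        return "content-addressed", None
    if p.scheme in ("http", "https"):
        host = (p.hostname or "").lower()
        if p.path.startswith("/ipfs/"):
            return "ipfs-gateway", host
        return "location", host
    return "unknown", None


def audit_token(token_uri, metadata_json, resolve):
    """Follow both hops (tokenURI -> metadata -> image) and report weak links.

    `resolve(host)` is injected so the logic runs offline; in production pass
    something like `lambda h: socket.getaddrinfo(h, 443)`. It must raise OSError
    or return an empty result when the name does not resolve.
    """
    findings = []
    image = json.loads(metadata_json).get("image", "")
    for hop, uri in (("tokenURI", token_uri), ("image", image)):
        kind, host = classify_pointer(uri)
        if kind != "location":
            continue  # hash-named content: the host cannot substitute the bytes
        issues = []
        try:
            alive = bool(resolve(host))
        except OSError:
            alive = False
        if not alive:
            issues.append("host does not resolve: domain may be expired and re-registrable")
        if host.endswith(USER_NAMED_SUBDOMAINS):
            issues.append("user-named subdomain: reclaimable if the account is deleted")
        # Every location pointer is mutable by its host owner even when it is alive.
        findings.append({"hop": hop, "host": host, "mutable": True, "issues": issues})
    return findings


# Constructed sample data for the example (not a real collection).
SAMPLE_TOKEN_URI = "https://example-user.github.io/nft/1.json"
SAMPLE_METADATA = json.dumps({"name": "Example #1", "image": "https://art-of-example.invalid/1.png"})


def offline_resolve(host):
    """Constructed DNS view: only the GitHub Pages host still resolves."""
    if host == "example-user.github.io":
        return ["192.0.2.10"]
    raise OSError("NXDOMAIN")


if __name__ == "__main__":
    for f in audit_token(SAMPLE_TOKEN_URI, SAMPLE_METADATA, offline_resolve):
        print(f["hop"], f["host"], f["issues"])
```

A name that fails to resolve is the clearest signal, but it is not the only one: many lapsed domains still resolve to a registrar parking page, so a real scan should also fetch the URL and compare the response against the last known content hash. Conversely, a pointer that is content-addressed can still go dark if nobody keeps pinning the data; that is a liveness problem rather than a takeover one.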
Taking over NFT metadata hosted on GitHub