Hackers eye frequent asset thefts: be alert to NFT security risks

“Alarm! Alarm! Alarm!” The phone lying on the bedside table was screaming.

Michael J (hereinafter MJ) was jolted out of a deep sleep. He picked up the phone and saw its screen flooded with product alerts from the crypto art platform Nifty Gateway and fraud alerts from several credit card companies.

“Damn!” MJ was instantly awake. He sat up and opened Nifty Gateway to move his assets to safety, but it was too late: all of his NFTs were gone. The hacker had even used MJ’s wallet to buy new NFTs worth $10,000 and transferred those out as well.

Within a few minutes, MJ’s NFT collection, worth hundreds of thousands of dollars, had been wiped out with no way to get it back.

Nifty Gateway is a crypto art trading platform registered in the United States.

Some might say: in a case like this, can’t we turn to Nifty Gateway to assert our rights? Isn’t an NFT bound to its owner and impossible to alter? Is there really nothing to be done? MJ thought so too, and contacted Nifty Gateway.

“Since every transaction, including transfers, is recorded, I know the two specific accounts my stolen NFTs were sent to, and the purchaser information.” MJ provided this to Nifty Gateway. By then, the hacker was already looking for buyers in a Discord channel.

In response, Nifty Gateway issued a statement saying that it was analyzing the MJ incident: “Preliminary assessments indicate that the impact of this incident is limited. The accounts that were not affected had 2FA (two-factor authentication) enabled; access to the affected accounts was gained through valid account credentials.”

In the wave of overseas NFT speculation, participants face not only price bubbles but also asset security risks.

Events have shown that as NFTs and capital pour in, cyber criminals are turning their attention to the NFT space as well. In recent months the NFT market has boomed, and thefts of digital art assets have become more and more frequent.

Can the much-hyped metaverse not even protect a digital picture? To find out, “Lianxin” interviewed a number of front-line technical staff and tried to analyze the underlying technical logic, the hidden problems, industry views, and the preventive measures behind the theft of NFT digital assets.

Frequent incidents of NFT theft

In April 2021, the hacker Posen downloaded the file of Beeple’s “Everydays: The First 5000 Days” from Christie’s website, forged a copy, minted a second NFT of it that appeared to come from Beeple’s wallet, and listed it for sale on an NFT platform.

After doing all this, Posen published an article entitled “Why I Do This” on his website NFTheft, stating bluntly: “Talented and experienced creators cannot provide any necessary guarantees for their works,” and “there is no right or protection to prevent their artworks from being stolen or misused.”

This was performance art on Posen’s part, but what he said drew more attention than what he did.

Industry insiders told Lianxin that a typical NFT is really two separate parts: the token itself, a smart contract following the ERC-721 standard and stored on the chain, and the digital artwork. At present, the main way the token refers to the artwork is a URL (a network address) rather than embedding the work itself.

Kelani Nichole, who works in the digital art business, has publicly voiced doubts about ERC-721, calling this model dangerous, and said bluntly: “If one day the NFT platform’s server goes down, or their IPFS (InterPlanetary File System, a distributed file storage network commonly used for NFT files) node goes down, the content you spent a lot of money on becomes inaccessible.”

In fact, even when IPFS is used, many factors can still break the URL, which is why services like Checkmynft.com (where users enter a contract address and token ID to check the status of the token’s URL) have sprung up to meet the need.

In March of this year, Checkmynft found that NFTs by Grimes, DeadMau5 and Steve Aoki, which already used IPFS storage, failed to load and that their files had gone missing. Although the missing files had little effect on the market, the incident heightened people’s concerns about how NFTs are stored.

That being the case, why not simply put the digital artwork itself directly on the chain?

Ye Xin, CEO of Aibei Link, told the “Lianxin” reporter: “Whether an NFT exists as a smart contract pointing to a URL or as an independent work stored directly on the chain is essentially a question of cost.”

Aibei Link is a security product and technology service company in the blockchain field, focusing on digital identity, digital asset certificates, asset tracking services and the like.

Comparing the two storage methods is a simple calculation. On Ethereum, writing one 256-bit (32-byte) word into a new contract storage slot costs 20K gas. Assuming a gasPrice of 100 gwei and an ETH price of $3,000, 20K gas costs about $6.

Common URLs fit within 64 bytes (two storage words), so storing a URL on the Ethereum network costs about $12 under normal conditions. In practice an NFT contract stores only a URL prefix and appends each token ID to form the complete URL.

Storing the work itself on the chain is a different matter. Taking CryptoPunks as an example, one image needs about 3,000 bytes, roughly 2,000K gas, or about $600, some 50 times the cost of storing a URL; 10,000 images come to about $6 million.

And if the Ethereum network becomes congested and gasPrice rises, the cost of on-chain storage climbs beyond imagination.

Therefore, on cost alone, a URL is currently the most economical choice, even though it has weaknesses.
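The calculation above, carried through as an added worked example (this is not code from the article or from Aibei Link). Storage gas is charged per 32-byte word; the gas price and ETH price are the same assumptions the article uses and can be changed. The token_uri helper shows the prefix-plus-ID pattern the article mentions, and classify_reference, together with the sample URIs in the usage block, are hypothetical, illustrating the three ways a token can point at its artwork.

```python
import math
from urllib.parse import urlparse

# Figures the article quotes: one 32-byte storage word costs 20,000 gas
# (the SSTORE price for writing a new non-zero slot). Prices are assumptions.
GAS_PER_WORD = 20_000
GAS_PRICE_GWEI = 100   # assumed, as in the article
ETH_USD = 3_000        # assumed, as in the article


def storage_gas(n_bytes: int) -> int:
    """Gas needed to write n_bytes of new data into contract storage (whole 32-byte words)."""
    return math.ceil(n_bytes / 32) * GAS_PER_WORD


def storage_cost_usd(n_bytes: int, gas_price_gwei: float = GAS_PRICE_GWEI,
                     eth_usd: float = ETH_USD) -> float:
    """USD cost of storing n_bytes on chain at a given gas price and ETH price."""
    eth = storage_gas(n_bytes) * gas_price_gwei * 1e-9   # gwei -> ETH
    return round(eth * eth_usd, 2)


def collection_cost_usd(n_items: int, bytes_per_item: int,
                        gas_price_gwei: float = GAS_PRICE_GWEI,
                        eth_usd: float = ETH_USD) -> float:
    """Cost of putting every item of a collection fully on chain."""
    return round(n_items * storage_cost_usd(bytes_per_item, gas_price_gwei, eth_usd), 2)


def token_uri(base_uri: str, token_id: int) -> str:
    """The common ERC-721 pattern: the contract stores one base URI and appends the token ID."""
    return f"{base_uri.rstrip('/')}/{token_id}"


def classify_reference(uri: str) -> str:
    """Hypothetical helper: what failure mode does this kind of artwork reference carry?"""
    scheme = urlparse(uri).scheme.lower()
    if scheme == "data":
        return "on-chain"                     # artwork embedded in the token, costly but durable
    if scheme == "ipfs":
        return "content-addressed"            # survives only while some node pins the content
    if scheme in ("http", "https"):
        return "mutable-url"                  # the server can change or drop the file
    return "unknown"


if __name__ == "__main__":
    print("URL (64 bytes):      $", storage_cost_usd(64))
    print("CryptoPunk (3000 B): $", storage_cost_usd(3000))
    print("same, gasPrice 300:  $", storage_cost_usd(3000, gas_price_gwei=300))
    print("10,000 punks:        $", collection_cost_usd(10_000, 3000))
    # constructed sample URIs, not real tokens
    base = "https://example.invalid/metadata"   # hypothetical base URI
    for uri in (token_uri(base, 42),
                "ipfs://QmExampleCidPlaceholder/42",
                "data:application/json;base64,eyJuYW1lIjoiNDIifQ=="):
        print(classify_reference(uri), uri)
```

With the article’s assumptions the helper gives $12 for a 64-byte URL and $564 for a 3,000-byte image (the article rounds to 2,000K gas and $600); tripling gasPrice triples both figures, which is the congestion case the text warns about.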

So how does a hacker go, step by step, from a potential technical weakness to actually stealing someone else’s NFTs?

The black hand reaching into your account

According to blockchain professionals, although blockchain records are touted as immutable, the assets controlled by smart contracts are easier to steal and forge than many people think. And since NFT transactions can bring huge profits, hackers have every motive to go further.

Ye Xin told Lianxin that the main reason for the frequent asset thefts in the NFT market recently is the sharp rise in the value and liquidity of NFT assets. Thefts from personal wallets have happened many times before; in the past the conversation was about cryptocurrency, now it is about NFTs. Once a hacker has the victim’s private key, transferring the NFTs out and cashing them in is the natural next step.

This is the paradox: an NFT is a tamper-proof electronic ledger entry that authenticates and defines an original piece of digital art and can give artists a permanent share of resale transactions; belief in the tangible benefits of the blockchain technology behind NFTs triggered the “NFT rush” of the first half of 2021 and the steady rise in prices; yet the technical foundation of this $2.4 billion emerging industry is weak, cannot deliver on its promises, and no quick fix is in sight.

Given this, understanding how hackers steal NFTs may at least reduce the number of victims.

According to “Lianxin”, a user’s NFT assets are stolen either because the wallet’s private key leaked or because the user, without realizing it, authorized a transfer. Either way, the user’s “cooperation” is indispensable: put simply, the user granted the authorization without knowing it. There are three typical situations:

1. The user fails to protect the private key, for example by keeping it in cloud storage such as a mailbox, pasting it into a chat application by mistake, or entering it on a phishing site; this is what is called the private key “touching the net”. For example, if the mailbox has no 2FA (two-factor authentication), a hacker who cracks its weak password can simply read the private key out of it;

2. The user grants a wrong authorization. Hackers set up fake websites, fake wallets or fake projects to trick the user into signing an approval, then use the approve/setApprovalForAll and transferFrom functions of the ERC-721 contract to move the assets without the user noticing. In the NFT scenario, because the asset may contain an image or video, there is also an attack surface that plain currency does not have: a hacker may exploit a flaw in a trading website to make a malicious image trigger an authorization pop-up that looks legitimate, and trick the user into clicking it;

3. The device holding the private key is compromised, which is a more advanced way of stealing the key. Any networked device can have malware installed on it via phishing emails, Word documents and similar lures. If the user keeps the private key in plain text, or the password protecting it is too simple, the hacker can steal the key remotely. The device that stores the private key therefore needs security patches applied promptly and regular anti-virus scans; it is safer to handle private keys with a cold wallet.
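The second situation is worth seeing in motion. Below is an added example, not code from the article or from any of the companies it mentions: a Python model of the ERC-721 ownership and approval rules (owner, per-token approved address, and operators set via setApprovalForAll), with a constructed walk-through in which the victim signs a single approval on a fake site and the attacker then drains every token with no further signature. The ERC721Sim class, the addresses "victim" and "attacker", the token IDs and the list_operators helper are all constructed for illustration; the authorization check in transfer_from follows the standard’s rule, and the per-token approval is cleared on transfer as the standard requires.

```python
from dataclasses import dataclass, field


class NotAuthorized(Exception):
    """Raised where a real contract would revert."""


@dataclass
class ERC721Sim:
    """Minimal model of ERC-721 ownership/approval state (constructed for illustration)."""
    owner_of: dict = field(default_factory=dict)    # token_id -> owner address
    approved: dict = field(default_factory=dict)    # token_id -> single approved address
    operators: dict = field(default_factory=dict)   # owner -> {operator: bool}

    def mint(self, to: str, token_id: int) -> None:
        self.owner_of[token_id] = to

    def approve(self, sender: str, spender: str, token_id: int) -> None:
        # approve(): only the owner (or an operator of the owner) may set it
        owner = self.owner_of[token_id]
        if sender != owner and not self.operators.get(owner, {}).get(sender, False):
            raise NotAuthorized("approve: caller is not owner nor operator")
        self.approved[token_id] = spender

    def set_approval_for_all(self, sender: str, operator: str, approved: bool) -> None:
        # setApprovalForAll(): one signature covers every token the sender owns, now and later
        self.operators.setdefault(sender, {})[operator] = approved

    def is_authorized(self, sender: str, token_id: int) -> bool:
        owner = self.owner_of[token_id]
        return (sender == owner
                or self.approved.get(token_id) == sender
                or self.operators.get(owner, {}).get(sender, False))

    def transfer_from(self, sender: str, frm: str, to: str, token_id: int) -> None:
        # transferFrom(): the standard's authorization rule
        if self.owner_of[token_id] != frm:
            raise NotAuthorized("transferFrom: from is not the owner")
        if not self.is_authorized(sender, token_id):
            raise NotAuthorized("transferFrom: caller has no approval")
        self.owner_of[token_id] = to
        self.approved.pop(token_id, None)   # per-token approval is cleared on transfer


def list_operators(nft: ERC721Sim, owner: str) -> list:
    """What an 'check and revoke approvals' tool would show the user."""
    return sorted(op for op, ok in nft.operators.get(owner, {}).items() if ok)


def phishing_scenario():
    """Victim signs one setApprovalForAll on a fake site; attacker drains all tokens."""
    nft = ERC721Sim()
    for tid in (1, 2, 3):
        nft.mint("victim", tid)
    # Step 1: with no approval in place the attacker cannot move anything.
    try:
        nft.transfer_from("attacker", "victim", "attacker", 1)
        blocked_before = False
    except NotAuthorized:
        blocked_before = True
    # Step 2: the "legitimate-looking" pop-up is really setApprovalForAll(attacker, true).
    nft.set_approval_for_all("victim", "attacker", True)
    # Step 3: the attacker moves every token; the victim signs nothing further.
    for tid in (1, 2, 3):
        nft.transfer_from("attacker", "victim", "attacker", tid)
    return blocked_before, dict(nft.owner_of)


def revocation_scenario() -> bool:
    """Same trick, but the victim revokes the operator before the attacker acts."""
    nft = ERC721Sim()
    nft.mint("victim", 1)
    nft.set_approval_for_all("victim", "attacker", True)
    nft.set_approval_for_all("victim", "attacker", False)   # revoke
    try:
        nft.transfer_from("attacker", "victim", "attacker", 1)
    except NotAuthorized:
        return nft.owner_of[1] == "victim"
    return False


if __name__ == "__main__":
    print(phishing_scenario())     # (True, {1: 'attacker', 2: 'attacker', 3: 'attacker'})
    print(revocation_scenario())   # True
```

The point the model makes is that the signature the victim clicked through is not a transfer at all, so nothing about it looks like “sending” the NFT; the drain happens in later transactions signed only by the attacker. That is why the practical check is to review which operators a wallet has approved and revoke any that are unexpected, as revocation_scenario shows.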

To prevent such incidents, besides understanding the hackers’ tactics and staying alert day to day, it is also very necessary that rights and responsibilities between the various platforms be clearly defined. But NFTs are still in their infancy; the existing rules and people’s consensus are far from complete, and building a complete system will take time.

In Ye Xin’s view, however, for individual users whose NFTs were stolen because their private key was stolen or phished, the main responsibility at present lies with the users themselves. That is the defining feature of a decentralized crypto market.

Wallet providers, trading platforms and auction platforms are obliged to add defenses layer by layer throughout the product. On top of securing their own systems, they should also educate users on security awareness and on the common phishing and fraud traps.

Remedies: everything is new

The rules are not yet sound, the industry is working on it, and the problems with NFT storage still need solving. Many blockchain startups hope to help fill these gaps and make their contribution here.

For example, Nithin Palavalli, CEO and founder of the blockchain service and security company RubiX, believes that the current storage options are not good enough, so his company devised a new mechanism: by verifying transactions on the blockchain under this model, users can store large amounts of data on chain, helping protect assets against hacker attacks.

For users who value the files behind their NFTs, losing those files can be deeply frustrating.

In response, RubiX has worked with artists to use biometrics for access and to create more secure files. It has also partnered with the Microsoft Intelligent Security Association to develop several decentralized security protocols as part of its blockchain security products; these solutions may help the NFT market work better.

In addition, the intellectual property lawyer Jeff Gluck has long been concerned with the smart contracts that are so closely tied to artists’ rights. Because there is no centralized standard for minting, he says, artists end up cheated out of their resale royalties, so he founded CXIP Labs, which provides smart contracts that work across any platform’s protocol.

Storage options, file loss, smart contracts: everything seems to fit what Ye Xin said, that the weaknesses are temporary and will be closed bit by bit as the industry matures. Just as early DeFi protocols suffered a large number of attacks that gradually fell away as project developers’ general security awareness improved, the NFT market will go through the same process.

Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/hackers-eye-on-frequent-theft-of-assets-and-be-alert-to-nft-security-risks/