2021 is destined to be a year worth recording in the history of the crypto circle. In the post-epidemic era, governments around the world have introduced a series of macro-control policies in response to the economic recession, and the crypto circle has flourished: from Bitcoin to Ethereum to pet coins, from DeFi to NFT to the metaverse, one new IP after another has ignited market enthusiasm. The development of the blockchain has reached a new height, and among all these stars, NFT is definitely the brightest. Technology empowers business, and technology empowers art. Uniswap sold a pair of socks for US$160,000, five words from Twitter’s founder sold for US$2.5 million, and crypto artist Beeple received a bid of US$9.75 million in Christie’s NFT auction… Overnight, NFT became popular all over the Internet. NFT, a technology born out of the blockchain, can be widely used in the token economy thanks to its non-fungible nature. At a new historical starting point, it will promote the protection of intellectual property rights, accelerate the liquidity of assets, reshape the digitalization of assets and rebuild the digital art system. The era of “NFT for everything” seems to have arrived.
However, the emergence and development of new things is never smooth sailing; it is a dialectical unity of progress and setbacks. NFT is no exception: from the establishment of the standard to the market, it has been a process full of contradictions. There is still no good solution to the centralized security problem behind NFTs: how to determine the binding relationship between the token on the chain and the asset off the chain, and how to ensure the immutability of the off-chain asset, have always been points of concern. In this article, we will discuss the centralized security issues behind these NFTs.
What is NFT
A non-fungible token (NFT) is a unit of data stored on a digital ledger, called a blockchain, that certifies a digital asset to be unique and therefore not interchangeable. NFTs can be used to represent items such as photos, videos, audio, and other types of digital files. Access to any copy of the original file, however, is not restricted to the buyer of the NFT. While copies of these digital items are available for anyone to obtain, NFTs are tracked on blockchains to provide the owner with a proof of ownership that is separate from copyright.
According to the above definition from Wikipedia, an NFT (non-fungible token) is a unit of data on a blockchain (a digital ledger), and each token can represent a unique piece of digital data. Because they are not interchangeable, non-fungible tokens can represent digital files such as paintings, sounds, films, in-game items, or other forms of creative work. Fungible tokens (FT) can replace each other and can be split almost infinitely. For example, there is no essential difference between a Bitcoin in your hand and a Bitcoin in my hand; that is fungibility. Non-fungible tokens, namely NFTs, are unique and indivisible tokens, such as CryptoKitties or tokenized digital tickets. An NFT is like a numbered renminbi banknote: there are no two banknotes with the same serial number, no two kitties with the same number, and no two NFTs with exactly the same ID.
Figure 1. FT and NFT
Put simply, an NFT is the tokenization of asset ownership on the blockchain. Take the purchase of a piece of art as an example. When a collector buys a piece of art, they sign a contract to transfer ownership and then receive a certificate of authenticity to prove that they own the original. NFT works in a similar way: it creates a non-replicable digital token on the blockchain (hence “non-fungible”) and automatically tracks the entire ownership history and sales prices of the underlying file. Any potential buyer of an NFT asset can see exactly when it was created, when it was bought and sold, at what price, and by whom. Therefore, not only is the entire process of generating formal ownership decentralized, but the whole transaction history is also transparent, which makes the valuation process smoother. Anything from digital goods (such as items that exist in a virtual world) to physical assets (such as clothing or real estate) can be represented as an NFT. In the next few years we will see NFT used in brand new application scenarios that can only be realized on the blockchain.
From a technical point of view, NFT is a token concept which stipulates that every token has an id, so every token is unique; the token information is stored on the blockchain, which guarantees its uniqueness, openness, non-tamperability and security. NFT can act as a “digital certificate”, with each token corresponding to a specific asset. In addition, each token is indivisible. NFT has broad application prospects in the token economy; at present it is mainly used in games and digital art. The Ethereum ERC-721 protocol is an implementation standard for NFT.
The ERC-721 protocol specifies 3 events and 9 functions to implement operations such as token transfer, authorization, and the recording of operations. We notice that almost every function has a parameter called _tokenId, which is the unique “ID card” that identifies each token in an NFT contract.
Note: Each token has one and only one id, which is also the only credential that guarantees that each NFT token is different.
Different types of NFT have different implementations. Based on how the on-chain information of the NFT interacts with the off-chain world, NFTs can be divided into unbound NFTs and bound NFTs (shown in Figure 2):
Note: “Binding” here refers to the binding relationship between the NFT token on the chain and the assets off the chain.
Figure 2. NFT classification
The first type is the unbound NFT, shown in Figure 3. For this type of NFT, all the information of the token exists only on the chain, and no off-chain asset (information) is associated with the on-chain token. An example is CryptoKitties, a game on the Ethereum platform that has attracted crowds of cat lovers. In the game, users can raise, buy, sell and breed “electronic pet” kittens. Each kitten corresponds to an NFT token, so each cat is unique. Moreover, all the information of each cat is recorded in the contract, so there is no need for any extra off-chain space to record the cat’s information.
Figure 3. Unbound NFT
Loot, which has recently been popular across the whole network, is also an unbound NFT on the Ethereum chain. The introduction of Loot on Opensea says:
Loot is randomized adventurer gear generated and stored on chain. Stats, images, and other functionality are intentionally omitted for others to interpret. Feel free to use Loot in any way you want.
In other words, Loot NFT is randomly generated adventurer equipment stored on the blockchain. Stats, images and other functionality are intentionally omitted for others to interpret. In layman’s terms, Loot is an on-chain NFT with a black background that contains only text. Anyone could take part in the minting and would randomly receive a set of fantasy adventurer equipment, in the form of text of course. These pieces of equipment are randomly distributed and have the property of scarcity. Each Loot contains 8 types of equipment, so there are 8 lines of words, each line representing one type of equipment. In short, Loot is an on-chain NFT that only contains text information. Yes, it is just text!
As shown in Figure 4, it can be seen from Opensea that the Loot NFT token with a token ID of 2790 is priced at 9 ETH (about 200,000 RMB).
Figure 4. Loot NFT token information
The information it represents can be viewed on etherscan through the following interface provided by the contract (the query result is the 8 phrases shown in the figure above).
Figure 5. Loot contract interface
Since all the information of Loot NFT is placed in the Loot contract on the Ethereum chain, Loot is an unbound NFT, and all its information is placed on the chain.
Secondly, there are bound NFTs. The characteristic of this type of NFT is that each token has a one-to-one correspondence with a certain off-chain asset (a picture, a song, etc.). From a certain perspective, the token can be regarded as a “certificate” for the off-chain asset. Therefore, this type of NFT is mostly used for things like the trading of artworks.
As shown in Figure 6, this type of NFT differs from the one above: the NFT contract also stores an external link corresponding one-to-one to each token. Therefore, in this type of NFT, the information of a token is not only stored on the chain; part of it is stored off-chain, and the contract stores the external URI information corresponding to the token.
Figure 6. With binding NFT
If the external link recorded in the contract contains no further links to other places, that is, a single external link contains all the information describing the corresponding token, then this token is called a single-level bound NFT, as shown in Figure 6. If the external link recorded in the contract contains further external links to other places, that is, multiple levels of nested external links, then this kind of token is called a multi-level bound NFT, as shown in Figure 7. If the number of nesting levels of external links is n, we call it an n-level bound NFT, with the blockchain layer at level 0.
Figure 7. Multi-level binding NFT
Centralized security issues of NFT
As we mentioned earlier, thanks to the decentralization and immutability of blockchain technology, the security of each token in an NFT can be guaranteed: the uniqueness, legitimacy and ownership of the content of the token itself (the data on the chain) in the contract cannot be tampered with. However, a bound NFT contract saves not only the content of the token itself; as shown in the NFT contract in Figure 6, the contract also saves the information of the external URI corresponding to the token, and that external URI points to the token’s corresponding off-chain information. This kind of on-chain and off-chain interaction mechanism is where the centralized security problem we mentioned at the beginning arises.
Although the token id and external URI in the contract cannot be tampered with, the content of the external page pointed to by the URI can be modified. As shown in Figure 8, if someone modifies the content behind the external link, this cannot be detected from the on-chain data alone. In this case, your NFT asset may be swapped out by others at any time. That is to say, for the bound NFT contracts shown in Figures 6 and 7 above, the consistency of the on-chain data and the off-chain asset cannot be guaranteed. This is the centralized security issue in NFT of how to ensure that off-chain assets cannot be tampered with.
Figure 8. Tampering with bound NFT
There are two types of bound NFTs: weakly-bound NFTs and strongly-bound NFTs.
- Weakly-bound NFTs are those mentioned above: NFTs that cannot guarantee the consistency of on-chain data and off-chain assets. For example, Figures 6 and 7 show weakly-bound NFTs.
- Strongly-bound NFTs are those that guarantee the consistency of the on-chain data and the off-chain assets; that is, there is some mechanism such that the off-chain asset corresponding to a token cannot be tampered with, or any tampering is traceable. Obviously, strongly-bound NFTs are more secure and reliable, and more in line with the “decentralization” design concept of the blockchain.
In order to better understand the current NFT ecosystem, we selected the 10 ERC-721 NFT contracts with the largest historical transaction volume (Transfer events) on Ethereum as of September 11 for analysis (the contract information and analysis results are in the appendix at the end of this article). Unfortunately, most of the currently bound NFTs are weakly bound: among the 10 NFT contracts, apart from 3 unbound NFTs, 6 of the remaining 7 bound NFTs are weakly bound.
Case study: Art Blocks
Art Blocks is the most active and representative among the 6 top weakly-bound NFTs above. In the following, we use Art Blocks as the target NFT for case analysis.
Figure 9. NFT 7-day trading volume ranking on Opensea platform
As shown in Figure 10, it can be seen from Opensea that the bid for Art Blocks NFT token with token ID 95000658 is as high as 398.5 ETH (about 10 million yuan).
Figure 10: Sky-high Art Blocks NFT token
So what does this token represent? We check the information of this token through the contract interface on etherscan to get the corresponding URI: https://api.artblocks.io/token/95000658.
Figure 11. Art Blocks contract interface
As shown in Figure 12, the content of this external link is a file in JSON format which defines information related to the artwork. In this JSON file, the URI that points to the image of the artwork (the image field) is given. We notice that both the token URI saved on the chain and the image URI saved off the chain point to the project’s private site, Art Blocks, and there is no verification mechanism. In short, if the project party privately changes the content behind the URI, the user’s NFT collection will be swapped out. Obviously, as a multi-level weakly-bound NFT, Art Blocks has a centralized security risk.
Figure 12. Off-chain information of Art Blocks NFT token (level 1)
In addition, as we mentioned before, in a weakly-bound NFT, if someone gains control of the external link corresponding to your token, he can modify the content behind that link, and your NFT token can be swapped out without your knowledge. Although weakly-bound NFTs can save some costs and improve development efficiency in some respects, this comes at the price of sacrificing the security of the NFT.
One of the original intentions of the blockchain is the security and non-tamperability brought by decentralization plus cryptographic mechanisms. If we abandon these features, what is the difference between the NFT on the blockchain and the traditional certificate method?
Can do better
At present, most bound NFTs are weakly-bound NFTs, which cannot effectively guarantee that the token on the chain corresponds exactly to the data off the chain. Strongly-bound NFTs adopt special methods to ensure the consistency of the token’s on-chain and off-chain information. There are mainly two ways to implement a strongly-bound NFT:
The first achieves a strong binding mechanism for NFT through blockchain-based or distributed network storage, represented by IPFS:
Figure 13. IPFS strong binding NFT
This method guarantees the consistency of the on-chain information and the off-chain information by storing the files on an immutable blockchain or distributed network storage system, such as IPFS or Arweave. Due to the technical characteristics of such file systems, an uploaded file cannot be tampered with, so the consistency of the token information will not be destroyed. Figure 13 shows an NFT using IPFS: this NFT contract stores the external IPFS URI address corresponding to each token. Because IPFS is a distributed, peer-to-peer, tamper-proof file system, once a file is uploaded to the IPFS network it cannot be changed, so the off-chain information corresponding to each token is also unchangeable. RARI NFT took this approach.
The advantage of achieving a strong binding mechanism through blockchain-based or distributed network storage represented by IPFS is that only the URI information corresponding to the token needs to be recorded in the contract, which saves on-chain storage space. The disadvantage is that blockchain and distributed network storage systems are troublesome to use, unfriendly to ordinary users, and costly.
The second achieves a strong binding mechanism through hash pointers:
A hash pointer is a pointer that stores both the location of some data and the hash value of the data at that location. An ordinary pointer can only tell you where the data is stored; a hash pointer not only tells you where the data is stored, but also gives you a way to verify that the data has not been tampered with.
Figure 14. Hash pointer strong binding NFT
As shown in Figure 14, in an NFT that uses hash pointers to achieve strong binding, the on-chain contract stores the hash pointer of the first-level external link, the first-level external link stores the hash pointer of the second-level external link, and so on: each level of the storage system stores a hash pointer to the next level. Under this mechanism, if the content of any level is tampered with, the tampered location can be traced.
The advantage of a strongly-bound NFT contract using the hash pointer method is ease of use: the storage of external files is not limited to a blockchain or distributed network storage system, but can also use web protocols such as http and https. The disadvantage is that each level of the storage structure must store the hash pointer of the next-level link, which takes extra space; especially on a blockchain, where even a small amount of content is expensive to store, this overhead should not be underestimated.
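To make the difference between the weak binding of Figures 6 and 7 and the hash-pointer binding of Figure 14 concrete, here is an added Python example (not from the article or from any NFT project) that simulates a token whose off-chain metadata file in turn points to an image. In the weak layout the contract record holds only a URI, so replacing the image goes unnoticed; in the hash-pointer layout every level stores the hash of the next, so the walk stops at the tampered level, and the resolver handles any nesting depth, not just two levels. All URIs, file contents and the in-memory storage standing in for web hosting are constructed for illustration.

```python
import hashlib
import json

# Constructed stand-in for off-chain web storage (URI -> bytes); none of these
# are real Art Blocks addresses. Level 0 is the on-chain record, level 1 the
# metadata JSON, level 2 the image that the metadata points to.
IMAGE = b"PNG-bytes-of-the-artwork"
META_URI, IMG_URI = "https://example.invalid/token/1", "https://example.invalid/img/1.png"
STRONG_META_URI = "https://example.invalid/token/1-strong"
OFFCHAIN = {
    META_URI: json.dumps({"name": "Example #1", "image": IMG_URI}, sort_keys=True).encode(),
    IMG_URI: IMAGE,
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def hash_pointer(uri: str, storage: dict) -> dict:
    """A hash pointer: where the data lives plus the hash of what must be there."""
    return {"uri": uri, "hash": sha256_hex(storage[uri])}

def resolve(pointer, storage: dict, next_key: str = "image"):
    """Follow the binding chain level by level.

    `pointer` is a bare URI string (weak binding, nothing to check) or a hash
    pointer dict (strong binding). Returns (levels_fetched, ok); ok turns False
    at the first level whose bytes do not match the hash that points at it.
    """
    levels = 0
    while pointer is not None:
        uri = pointer if isinstance(pointer, str) else pointer["uri"]
        data = storage.get(uri)
        if data is None:
            return levels, False                       # dead link
        levels += 1
        if isinstance(pointer, dict) and sha256_hex(data) != pointer["hash"]:
            return levels, False                       # tampering detected here
        try:
            doc = json.loads(data)
        except ValueError:
            return levels, True                        # binary leaf asset reached
        pointer = doc.get(next_key) if isinstance(doc, dict) else None
    return levels, True

def build_strong_binding(storage: dict):
    """Strong layout: the metadata carries a hash pointer to the image, and the
    on-chain record carries a hash pointer to the metadata."""
    strong = dict(storage)
    meta = {"name": "Example #1", "image": hash_pointer(IMG_URI, strong)}
    strong[STRONG_META_URI] = json.dumps(meta, sort_keys=True).encode()
    return hash_pointer(STRONG_META_URI, strong), strong

def tamper(storage: dict, uri: str, new_bytes: bytes) -> dict:
    """The host silently replaces a file; the on-chain record is untouched."""
    return {**storage, uri: new_bytes}

def demo() -> dict:
    strong_chain, strong_store = build_strong_binding(OFFCHAIN)
    return {
        "weak_intact": resolve(META_URI, OFFCHAIN),
        "weak_swapped": resolve(META_URI, tamper(OFFCHAIN, IMG_URI, b"other-art")),
        "strong_intact": resolve(strong_chain, strong_store),
        "strong_swapped": resolve(strong_chain, tamper(strong_store, IMG_URI, b"other-art")),
    }
```

`demo()` returns `(2, True)` for the swapped weak layout, showing that nothing on the chain notices the substitution, and `(2, False)` for the swapped strong layout, pinpointing level 2 as the tampered one.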
From a security perspective, we recommend that the design specification of NFT contracts should meet one of the following conditions :
1. Use an unbound NFT, that is, all data is placed on the chain
2. Adopt a strongly-bound NFT based on an IPFS-like mechanism
3. Adopt a strongly-bound NFT based on hash pointers
This article analyzed the 10 NFT contracts with the largest transaction volume on Ethereum. Most of these contracts are weakly-bound NFT contracts, and weakly-bound contracts have centralized security issues that cannot be ignored. To a certain extent, a weakly-bound contract is like a centralized certificate system wearing the skin of a blockchain, in which the centralized authority has absolute control over the NFT. In this case, the NFT in your pocket does not really belong to you; someone else has merely given you temporary permission to use it, and it can be taken back at any time. Is this not a step backwards in a decentralized world?
There is no small matter in security work; a single thought separates heaven from hell. In a decentralized world, technology should help establish a fair and just framework, not a traditional centralized system dressed up as decentralization. At present, the development of NFT is in the ascendant: a series of standards has yet to be established, the old world needs to be broken, and a new order urgently needs to be established. We have reason to believe that a truly decentralized NFT world will eventually come.
10 NFT contracts on Ethereum analyzed in this article
Posted by: CoinYuppie, reprinted with attribution to: https://coinyuppie.com/is-it-technological-innovation-or-a-wolf-in-sheeps-clothing-the-security-concerns-behind-the-booming-nft-market/