The (Other) Problem with NFTs

Physical artworks in museums are usually well-guarded - but digital artworks are something else entirely: in 2021 alone, scammers successfully stole 100 million dollars worth of non-fungible tokens, or NFTs. Yet blockchain technology, where most NFTs live - is one of the most secure technologies in history. Why, then, are NFT collectors keep getting hacked?

Hosted By

Ran Levi

Co-Founder @ PI Media

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast, Making History, with over 15 million downloads as of July 2022.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guest

Oded Vanunu

Head of Products Vulnerability Research at Check Point Software Technologies, Ltd.

More than 15 years of Cyber Security experience. A Security Leader & Offensive Security expert.
Leading products & technologies security research from a design level to post release.
Expertise: leading Security Research Teams, Vulnerability Research & Security architecture.

The (Other) Problem with NFTs

Security of Famous Art

What are the most valuable things you could own? Precious jewels? One-of-a-kind sports cars or memorabilia?

How about artworks?

Rare and popular art is worth far, far more than its weight in gold or paper money. The most expensive sale of a painting — da Vinci’s Salvator Mundi — was for 450 million dollars, five years ago. And Salvator Mundi isn’t da Vinci’s most famous, or even his second most famous piece. You could only guess how much the Mona Lisa would go for. 

Because art is so expensive, some museums employ serious security protocols to keep them protected. As much as in the Hollywood movies, if not more.

Of course there are guards in every room, doors and windows are always fitted with alarms, and motion sensors paint invisible laser patterns across gallery rooms. But motion is just one kind of way to sense malicious behavior — a 2000 New York Times article highlighted museums with, quote, “infrared sensors that monitor a room’s temperature and can see the shapes of warm bodies moving through it; ultrasonic sensors that trigger an alarm if their sound waves strike a foreign object; microwave sensors that work on the same principle but can be hidden within walls.” End quote. Acoustic sensors attached to display cases can pick up when glass is being cut. Sensors — like LoJacks, devices originally designed for tracing stolen vehicles — can be placed onto artworks themselves, if they’re not too delicate. Otherwise, cameras can be trained on specific works 24/7, raising an alarm if the image in the frame moves even one bit. That’s in addition to the dozens or hundreds of other CCTV cameras stationed around any museum, all under watch from a control center.

These measures prevent thieves from stealing art. And for special insider threats, quote: “museums now check employees’ backgrounds more carefully; issue card keys to restrict access in their buildings; spend more on guarding storage rooms, which hold the bulk of most collections; enforce stricter rules for signing objects in and out; and teach guards to watch their fellow employees as closely as they watch strangers.” End quote.

There are likely more security measures that we don’t know of publicly, because museums wouldn’t want to reveal all of their cards. By the end, the many security layers we know of, plus those we don’t, stack on top of one another to create a nearly impossible task for prospective thieves. And sure, occasionally some museum somewhere is penetrated due to some kind of oversight. But let’s be real: It’s highly unlikely that someone will be able to successfully steal Starry Night, or Michelangelo’s David. Not these days. 

The Irony of NFT Security

Now compare those impressive, labyrinthine, near-Herculean safeguards we place on physical artworks to how we handle digital artworks.

This past summer, a blockchain analysis company called Elliptic published an “NFTs and Financial Crime report.” Among the findings: in one year — from July 2021 to July 2022 — scammers successfully stole 100 million dollars worth of non-fungible tokens, or NFTs. On average, 300,000 dollars in value, per successful attack.

The more you look into the data, the worse it gets. The period in question included a severe bear market, where the value of NFTs dropped drastically. And yet scams rose in frequency every single month — in the final month of the study, there were over four and a half thousand of them. And, of course, the researchers could track only publicly reported cases. We can’t say how many more attacks there were — how many millions more were stolen — and simply not reported, for one reason or another.

It’s become pretty easy to steal people’s NFTs. Really, to steal anything on the blockchain. According to blockchain research firm Chainalysis, billions of dollars in cryptocurrency are stolen every year — over 2 billion in 2021 alone, and over 3 in 2022. But it’s not because the technology is insecure. Consider this:

There isn’t one major corporation, one government or military that hasn’t been in some way hacked since the year 2009.

In the same period of time, the Bitcoin network has been compromised not once.

You could argue that blockchain is actually the single most secure information technology in the world today. Not every blockchain is built equally, but Bitcoin, and also Ethereum — where most NFTs live — are damn near impenetrable, for reasons we’ve explained in previous episodes of Malicious Life.

It may seem like a contradiction, that blockchains are so secure and yet the people who use them keep getting hacked. But there’s a reason why.

#1 Case of the Disappearing NFT

On December 28th, 2021, at 1:07 in the morning, the rapper Waka Flocka Flame — known best for “No Hands,” “Hard in the Paint,” and other bangers — posted a video to his Twitter account. It was an iPhone recording of his laptop screen, which displayed his digital wallet on OpenSea, the world’s leading NFT marketplace. We watch him scroll past a few different NFT artworks in his collection…

Try to look past the weirdness of it all, and really examine what he’s saying. The fake NFTs “popped up” in his wallet. All he did was click on them, and “they” stole 19 grand worth of his property. How?

“[Oded] My name is Oded Vanunu and I am the Head of Products Vulnerability Research at Check Point”

Oded Vanunu is a regular on a sister podcast of Malicious Life — about cutting-edge cybersecurity research projects — called CPRadio.

“[Oded] Recently I just finished writing a book with two of my colleagues and the book is all about blockchain hacking.”

This Fall, Oded and his colleagues came across a number of OpenSea users having their own Waka Flocka moments.

“[Oded] I remember it was like the weekend and we started to see tweets of users saying hey, we were just like receiving NFT gifts or NFT links on the OpenSea network and we lost all our assets. Like our balance was withdrawn and we don’t understand what happened.”

As just one example, there was an artist — Jeff Nicholas — who tweeted on August 24th, quote, “ .” End quote. For context, each ETH (Ethereum) token at the time cost just under 2,000 dollars. So that’s 10,000, plus Bored Apes and Crypto Kitties, which were probably worth a whole lot more.

A Twitter user named Andrew expressed sympathy. “Dude, feel so bad for you. no words,” he wrote.

Jeff replied, summing up his feelings. “It’s fucked.”

#1 CPR’s Malicious NFT Proof

“[Oded] So we started to discuss and started to say, OK, we need to investigate this scenario.”

All that was known, to this point, was that a hacker or hackers were sending NFT airdrops to users on OpenSea. Airdrops are like gifts developers will send to thousands of users, to promote their projects. Like, “Here’s a free NFT for your wallet, now you know about us.” They’re very common.

“[Oded] So we started to see what is the onboarding process of creating NFT.”

The first, most basic step in uploading an NFT to the OpenSea marketplace is choosing a file format: JPEG, PNG, GIF, and so on. Then there are some more niche formats, like Scalable Vector Graphics, or SVG.

“[Oded] SVG is like a JavaScript file type, meaning that I can take an image. However if you look at the code, it’s based on JavaScript.”

An SVG file might come packaged as an image but, unlike JPEGs and GIFs, the code underneath is capable of doing things.

“[Oded] We said, “OK, let’s try to reconstruct some kind of SVG file.” Put like an image and then let’s add some kind of JavaScript code and see if it can echo back or we can see that it’s executing our code.

Then after a few reviews and testing, we saw that it’s indeed executing our code. [. . .] it was very surprising because we thought that if I have some kind of code that I’m putting in some kind of image file, they will have protection that will block any kind of code execution.”

Oded and his team could’ve programmed his SVG NFT to do anything they wanted to an OpenSea user.

“[Oded] Then we said, OK, if it’s executing the code, we can start to communicate with the API of the user wallet, meaning that I can weaponize an SVG image that everyone that will press on it, will like it, it will execute code in the context of the user that got it.”

They wrote a simple program: if a user accepted their malicious NFT, they obtained access to the user’s OpenSea wallet.

So Waka Flocka opens his OpenSea account and sees a notification for a free airdrop, something very common in the NFT world. He clicks “Accept,” and that’s it. In moments, everything’s gone. With just one click.

Layer 2 vs. Layer 1

There’s a fact of this story that’s easy to gloss over, amid all the details — that at no point, anywhere, was there a vulnerability in the blockchain. Heck, unless you knew before listening, you couldn’t even tell me what blockchain we’re talking about here.

OpenSea is not a blockchain, it is a platform that operates on top of the Ethereum blockchain. We call this a smart contract.

“[Oded] Smart contracts are basically applications.”

Like the programs you run on your laptop or phone, but on the blockchain.

“[Oded] Today, if I want to create application that will work on blockchain network, I need to create a smart contract [. . .]

There are vulnerabilities that are not by intention, vulnerabilities and misconfiguration on smart contract. It’s like creating an application on the internet that we have and we found some kind of vulnerabilities in the frontend. By exploiting the vulnerability and the application, it gives us access to the database.”

OpenSea users didn’t lose their NFTs because of a flaw in the blockchain — the database — they lost them because of a flaw in an application, written by developers. And anything written by developers is bound to have some bugs in it somewhere.

“[Oded] We managed to create this kind of attack and immediately we contacted OpenSea and said, “OK, guys. The attack from the morning or the attack from the weekend, this is how it happened. You must fix, you must create some kind of sandbox or you must remove all the file types that can contain code inside of it. This is what they actually did.”

Not every blockchain attack is the fault of the developers, though.

#2 Contract Migration Phishing

Consider when, mere months before the malicious NFT aidrops, OpenSea users faced nearly the exact same situation. It was February 19th when “Panic erupted,” wrote one blogger, “as a few users saw their wallets emptied of valuable NFTs without knowing why, and many others feared the same could happen to them.” Some guessed it had to do with a malicious airdrop, but that wasn’t it.

To understand, you need to know what really makes smart contracts unique: that, unlike regular software programs, they can never be changed. (Nothing on the blockchain can be changed.) So, if you want to update the software — at least, the part that lives on the chain — you have to create an entirely new version.

“[Oded] OpenSea created a new smart contract and all users will be – all users were required to migrate their listing on Ethereum to the new smart contract.”

To continue using OpenSea, users had to transfer their NFT wallets from the old OpenSea to the new one. It was as easy as it sounds — follow a link, click a button, you’re done.

But a clever hacker came up with an idea.

“[Oded] They were taking advantage of the upgrade process and decided to scam NFT users by using the same mail format that was coming from OpenSea.”

Almost too easy. A hacker copy-pasted the email OpenSea sent its users, alerting them to the contract migration. They re-sent it from a lookalike domain, and replaced the legitimate link with a malicious one.

“[Oded] So the victim is like getting a link for moving to the new application of OpenSea and once the user clicked on it, it’s linking to a phishing website that looks exactly the same as OpenSea to sign a transaction.”

Users thought that the transaction they were signing would migrate their wallet. Instead, behind the scenes, they triggered an “atomicmatch_” function on the Ethereum blockchain. Basically…

“[Oded] By signing the transaction, the user or the victim actually said, “OK, I am giving you ownership of my OpenSea assets.””

Once again, nothing untoward has happened on the blockchain — merely a transfer, just like any other, from one user to another. Even from the platform’s point-of-view, there’s no actual error.

Only 17 people fell for the trick. But the combined 250 or so NFTs that they lost were valued, at the time, around 1.7 million dollars.

The Deadly Combination

According to data from nonfungible.com and the research firm L’Atelier, NFTs traded for 82 million dollars in 2020. In 2021 they traded for 17.6 billion — a 21,000% year-over-year increase.

NFTs were in the news, and on Saturday Night Live. Your parents heard about them — these shiny, flashy things regular people were using to get rich quick. And if the same artworks that were worthless a few years ago sell for thousands or millions of dollars apiece, surely you should get some for yourself, right? Influencers on social media propagated this narrative to grow their followings, and YouTubers posted videos with their shocked faces in the thumbnails, with titles like “Making $1.5M In 17 minutes selling NFTs” or “BEST POTENTIAL For 10x Gains! (You DON’T Wanna Miss This NFT Project).”

And so all kinds of people ran to take part in this digital-era gold rush. Some knew what they were doing; many did not. Is it any wonder that bright-eyed, amateur investors made for such easy targets?

And then there were the engineers, who migrated to this new and exciting field. Plenty of them were smart, but the blockchain has its own logic, limitations and languages. Isn’t it inevitable that platforms created by devs with only two or three years’ experience in the field would have bugs in them?

“[Oded] So currently cybercrime is identifying that the entire blockchain ecosystem has a lot of gap in cybersecurity defense. [. . .] 

currently all the Web 3 main platforms are still not ready to deal with this amount of traffic that they are dealing. So it means that they need to spend a lot on security and on like monitoring the entire networks. That takes time.”

Wherever there are millions of dollars, hackers will be trying to get in. Wherever there are gullible people, hackers will smell blood. Until cryptocurrencies and NFTs become a lot less profitable, or the people who use them become a lot more experienced, blockchain will continue to be the most attractive place for cyber attackers to pick up a quick buck.

#3 Axie Infinity

There may be no better demonstration of this — of the risks in NFT security, and just how dangerous it is to be in this industry right now — than what happened to one video game studio last March.

Maybe you’ve heard of Call of Duty, Fortnite, and Candy Crush, but what about Axie Infinity? If you’re unfamiliar, think Pokemon, if the Pokemon were NFTs, and you’ve got the idea. At its peak, this game reached 2.7 million daily users — not total, daily — mostly concentrated in Southeast Asia, particularly the Philippines. Weekly transaction volume for its in-game NFTs surpassed 200 million U.S. dollars.

Early last year, some employees of Sky Mavis — Axie’s developer — began receiving recruitment messages over LinkedIn private messaging. The messages seemed to come from a competing company, and encouraged the recipients to apply for a job.

One engineer was interested. According to the website The Block, the engineer pursued the opportunity, completing “multiple rounds” of interviews. Then they received their offer. All the details came in a PDF document, which they downloaded to their computer. I could tell you what happens next, but you probably already know.

According to a blog from Sky Mavis, quote, “the attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes.” End quote. Validator nodes, put simply, are the trusted entities which control what happens on a blockchain. Like a Supreme Court that approves or disapproves transactions based on majority vote. Axie runs on their own little blockchain called the “Ronin” network.

“[Oded] But the decentralized system that they built had only nine validators. OK? Which is like a very small amount of validators.”

According to the developers, the Ronin network was one day supposed to have more than 100 validator nodes, very few of which would be controlled by the company itself. The goal being to prevent the very scenario that ended up occurring, when they had just 9.

“[Oded] if you build a system that serves millions of users and have transactions of hundreds, of millions of dollars, you cannot have nine validators. [. . .]

because if for example a hacker managed to get 51 percent of the validators, then he can approve the transaction.”

Through the hacked employee account, the attackers managed to secure the private keys to five validator nodes — more than half of the total. With a majority of these Supreme Court judges, they had the power to deny or approve anything that happened on the blockchain and in the game. So they generated two withdrawal transactions from the game into their own account.

Two weeks after the news broke, the U.S. Treasury Department identified those attackers as the Lazarus Group — North Korea’s premier APT, known for using cybercrime to fund the Kim Jong-Un regime.

From this one phishing attack against a single NFT video game, they walked away with more money than they could’ve ever dreamed of stealing from any ordinary corporation, bank or government; probably more than all of their other cyber campaigns combined. A total of 625 million dollars.

So is it any wonder? Tons of money, easy marks. Nobody is more excited that you’re getting into NFTs than your future hackers.