Well, that was not a hack, as clarified by the OpenSea spokesperson. However, it is a major security incident, which this NFT marketplace leader witnessed again and again. The company has a valuation of over $13 billion with over a million active user wallets. The NFTs and their marketplace are already surrounded by controversies. Any security breach incident reported, especially from its market leader like OpenSea, exposes the already vulnerable industry, making customers further lose their confidence and trust.
We all know any flaw in the NFTs Marketplace’s design, which, if abused, poses a significant financial risk. In the case of OpenSea, at least 32 users had lost their valuable NFTs worth $1.7 million on February 19, 2022. The early reports talked about a much higher value, that of around $200 million, which the company spokesperson denied. OpenSea Co-Founder and CEO, Devin Finzer acknowledged the attack, confirming that 32 users have lost NFTs worth $1.7 million. In another incident reported in December 2021, a total of 16 apes were stolen, valued at $2.2 million.
What are NFTs and why they are creating hype?
Read our previous article.
NFT Marketplaces are new in the digital ecosystem. They are also making huge news for the hype that NFTs have created over the last few months. NFTs are supported by blockchain technology, and hence they are supposed to be super secured. Then why NFTs and the marketplace are facing security issues?
Here are three security issues for NFTs Marketplaces demystified by the experts:
1. NFT Marketplaces’ protocol design isn’t entirely decentralized
In a research paper ‘Understanding Security Issues in the NFT Ecosystem,’ Dipanjan Das, Priyanka Bose, Nicola Ruaro, Christopher Kruege, and Giovanni Vigna, provide a very thorough insight on how these NFT Marketplaces work. In this paper, the authors mention the off-chain part of the marketplace. Even though the events in the marketplace are recorded in a centralized, off-chain database managed by the NFTM. Users perform various activities by interacting with the web app, not the blockchain, and, therefore, this design is gas-friendly. Nifty is an example of an off-chain NFTM.
Here’s an excerpt of the research paper on how the entire system works:
NFT marketplaces (NFTM) are dApp platforms where NFTs (also referred to as assets) are traded. There are typically two main components of an NFTM—a user-facing web frontend, and a collection of smart contracts that interact with the blockchain. Users interact with the web app, which, in turn, sends transactions to the smart contracts on their behalf 5 . Primarily, there are two types of contracts: (i) marketplace contracts, which implement the part of the NFTM protocol that interacts with the blockchain, and (ii) token contracts, which manage NFTs. Marketplaces typically allow users to perform the following activities: (a) user authentication, (b) token minting, (c) token listing, and (d) token trading.
The token-related activities are collectively called events. Depending on where these events are stored, three broad types of NFTM protocol design are possible:
(i) on-chain: all the events live on the blockchain. Since every action costs gas, this design makes the NFTM operationally expensive for the users. NFTMs that follow this design include Axie, CryptoPunks, Foundation, and SuperRare.
(ii) off-chain: the events are recorded in a centralized, off-chain database managed by the NFTM.
Users perform various activities by interacting with the web app, not the blockchain, and, therefore, this design is gas-friendly. Nifty is an example of an off-chain NFTM.
(iii) hybrid: depending on their type, events are stored either on-chain or off-chain. To ensure the integrity of the operation, on-chain and off-chain events are tied together with a cryptographic check. OpenSea and Rarible follow this model.
As the events in OpenSea are stored on both on-chain and off-chain, the marketplace could be vulnerable to attacks and other breach activities. Other NFTs Marketplace like Axie, CryptoPunks, Foundation, and SuperRare could be more secured owing to entire on-chain protocols.
2. NFTs marketplace are vulnerable to human error
If we consider any security threat in the digital ecosystem, they are either caused by human error or occur due to inherent flaws in the system itself. In these cases of NFTs Marketplace, both factors play an equally important role.
In the case of yesterday’s incident, OpenSea Co-Founder and CEO, Devin Finzer said it appears to be a phishing attack originating outside of OpenSea’s website. In a tweet, he mentioned that it seems 32 users have signed a malicious payload from an attacker and some of their NFTs were stolen.
Earlier, Engadget in an article talked about the security vulnerability of OpenSea.
The site had a critical security vulnerability that could have allowed hackers to steal users’ entire crypto wallets, according to security research firm Check Point Software.
Check Point said it first noticed reports of stolen crypto wallets triggered by airdropped NFTs, prompting the firm to investigate OpenSea. That revealed critical security discoveries “that, if exploited, could have led hackers to hijack user accounts and steal entire crypto wallets of users, by sending malicious NFTs,” the company said.
It seemed that a lot of things needed to go wrong for the attack to work, and it’s not clear if it was actively exploited. Check Point said it disclosed the vulnerability as soon as it found it, and OpenSea said it implemented a fix “within an hour of it being brought to our attention.” The company said it’s “doubling down on community education around security,” by adding a blog series and taking other measures.
The security research firm said that given the rapid pace of innovation, “there is an inherent challenge in securely integrating software applications and crypto markets.” Bad actors are also drawn to crypto like wasps to pain au chocolat, so it’s likely we’ll hear about similar attacks in the near future.
3. Anonymity and Lack of regulation make them extremely vulnerable
NFTs can remain anonymous for the time being, and you may not know who is behind the artist’s username or avatar. NFTs are likewise not subject to any laws or regulations. Because of these characteristics, NFTs are perfect for concealing unlawfully obtained funds.
The general process that is involved for any financial transactions isn’t applicable to NFTs Marketplace. Anti-Money Laundering (AML) and Counter-Terrorist and Proliferation Financing (CTF/PF) standards are not needed, even the larger ones, and users are not obliged to go through Know Your Customer (KYC) processes. However, there is growing speculation that NFT platforms will soon be required to implement KYC, AML, and CTF/PF solutions.