    How to Make NFTs Secure?

    Modern hardware wallets usually support NFTs. However, not every marketplace lets its clients use these devices directly: either hardware wallets are not allowed at all, or the client has to go through a software wallet, which is inconvenient. The extra steps confuse users or cause errors, so many give up on this way of storing NFTs.

    The solution to this issue is obvious: NFT platforms (marketplaces, video games, galleries, etc.) should support all popular hardware wallets that can store NFTs.

    Smart contract transparency

    Smart contracts on NFT platforms process the payments and manage the non-fungible tokens, so hackers and other malefactors are interested in attacking them. It is therefore important that these smart contracts are open source and that an independent audit has checked them.

    Unfortunately, not many platforms follow this rule. For example, Sorare's smart contracts are closed software. Rarible is a hybrid: some of its smart contracts are open, the others are not. OpenSea is perfect in these terms: its contracts are public and have passed an independent audit. If you want your NFTs to be safe, trade on OpenSea.

    Authentication policy

    Art objects in the real world are often just a vehicle for money laundering. NFTs make this easier, since anonymous users can mint the tokens, and there is no need to transport them, which is frequently a problem with physical artworks. Many cryptocurrency exchanges, like Binance and Coinbase, have introduced KYC (Know Your Customer) and AML/CFT (Anti-Money Laundering, Combating the Financing of Terrorism) procedures. Yet NFT platforms have done nothing to guarantee that KYC/AML/CFT rules are followed.

    Passing the ownership rights on an asset

    When NFTs are traded on an online marketplace, either an intermediary transfers the ownership rights in the asset to the buyer, or an escrow smart contract does so. In the first case the NFTs are under threat because the intermediary might steal the money or the tokens, or a hacker can infect the intermediary's device with malware.

    The escrow model also carries risks, because the security of the money and tokens then depends on the security of the escrow contract's code. Since NFT platforms often process the deal off-chain to save gas, hacking this contract is possible. Still, escrow is overall the more secure way to buy and sell NFTs.

    Nifty Gateway uses the escrow contract trading model, while Rarible and OpenSea use the intermediary operator model.

    Market operation decentralization

    When NFT assets are published on the platform, they are transferred to the trading platform's wallet. The platform then holds the NFTs in escrow, which happens outside the blockchain. From the moment the seller transfers his NFTs to the marketplace until the sale is completed, all transactions are invisible on the blockchain. This violates the principle of decentralization and makes buying and selling NFTs unsafe for all parties.

    If you want to keep your NFTs secure, use platforms that have no access to your private keys and do not require you to transfer the asset to their wallet (the way Nifty Gateway works). If you develop your own NFT platform, make sure it does not violate the decentralization principle, so that assets are not exposed to unnecessary threats.

    Checking the entered data about the deal

    NFT applications are the front-end part of the system; they interact with the server side and the smart contracts (the back-end). During the buying/selling process the front-end and back-end have to coordinate everything. The application or the smart contract must check every parameter the interface receives from the user. Neglecting this, or implementing it poorly, leads to loss of NFTs or money.

    For example, one of OpenSea's reports describes a user who wanted to gift an NFT and typed the receiver's nickname instead of their Ethereum address. Because nobody checked whether the input was valid, the NFT was sent to the wrong address or lost.

    Editable metadata

    NFT metadata describes what the token represents, for example a photo file, a song, or the text of a play. The ERC-721 standard allows the token's metadata to be changed, which is a threat to the assets' security. For instance, if an NFT is a work of art, the token contains a link to the photo, video, or audio. The NFT creator can then change the token's metadata and turn the token into rubbish.

    This can be done in two ways. The first is to change the metadata_url stored in the token. The second is to change the metadata file that the URL points to. While the first can be blocked at the smart-contract level, metadata hosted on another domain can still be changed or deleted, and that is effortless: one only needs to buy or hack the domain.

    The fix for the first way is to forbid changing the metadata_url in the smart contract. The key to the second case, which partly lowers the risk, is to publish the metadata on IPFS. The benefit of IPFS is that the URL of the metadata file includes a hash of its content, so the metadata cannot be changed without changing the NFT's URL.
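To make the IPFS argument concrete, here is an added Python example (not code from the article or from any platform it names) that contrasts a creator-controlled web URL with a content-addressed one. content_address builds a sha256 multihash of the raw bytes and base58-encodes it, the CIDv0 layout; it deliberately skips the UnixFS wrapping that `ipfs add` performs, so the string differs from what the IPFS CLI would print, but the property that matters is identical: the name commits to the bytes. The hostnames, file paths and metadata JSON are constructed for the example.

```python
import hashlib
import json

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Base58btc, the alphabet CIDv0 uses."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    leading = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading + out


def content_address(data: bytes) -> str:
    """sha256 multihash (code 0x12, length 0x20) of the raw bytes in base58 ("Qm..." form).
    Simplification: `ipfs add` wraps files in UnixFS DAG nodes first, so its CID differs."""
    return b58encode(b"\x12\x20" + hashlib.sha256(data).digest())


def verify_ipfs_url(url: str, data: bytes) -> bool:
    """A client that fetched `data` for `url` can check it without trusting the host."""
    return url.startswith("ipfs://") and url[len("ipfs://"):] == content_address(data)


class MutableHost:
    """Creator-controlled web server: the URL never changes, the bytes behind it may."""
    def __init__(self):
        self.files = {}

    def put(self, path: str, data: bytes) -> str:
        self.files[path] = data
        return "https://creator.example/" + path  # constructed hostname

    def get(self, url: str) -> bytes:
        return self.files[url.split("/", 3)[3]]


class ContentHost:
    """IPFS-style store: data is addressed by its hash; a new version gets a new name."""
    def __init__(self):
        self.blobs = {}

    def put(self, data: bytes) -> str:
        cid = content_address(data)
        self.blobs[cid] = data
        return "ipfs://" + cid

    def get(self, url: str) -> bytes:
        return self.blobs[url[len("ipfs://"):]]


def scenario() -> dict:
    """Creator sells a token, then swaps the metadata. Returns what a buyer can observe."""
    # Constructed metadata; the image CID is a placeholder, not a real object.
    original = json.dumps({"name": "Wizard #1", "image": "ipfs://<image-cid-placeholder>"}).encode()
    rubbish = json.dumps({"name": "Wizard #1", "image": "https://creator.example/junk.gif"}).encode()

    web, ipfs = MutableHost(), ContentHost()
    web_url = web.put("meta/1.json", original)  # what the token's metadata_url points to
    ipfs_url = ipfs.put(original)

    web_url_after = web.put("meta/1.json", rubbish)  # creator overwrites the file in place
    ipfs_url_after = ipfs.put(rubbish)               # on IPFS the rubbish gets a new name

    return {
        "web_url_unchanged": web_url == web_url_after,        # the token still looks the same
        "web_content_swapped": web.get(web_url) != original,  # but the buyer now gets rubbish
        "ipfs_url_changed": ipfs_url != ipfs_url_after,       # a swap needs a new metadata_url
        "ipfs_original_verifies": verify_ipfs_url(ipfs_url, ipfs.get(ipfs_url)),
        "ipfs_rejects_rubbish": not verify_ipfs_url(ipfs_url, rubbish),  # lying gateway caught
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The two halves of the fix in the paragraph above correspond to the two dictionary entries: freezing metadata_url in the contract only helps if the URL itself pins the content, which is what the ipfs_url_changed entry shows, and verify_ipfs_url is the check a wallet or marketplace can run on every fetch regardless of which gateway served the bytes.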

    To protect your NFTs from these threats, use platforms like CryptoPunks, Foundation, and Nifty Gateway: their token contracts do not allow the metadata_url to be changed. The platform Xie has some issues, since its token contracts allow users to change the URL. OpenSea, SuperRare, and Sorare allow the creator to change the metadata_url before the first sale. Yet only Foundation requires the metadata to be stored on IPFS.

    Security risks for the user

    Creating a counterfeit NFT

    Smart contracts prove the authenticity of NFTs. Before buying an asset, we recommend verifying the collection's contract address against official sources, such as the project's web page. Unfortunately, users rarely do this because they do not know it is possible. Instead, they focus on the names and appearance of the lots on the marketplace, which lets a malefactor offer fake NFTs. Fraudsters usually use these schemes:

    • Similar collection names. There are loads of fake NFTs on the internet that use an identical representation of a collection or of an individual NFT. The trick is to replace ASCII characters in the original name with non-ASCII characters that merely look similar, for example the Latin ‘C’ with a Cyrillic ‘С’, and nobody will see the difference.

    OpenSea restricts its users from using popular collection names and certain special characters to limit such cheating. However, it is easy to circumvent this restriction by adding a period (.) at the end of the name or by replacing an uppercase character with a lowercase one, turning, for example, CryptoWizards into Cryptowizards.

    • Identical image URLs. Some fake NFTs copy the image_url of existing NFT assets. For example, a fraudster can deploy a smart contract and mint tokens that copy a popular collection like CryptoPunks. A customer who only looks at the appearance and does not check authenticity may mistake these NFTs for real ones.

    There is no easy way to protect yourself from such fraud, since at present there is almost no way to verify who is placing tokens and where, unless it is a celebrity or a well-known token. The best protection in this case would probably be a reputation system and vendor verification mechanisms (a KYC procedure).

    • Similar images. Another way to create a fake NFT is to copy a digital asset (photo, video, audio) and then mint an NFT that points to that copy. This type of fraud is widespread on the NFT market because it is simple and accessible: many platforms allow you to mint NFTs for free.

    Currently, no platform performs asset similarity checks to determine whether a multimedia file has already been used in other NFTs. It is therefore up to users to do such verification themselves, through Google or other content similarity mechanisms.
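The collection-name tricks described in the first scheme above (non-ASCII look-alikes, a trailing period, changed letter case) are what a marketplace's name check should normalize away before comparing a new collection name with known ones. The following is an added Python example, not OpenSea's or any platform's code; it goes slightly beyond the article by also folding Unicode compatibility forms such as fullwidth letters, which NFKC normalization handles. The confusables table is a hand-picked excerpt constructed for the example; a real deployment would load Unicode's confusables.txt, and the known-collection registry is likewise constructed.

```python
import unicodedata

# Hand-picked excerpt of look-alike pairs (constructed for this example). A real
# deployment would load the full mapping from Unicode's confusables.txt.
CONFUSABLES = {
    "\u0410": "A", "\u0430": "a",                 # Cyrillic A
    "\u0412": "B",                                # Cyrillic Ve
    "\u0421": "C", "\u0441": "c",                 # Cyrillic Es
    "\u0415": "E", "\u0435": "e",                 # Cyrillic Ie
    "\u041D": "H", "\u041A": "K", "\u041C": "M",  # Cyrillic En, Ka, Em
    "\u041E": "O", "\u043E": "o",                 # Cyrillic O
    "\u0420": "P", "\u0440": "p",                 # Cyrillic Er
    "\u0422": "T", "\u0425": "X", "\u0445": "x",  # Cyrillic Te, Ha
    "\u0391": "A", "\u0392": "B", "\u0395": "E", "\u0397": "H",  # Greek capitals
    "\u039A": "K", "\u039C": "M", "\u039D": "N", "\u039F": "O",
    "\u03A1": "P", "\u03A4": "T", "\u03A7": "X", "\u03BF": "o",
}


def suspicious_chars(name: str):
    """Every non-ASCII code point with its Unicode name, for display to a reviewer."""
    return [(i, ch, unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(name) if ord(ch) > 0x7F]


def skeleton(name: str) -> str:
    """Comparison form: NFKC folds fullwidth/ligature forms, the table folds cross-script
    look-alikes, casefold removes letter case, and trailing dots/spaces are dropped."""
    s = unicodedata.normalize("NFKC", name)
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    return s.casefold().rstrip(". ")


def is_lookalike(candidate: str, known: str) -> bool:
    """True when the names differ as typed but collapse to the same skeleton."""
    return candidate != known and skeleton(candidate) == skeleton(known)


def impersonated_collections(candidate: str, known_collections) -> list:
    """Known collection names that `candidate` would be confused with."""
    return [k for k in known_collections if is_lookalike(candidate, k)]


if __name__ == "__main__":
    KNOWN = ["CryptoWizards", "CryptoPunks"]  # constructed registry of verified names
    for attempt in ["\u0421ryptoWizards", "Cryptowizards.", "\uff23ryptoPunks", "CryptoWizards"]:
        print(repr(attempt), suspicious_chars(attempt), impersonated_collections(attempt, KNOWN))
```

Because the comparison runs on the skeleton rather than on the raw string, a blocklist of popular names can no longer be bypassed with a trailing period or a case change, and suspicious_chars gives a moderator the exact code points to show a user who asks why a name was refused.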

    Social engineering (phishing)

    This is the common name for various psychological manipulations that make a user perform specific actions or reveal private information. Put more simply, these are the tricks that let fraudsters obtain money, passwords, bank cards, secrets, and other information about people without hacking their computer or smartphone. Unlike conventional scams, social engineering requires many steps and much preparation.

    As we mentioned above, some fraudsters sent fake emails pretending to be from the Coinbase support team in order to obtain users' login data. This is probably the most common type of phishing: the fraudster prepares an email and a website or application that the email leads to, which captures the user's login and password.

    There are other options. Fraudsters often create fake applications that imitate popular wallets, exchanges, and marketplaces. Frequently these fake applications pass the checks of Google Play and the App Store.

    Another type of phishing leads the victim to install software with a virus or keylogger inside. Usually the scammer contacts the victim via a social network or messenger and somehow convinces them to download and extract a password-protected ZIP file from Google Drive. The password protection ensures that Google Drive's virus scanning cannot look inside the ZIP file (the scammer gives the password directly during the conversation, e.g., on Twitter).

    Once the victim has extracted the file and launched the malicious installer, the malicious code infects the system. When the victim then opens, for example, a MetaMask wallet, the scammer can intercept the username and password. Together with the seed phrase (stored on the computer in the browser extension), this information lets the hacker(s) steal all of the user's tokens. If the wallet is connected to a bank card, that money will be stolen as well.

    How can the users protect their NFTs?

    Employ two-factor authentication

    The most crucial thing users can do to protect their NFTs is to use multi-factor authentication (MFA). Statistics show that hackers and fraudsters mostly steal money from users who have not enabled this feature. For example, on Nifty Gateway only users who did not use MFA were hacked. The same holds for the victims of the Coinbase phishing emails.

    Use a complicated, long password

    Do not underestimate the benefits of a strong password, especially combined with MFA. Your password should be sufficiently long and complex and not reused on other accounts. Best of all, it should be a random string of numbers and symbols generated by a program, like the generator Google Chrome offers to create a complex password automatically when you sign up somewhere.

    Store the backup phrase in a safe place
