Can Smart Contracts Protect NFTs?

By Galina Likhitskaya, Vice President, Operation & Product at HashEx

In 2021 the total NFT sales have grown from $1.3 billion in Q2 to $10.7 billion in Q3. The sales  of collectible NFTs have grown even more drastically: over 100 times, from $55.5 million at the start of 2021 to $5.6 billion in the third quarter. Even the two most popular auction houses — Sotheby’s and Christie’s — both joined the NFT boom and started to accept cryptocurrencies as payment to allow high-net-worth cryptocurrency holders to become bidders in their auctions.

The rise of the NFT market has certainly not gone unnoticed among hackers. And they are ready to show their ingenuity in trying to expropriate or fabricate non-fungible tokens. There are not very many cases of attacks on NFT smart contracts, but the server-based marketplaces have undergone attacks, with some of them coming to fruition. So, if you do not want to become a victim of such attacks one day, you should know how to protect yourself against them.

How to protect yourself from a counterfeit NFT?

To start with, NFTs cannot be replicated. So, that is one thing you can feel confident about. However, NFTs with similar IDs can still be issued but from a different smart contract. To check the authenticity of an NFT, you need to copy the address of the smart contract that minted it and run a search on it on the respective blockchain explorer.

If the smart contract is fake, it will be marked as unverified and there will be no metadata on it. If the smart contract is valid, you will see it marked as verified and it will have metadata explicitating the owner of the smart contract and other relevant things.

This is part of your own due diligence, and no smart contract audit will be of help in this situation.

Keeping your NFTs safe

In regards to the safety of the NFTs you have, they can be stolen, and you need to store them securely so as to avoid that happening. The main exploit in this case would be storing your NFTs on centralised NFT marketplaces. These platforms are server-based and keep your NFTs in one wallet. So, if the hacker breaks into your account, they will be able to transfer your NFTs to a different address. 

We saw that happening with the Nifty Gateway marketplace in March 2021. One of the platform’s users wrote on 14 March that someone had stolen his NFTs and bought over $10,000 worth of the NFTs dropped on the day using his funds. This case shows the exploitability of centralised marketplaces and the threats that their users can become victims of. 

This kind of threat does not have anything to do with smart contracts minting the NFTs but rather with the platform’s security. So, it will be safer to transfer your NFTs to your own wallet over which you have full control. 

The reentrancy attack

The reentrancy attack is a popular exploit that targets the fallback function of Ethereum contracts. In ERC-20 contracts, fallback functions send Ether; they execute transactions that cannot be executed by any other functions in a contract. Particularly, they execute the transactions which have no supplementary data.

To execute a reentrancy attack, first the attacker needs to map some Ethereum-based balance to their smart contract. Then, they can use the fallback function of their smart contract to call a «withdraw» command from the smart contract they want to withdraw from. If the smart contract the hacker targets executes the transfer before readjusting the balance, the hacker can repeat the «withdraw» command multiple times and deplete the contract.

With NFT smart contracts, the fallback function of an NFT contract can call «withdraw» from a different NFT contract to transfer its NFTs. The smart contract of the hacker will also need some balance mapped to it so that the targeted NFT smart contract can read it before executing the transfer. So, if a reentrancy attack works on an NFT, the seller will be the victim.

Reentrancy attacks basically exploit the order of the execution of functions in a smart contract. The most reliable way of protecting a smart contract against such attacks will be using the so-called checks-effect-interactions execution order that ensures that the function checks the balance first and only then transfers assets. This is something a smart contract audit can help with and what NFT marketplaces should always do before deploying their smart contracts.

Conclusion

NFTs are unique and cannot be counterfeited. Only a different smart contract can issue a look-alike NFT, which will be a different one and can be identified as such by the address of the smart contract minting it. This is something the buyer should pay attention to; smart contract audits have nothing to do with it.

Another risk is the danger of theft: NFTs can be stolen from centralised NFT marketplaces if the attacker manages to break into the account of its user. To avoid that happening, it will be safe to transfer your NFTs to a wallet you, not the marketplace, control. Also the marketplaces should take the security of the platform very seriously and follow strict protocols internally as well as take serious measures against outside attacks.

And lastly, it is still necessary to audit an NFT smart contract for being vulnerable to a reentrancy attack. This also relates to the marketplaces as their smart contracts massively dominate the NFT issuance.