Scams like rug pulls are widely discussed in the NFT space. However, there are other ways that users can be exploited that deserve attention. Smart contracts that run on blockchain technology are typically considered more difficult to take advantage of, as they have a smaller attack surface than web applications. However, since we need a web application to access smart contract functionality, security issues in these areas could lead to an exploit.
Put plainly, to access your NFTs and crypto, you still need to go on the internet and buy or sell these assets via a website like any other. And any security gaps in such front-end apps may be used against users.
Sadly, hackers have been exploiting one particular gap to hijack digital assets without exploiting the smart contract itself. Specifically, criminals hack the front-end application of a particular decentralized application and issue requests to trick the user into signing a fraudulent transaction. Such requests are exceptionally difficult to identify, as they often appear native and safe at first glance, mimicking the style and language of the platform.
However, the requests are actually foreign to the website and controlled by the fraudsters themselves. The result? Once a user signs the transaction, the attacker can redeem certain assets from the wallet.
It is important to note that this exploit doesn’t give the hacker unconditional control of the wallet. If NFTs from one collection are stolen, an additional fraudulent transaction might be needed to steal NFTs from a different collection. Still, this raises an important question: whose responsibility is it to protect your digital assets? Here, we try to answer this by looking at each party involved — wallets, platforms, and users — and provide tips on how such exploits could be prevented.
1. Cautious communication in personal token wallets
Crypto wallets used to hold digital assets have many layers of protection that are intended to prevent anyone — except the person that they belong to — from accessing them. However, by focusing on the security gaps of front-end apps, hackers are able to bypass the aforementioned safeguards without ever knowing any passwords. This may result in multiple users losing control over their NFTs at the same time.
To prevent this, wallets such as MetaMask could display more thought-out warning messages for common types of interactions.
Currently, only neutral information describing transaction approval is shown. Instead, a cautious message indicating that a user may transfer access to a given asset (or a collection of assets) could be shown as an alert. This way, one would be prompted to consider things twice before signing any transaction that may give someone control of any NFTs.
2. Including fraud prevention information in knowledge bases
Marketplaces trading digital assets could define and communicate their interaction scope more clearly, as well as include a section on potential hacker entry points in their knowledge base. They could list and publish examples of contract interactions that they might initiate (e.g. “I am OpenSea at opensea.io. I will only call this contract with these parameters”).
Likewise, providers, such as MetaMask, could refuse any non-standard transactions. That way, in most cases, a client-side breach wouldn’t be enough for an attack to be successful.
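The two ideas above (a wallet warning that spells out what access is being granted, and a marketplace-published list of the contract calls it legitimately initiates, which the wallet can enforce) can be combined into a single pre-signing check. The following is an added example written for this article, not code from MetaMask, OpenSea or any other project. The function selectors are the real ERC-721 ones; the web origins, contract and operator addresses and the published allowlist are constructed sample data, and `assessRequest`, `decodeCalldata` and `PUBLISHED_ALLOWLIST` are hypothetical names.

```javascript
// Added example: a wallet-side check run before a transaction is shown for signing.
// It decodes the calldata, compares it with the interaction policy the requesting
// origin has published, and returns a plain-language warning instead of the neutral
// "approve transaction" text. Selectors are real ERC-721 values; everything else
// (origins, addresses, the allowlist) is constructed for illustration.

// keccak256 selectors of the standard ERC-721 methods that hand over control of tokens.
const SELECTORS = {
  "0xa22cb465": "setApprovalForAll(address,bool)",
  "0x095ea7b3": "approve(address,uint256)",
  "0x42842e0e": "safeTransferFrom(address,address,uint256)",
  "0x23b872dd": "transferFrom(address,address,uint256)",
};

// Constructed stand-in for a marketplace's published statement of the form
// "I am <site>. I will only call these methods with these operators."
// The operator address is a placeholder, not a real contract.
const PUBLISHED_ALLOWLIST = {
  "https://marketplace.example": {
    allowedMethods: ["setApprovalForAll(address,bool)", "approve(address,uint256)"],
    allowedOperators: ["0x1111111111111111111111111111111111111111"],
  },
};

// Split ABI-encoded calldata into its 4-byte selector and 32-byte argument words.
function decodeCalldata(data) {
  const hex = String(data).toLowerCase();
  if (!/^0x[0-9a-f]*$/.test(hex) || hex.length < 10) return { method: null, words: [] };
  const body = hex.slice(10);
  const words = [];
  for (let i = 0; i + 64 <= body.length; i += 64) words.push(body.slice(i, i + 64));
  return { method: SELECTORS[hex.slice(0, 10)] || null, words };
}

// An address argument is right-aligned in its 32-byte word: drop the 12-byte padding.
function wordToAddress(word) { return "0x" + word.slice(24); }
function wordToBool(word) { return BigInt("0x" + word) !== BigInt(0); }

// Decide whether to block, warn about, or silently allow a signing request.
// `origin` is the web origin that issued the request; `tx` is { to, data }.
function assessRequest(origin, tx) {
  const { method, words } = decodeCalldata(tx.data || "0x");
  const policy = PUBLISHED_ALLOWLIST[origin];
  const warnings = [];
  let blocked = false;

  // Unknown selector: refuse the non-standard transaction outright.
  if (method === null) {
    return { method, decision: "block", warnings: [origin + " asked you to sign an unrecognised contract call."] };
  }
  if (!policy) {
    warnings.push(origin + " has not published which contract interactions it initiates; review every field before signing.");
  } else if (!policy.allowedMethods.includes(method)) {
    blocked = true;
    warnings.push(origin + " does not list " + method + " among the calls it initiates.");
  }

  if (method === "setApprovalForAll(address,bool)" && words.length >= 2) {
    const operator = wordToAddress(words[0]);
    if (wordToBool(words[1])) {
      // This is the collection-wide grant the article describes; say so explicitly.
      warnings.push("Signing lets " + operator + " move every token you hold in collection " + tx.to + ", now and in the future.");
      if (policy && !policy.allowedOperators.includes(operator)) {
        blocked = true;
        warnings.push(origin + " has not published " + operator + " as an operator it uses.");
      }
    }
  } else if (method === "approve(address,uint256)" && words.length >= 2) {
    // Single-token grant (the uint256 is the token id for ERC-721).
    const spender = wordToAddress(words[0]);
    warnings.push("Signing lets " + spender + " move token #" + BigInt("0x" + words[1]).toString() + " from collection " + tx.to + ".");
    if (policy && !policy.allowedOperators.includes(spender)) {
      blocked = true;
      warnings.push(origin + " has not published " + spender + " as an operator it uses.");
    }
  }

  return { method, decision: blocked ? "block" : warnings.length ? "warn" : "allow", warnings };
}
```

A wallet would surface the `warnings` array in place of the neutral approval text and refuse to open the signing dialog at all when the decision is `block`; a page that was compromised on the client side but still serves the marketplace's published policy therefore cannot slip in an approval for an operator the marketplace never declared.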
3. How users can minimize risk
The simplest, yet incredibly crucial, step a user engaged in the NFT space can take is to closely review the transaction details before approving anything. Think of it in the same way we review bank transactions.
Yet another thing to consider is having a number of wallets to diversify the risk, or even using different wallets to interact with different platforms. If a user spreads their digital assets across different wallets, the others remain safe even if one is compromised.
Unfortunately, in the end, there is no 100 percent foolproof solution to keeping the scammers at bay. But these tips, if deployed properly, could prevent a number of exploits from taking place. And while better solutions are on the horizon — platforms such as Premint claim there may be a new and bright future once the new version of the Web is fully integrated — Web3 is likely to carry over some of the security gaps that the Web 2.0 we use today embodies. While there is no silver bullet to discourage hackers, being more mindful of the threats as well as steps to increase security would result in an overall less vulnerable market.
Indrė Viltrakytė is the co-founder and CEO of the Web3 fashion venture The Rebels. With 10+ years of experience working with IRL fashion brands, Indrė is currently focused on leveraging her long-time industry knowledge to bridge the gap between digital and physical fashion in the metaverse.