While securing a non-fungible token (NFT) might sound like a good idea, doing so comes with cybersecurity risks for buyers. Anyone getting into this alternative investment type should understand the cyberthreats they’re up against.
A reentrancy attack exploits a vulnerability to force smart contracts into infinite loops. Since these self-executing agreements execute imperatively — meaning
If the called contract is malicious, it can make recursive callbacks. Since the caller must pause its code execution until its call returns, it’s forced to execute the original line of code repeatedly without updating its balance. Bad actors can exploit this function to steal NFTs within moments, potentially allowing their attack to go unnoticed initially.
Since NFTs are unregulated and decentralized, owners must rely on others in the community for help. Many who experience technical issues they can’t figure out go to Discord, Reddit, or Telegram for assistance. Unfortunately, some individuals on those platforms are there for the wrong reasons. They take advantage of people’s trust and lack of knowledge to steal their assets.
Centralized platforms can be hacked like any other third-party marketplace, making them significant cybersecurity risks for NFT buyers. Although
Marketplace hacks have happened before and will likely happen again. For instance, a hacker
A denial-of-service attack is among the most significant cybersecurity risks for NFT buyers. It involves an attacker using recursive callbacks to block smart contracts from returning to the state they were in before the transaction began to execute. This results in unlimited resource usage and permanently blocks the function.
In a rug-pull scam, a bad actor convinces others they’ll get a great return on investment if they buy into a certain stock, cryptocurrency, or NFT project. Once they get enough people to fund their idea, they disappear. This type of con has happened multiple times in this community because it’s unregulated.
In 2022, Ethan Nguyen and Andre Llacuna created Frosties, an ice-cream-themed NFT collection. Reportedly, they
Although the two men were later arrested for fraud and money laundering, the people who had bought into Frosties were still out their hard-earned money — and their NFTs were virtually worthless. Rug-pull scams are common, even if most aren’t as lucrative. If an investment sounds too good to be true, it probably is.
When smart contracts access or receive data from an outside source via an oracle — a third-party service that connects the blockchain to external systems — they become vulnerable to hacks. An attacker can forcibly trigger transactions to steal an NFT before the owner realizes something is wrong.
Scammers can easily plagiarize or steal artwork. Their item’s URL and wallet address won’t align with the original, but it may still be convincing enough. People who think they’ll never fall for such a thing are mistaken — even the most widely used platforms are full of fakes. In 2022, OpenSea announced
In a two-part phishing attack, an attacker takes over a social media account by tricking a well-known figure in the industry into clicking on a malicious link or attachment. When they gain control, they post about a limited-time deal or a live drop alongside a second malicious link. A large percentage of followers will likely believe it’s legitimate.
As soon as they click on the link, the attacker can view their credit card information as they type it in, take over their social media account, or empty every NFT from their digital wallet. In the worst-case scenario, all three possibilities occur — meaning no one can comment on the post warning others that it’s a phishing attack.
Fraudulent marketplaces are either fake and made to look real or are convincing copies of legitimate platforms. Since
A pump-and-dump scam is one of the biggest cybersecurity risks for NFT buyers. It involves a bad actor artificially inflating their collection’s value. They make it look like a great investment, prompting real people to buy into it. From there, the value increases exponentially — but only temporarily. Once it peaks, they suddenly sell everything, rendering the rest valueless.
Since NFT digital wallets are supposed to store assets, any vulnerabilities can put an owner’s entire collection at risk. Unfortunately, they’re not as secure as many people think. For instance, web-based versions connected to the internet are vulnerable to man-in-the-middle attacks. Those on mobile devices can also be hacked.
Whether a digital wallet stores tokens or holds a private key that gives the owner access to their items on the blockchain, it serves as their last line of defense. Unless they keep their app updated, stay off public Wi-Fi, and keep their device in their possession, hackers can exploit vulnerabilities and steal their collection.
There are tons of cybersecurity risks for NFT buyers — especially those who are new to the community and don’t know the common cyberthreats. They must remain vigilant and wary of anything they’ve never encountered to protect their digital wallet and personal data.