Hackers decamped with a whopping $12 billion worth of non-fungible tokens (NFTs) in 2021, a staggering blow to the nascent DeFi industry struggling to bolster its cybersecurity, says a recent report.
The report, prepared by London-based blockchain analytics firm Elliptic, highlights the trends involving NFT frauds, from price manipulation and money laundering to DeFi hacks, across geographies.
The document, titled ‘NFT Report 2022’, released on August 26, 2022, points to the dangers lurking in the DeFi world and advises people how they could exercise caution while doing crypto transactions.
“There is always potential for a malicious individual to identify a loophole, vulnerability or faulty function within the layers of code necessary for a DeFi platform to run effectively. Therefore auditing a code before it interacts with users’ funds is considered a good practice,” it stressed.
The DeFi protocols include NFT marketplaces and projects that use smart contracts, which auto-execute agreements based on predefined conditions. The report said that NFT-based DeFi services aren’t immune to hacking attacks and “on occasions been at the forefront of attacked services.”
A prime example of this could be the attack on Axie Infinity, an NFT-based DeFi gaming application, in which the North Korea-based hacker group Lazarus stole around $540 million worth of cryptocurrency.
The Axie Ronin bridge hack is the world’s second-largest such attack by value.
In November 2021, Elliptic estimated that the total value locked in DeFi was $247 billion.
NFT DeFi Hacking Trends
The report showed that between 2020 and 2021, the industry lost $260 million from private key thefts across the NFT and NFT-DeFi protocols.
DeFi platforms still grant developers certain rights to alter their smart contract code so that “vulnerabilities are patched effectively without waiting for approval by a consensus of users,” it said. Such developer privileges are abused by hackers to conduct rug pull scams and large withdrawals.
The report observed that hackers obtain developers’ private keys “through social engineering efforts,” in which the developers inadvertently reveal the keys to criminals. As part of this modus operandi, hackers contact the victims on social media under a false pretence to steal their confidential information.
NFT projects usually initiate airdrops to create hype or increase the prices of NFTs. They do this by taking a snapshot of token holdings at a given time before distributing the rewards. The process is called an airdrop because the developers drop the rewards for free to holders who meet certain criteria.
“Depending on how they (airdrops) are coded or organised, exploiters may find ways to participate in airdrops to which they are not entitled or claim more tokens/NFTs than intended. Botched airdrops are common across the wider crypto asset space and are not limited to NFTs,” the report said.
Citing an example, the report said that the airdrop of Bored Ape Yacht Club NFT collection led to a loss of $1.1 million in a single transaction.
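As an added illustration of why the snapshot step matters (this is not code from the Elliptic report or the page), the following plain-Python model puts a weak airdrop claim design beside a hardened one: the hardened version freezes entitlement at the snapshot and records claims, while the weak version reads live balances and keeps no record. The ledger, addresses and reward value are constructed for the example.

```python
# Model of a snapshot-based NFT airdrop: claim logic must be bound to the
# snapshot and must record claims. Constructed example, all values made up.
REWARD_PER_NFT = 100  # reward tokens per NFT held at snapshot time (assumed)


class SnapshotAirdrop:
    """Hardened design: entitlement frozen at the snapshot, one claim per address."""

    def __init__(self, ledger):
        self.ledger = ledger              # live balances, may change later
        self.snapshot = dict(ledger)      # frozen copy at the snapshot block
        self.claimed = set()
        self.distributed = 0

    def claim(self, addr):
        amount = self.snapshot.get(addr, 0) * REWARD_PER_NFT
        if amount == 0:
            raise ValueError(f"{addr} not in snapshot")
        if addr in self.claimed:
            raise ValueError(f"{addr} already claimed")
        self.claimed.add(addr)            # record before paying out
        self.distributed += amount
        return amount


class LiveBalanceAirdrop:
    """Weak design: entitlement read from live balances, claims not recorded."""

    def __init__(self, ledger):
        self.ledger = ledger
        self.distributed = 0

    def claim(self, addr):
        amount = self.ledger.get(addr, 0) * REWARD_PER_NFT
        self.distributed += amount
        return amount


def excess_payout(airdrop, steps):
    """Replay ('claim', addr) / ('transfer', src, dst, n) steps and return how
    far the payout exceeds the budget implied by the starting holdings."""
    budget = sum(airdrop.ledger.values()) * REWARD_PER_NFT
    for step in steps:
        if step[0] == "claim":
            try:
                airdrop.claim(step[1])
            except ValueError:
                pass                      # rejected claim pays nothing
        else:
            _, src, dst, n = step
            airdrop.ledger[src] -= n
            airdrop.ledger[dst] = airdrop.ledger.get(dst, 0) + n
    return max(0, airdrop.distributed - budget)
```

An auditor's invariant is that `excess_payout` returns 0 for every sequence of claims and transfers; the weak design fails it as soon as the same NFTs are claimed against twice.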
NFT Marketplace Code Exploits
NFT marketplaces are of two types: centralised and decentralised. The centralised marketplaces store NFTs and ownership information “off-chain unless a user seeks a withdrawal.” In off-chain transactions, the data is stored in a private address, not visible to other members of the blockchain.
On the other hand, decentralised marketplaces are governed by smart contracts and are prone to code exploits. The report said that NFTs stored in escrow by marketplaces could be at risk, such as unintentional listings, transfers or purchases.
Application Programming Interface (API) Exploits
NFT platforms interact with their respective blockchains through smart contracts. However, most of them offer a user-friendly no-code front-end interface to make transactions easier for users. NFT transactions are carried out through the interactions between the front-end and backend interfaces.
The report noted that delays in communication between the front-end and backend interfaces could cause an NFT platform to malfunction. The report said that the API exploit of the NFT marketplace OpenSea in January 2022 is a case in point.