Security Secrets of NFTs According to NIST

masteryweb3_admin

In the realm of blockchain technology, Non-Fungible Tokens (NFTs) have emerged as a revolutionary asset class, offering unique digital ownership experiences. However, with innovation comes the imperative need for security.

The NIST Internal Report on NFT Security delves deep into the intricacies of safeguarding these digital assets.

Let’s embark on a journey through the key elements of this insightful report, unraveling the essential security considerations for NFTs.

Understanding NFTs

Non-fungible token (NFT) technology enables the sale and exchange of real assets, both virtual and physical, on a blockchain by creating unique blockchain tokens for each asset. These tokens are managed by blockchain smart contracts, facilitating secure transfers between blockchain accounts.

NFT ownership verification is straightforward due to the strong cryptographic foundation of this architecture. NFTs are commonly used for various purposes like photography, digital art, trading cards, and music.

Typically, buyers purchase the right to “autograph” a digital asset with a blockchain ledger entry, although ownership rights are not always transferred. NFTs may eventually support secure records of physical asset sales and have utilitarian uses like voting rights and memberships.

The NFT market experienced significant growth in 2021, reaching $18 billion, with notable high-priced transactions. The publication evaluates NFT technology, focusing on smart contract representation, sales, and associated blockchain aspects, identifying 27 potential security concerns.

Legal issues related to NFTs, such as ownership rights and copyright, are complex and evolving, with legal precedent yet to be fully established. The publication provides a descriptive definition of NFTs, outlines their properties, and discusses security considerations. Legal discussions are excluded from the paper, which primarily concentrates on the technological aspects of NFTs, emphasizing security concerns and the need for secure NFT implementations.

Background on Blockchain and Tokens

Blockchains are described as tamper-evident and tamper-resistant digital ledgers that operate in a distributed manner without a central authority. They consist of distributed digital ledgers of cryptographically signed transactions grouped into blocks, with each block cryptographically linked to the previous one to ensure tamper resistance.

Smart contracts, as defined by NIST IR 8202, are collections of code and data deployed on the blockchain network through cryptographically signed transactions. These programs run on a blockchain, processing transactions and recording state while benefiting from the blockchain’s cryptographic security.

Tokens, in the context of cryptocurrencies, are digital records representing assets managed by smart contracts and stored on a blockchain. They are not typically transferable between smart contracts, being tied to specific blockchain smart contract addresses. Tokens can represent various assets like cryptocurrency or digital artwork.

There are two types of tokens: fungible and non-fungible.

  • Non-fungible tokens (NFTs) are unique and not interchangeable, representing assets such as digital art.
  • Fungible tokens are identical and interchangeable, and are often used for smart-contract-managed cryptocurrencies such as stablecoins. They are commonly represented using standards like ERC-20 on Ethereum or similar standards on other blockchains.

NFT Properties and Security Considerations

The report identifies 11 key properties of NFTs, including recorded, owned, transferable, and unique.

The document discusses various aspects of Non-Fungible Token (NFT) security, focusing on potential vulnerabilities and considerations related to NFT properties and management. Here are the key points summarized:

  1. Asset Linkage and Security Concerns:
    • Issues can arise if the public table maintaining asset URLs fails or is tampered with, delinking NFTs from their assets.
    • Attackers could manipulate the public link table to swap valuable NFT assets for cheaper ones, or delink NFT owners from their assets, without changing the blockchain or the smart contract.
  2. Physical NFTs and Legal Considerations:
    • Physical NFTs link to physical assets using unique identifiers physically attached to the object, raising legal questions about how such linkages are established to prevent fraud.
  3. Blockchain-Provided Properties:
    • Recorded: NFT state recorded on a blockchain provides benefits like provenance, permanence, and immutability.
    • Provenance: Blockchains track token ownership history, aiding in validating token authenticity.
    • Permanence: The blockchain’s decentralized storage ensures near-permanent data recording, with exceptions such as burning NFTs or self-destructing smart contracts.
    • Immutable: Blockchains aim for immutability, but vulnerabilities in smart contracts could potentially alter NFT data records.
  4. Human Management-Provided Properties:
    • Unique: NFT smart contracts ensure uniqueness of data records, but multiple NFTs can be linked to the same asset.
    • Authentic: Purchasers rely on smart contracts and NFT marketplaces to ensure the authenticity of linked assets.
    • Authorized: Smart contracts restrict NFT sale to current owners, but legal authorization for selling linked assets is a separate issue.

These points highlight the importance of addressing security concerns, legal implications, and technical considerations in the design and implementation of NFTs to ensure a robust and trustworthy ecosystem.

Potential Security Concerns

The section highlights 27 potential security concerns related to NFT ownership and smart contract management, categorized by NFT property:

  1. Owned:
    • NFT purchasers may be misled into thinking they are buying an asset when they are acquiring a smart contract data record.
    • Smart contracts could create tokens linked to assets without legal authority.
    • Compromised blockchain accounts could lead to malicious actors transferring NFTs to their addresses.
    • Stolen tokens may be sold immediately by malicious actors, making restoration difficult.
  2. Transferable:
    • Lack of mechanisms to restore stolen tokens to rightful owners.
    • Smart contracts enabling managers to manipulate tokens.
    • Coding errors in smart contracts enabling token theft.
  3. Indivisible:
    • Fractional ownership introduces additional vulnerabilities.
    • Owners of fractional shares may not be aware of potential forced buyouts.
  4. Linked:
    • Inaccurately stored metadata can delink NFTs from assets, rendering them worthless.
    • Server errors leading to unavailability of digital assets can delink NFTs.
    • Compromised off-blockchain tables could delink NFTs from assets.
  5. Recorded:
    • NFT owners may not realize their account information is public on the blockchain.
    • Blockchain accounts can be de-anonymized through personally identifying information.
  6. Provenance:
    • Possibility of attacks altering blockchain history.
  7. Permanence:
    • Accidental or malicious burning of NFTs.
    • Self-destructing smart contracts destroying managed NFTs.
  8. Immutable:
    • Vulnerabilities in smart contract code enabling data record changes.
    • Blockchain changes or splits leading to duplication of NFT contracts.
  9. Unique:
    • Lack of awareness regarding multiple sales of the same NFT.
    • Simultaneous sale of the same asset by multiple NFT exchanges.
  10. Authentic:
    • Possibility of selling forged assets linked to NFTs.
  11. Authorized:
    • Sellers may not be authorized to sell NFTs linked to specific assets.
    • Buyers may not receive the expected rights over linked assets when purchasing NFTs.
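The "Linked" concerns above (and the link-table tampering described under Asset Linkage) all come down to the same gap: an on-chain token points at an off-chain asset through a mutable URL, so a failed server or a swapped file is invisible to the chain. The following added example (not from the NIST report or any project) shows one defensive check a marketplace or wallet could run: pin a content hash of the asset into the token metadata at minting time and re-verify it whenever the asset is fetched. The `asset_sha256` metadata field and the sample bytes are assumptions constructed for this example.

```python
import hashlib
from typing import Optional


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of the raw asset bytes."""
    return hashlib.sha256(data).hexdigest()


def pin_metadata(name: str, asset_uri: str, asset: bytes) -> dict:
    """Build token metadata that records a content hash of the linked asset.

    'asset_sha256' is a hypothetical field assumed for this example; many
    projects achieve the same effect with content-addressed URIs (ipfs://CID).
    """
    return {"name": name, "image": asset_uri, "asset_sha256": sha256_hex(asset)}


def verify_linkage(metadata: dict, fetched_asset: Optional[bytes]) -> str:
    """Classify the state of an NFT's link to its off-chain asset.

    Returns one of:
      'unpinned'  - metadata carries no hash, so a swapped asset is undetectable
      'delinked'  - the asset could not be fetched (server error / table failure)
      'swapped'   - the fetched bytes differ from what was pinned at minting
      'ok'        - the asset matches the pinned hash
    """
    expected = metadata.get("asset_sha256")
    if expected is None:
        return "unpinned"
    if fetched_asset is None:
        return "delinked"
    if sha256_hex(fetched_asset) != expected.lower():
        return "swapped"
    return "ok"


# Constructed sample data: stand-ins for the original artwork and for a
# cheaper file an attacker might substitute via a tampered link table.
ORIGINAL_ASSET = b"\x89PNG constructed stand-in for the original artwork bytes"
SWAPPED_ASSET = b"\x89PNG constructed stand-in for a cheaper substituted file"
METADATA = pin_metadata(
    "Example Artwork #1", "https://assets.example.test/artwork-1.png", ORIGINAL_ASSET
)

if __name__ == "__main__":
    cases = [("original", ORIGINAL_ASSET), ("swapped", SWAPPED_ASSET), ("server down", None)]
    for label, fetched in cases:
        print(f"{label:12s} -> {verify_linkage(METADATA, fetched)}")
```

The check only detects tampering after minting; metadata that was already wrong when pinned, or that never carried a hash, is reported as 'unpinned' rather than 'ok', which is the case a buyer should treat as unverifiable.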

Notable NFT Standards

NFT standards are essential for defining unique tokens in the cryptocurrency space, allowing for easy adoption by exchanges, smart contracts, and user wallets. These standards are typically represented in code form with mandatory functions and are community-driven rather than associated with formal standards bodies. Ethereum Request for Comment (ERC) standards, such as ERC-20 and ERC-721, serve as the basis for token management across various blockchain platforms.

  • ERC-20: This standard defines fungible tokens with interchangeable properties. It includes functions for token transfers, approvals, and event emissions for transparency.
  • ERC-721: In contrast, ERC-721 focuses on non-fungible tokens, each representing a unique asset. It includes functions for token ownership, approvals, and safe transfers to ensure compatibility with recipient contracts.

Additionally, there are other NFT standards like ERC-1155, ERC-2309, ERC-4400, and ERC-4907, each offering unique functionalities such as managing multiple token types, consecutive token transfers, consumer roles, and rental NFTs, respectively. These standards play a crucial role in shaping the NFT ecosystem and ensuring interoperability across different platforms and use cases.

NFT Marketplaces

NFT marketplaces serve as platforms where users can engage in buying, selling, and creating NFTs. These marketplaces, which emerged around 2017, play a crucial role in the NFT ecosystem by facilitating transactions and interactions with digital assets. While the security analysis of NFT marketplaces is beyond the scope of the publication, it is noted that these platforms have a distinct attack surface separate from NFT smart contracts, making them potential targets for hacking activities.

Users can acquire NFTs through direct purchases, auctions, or offers within these marketplaces. Depending on the marketplace’s approach, users either connect their own cryptocurrency wallets, in decentralized finance (DeFi) models, or use custodial wallets provided by the exchange, in centralized finance (CeFi) models. In DeFi, users hold their own cryptographic keys and therefore control their NFTs directly, while in CeFi the exchange acts as custodian and holds users’ NFTs on their behalf.

Both DeFi and CeFi models present security challenges, as malicious entities could compromise user-owned wallets or custodial systems, leading to potential asset loss. While there is no guaranteed security for crypto assets, users are advised to secure their wallets diligently. NFT marketplaces typically accept cryptocurrency as the primary form of payment due to smart contracts managing NFT data and the regulatory complexities associated with fiat currencies. Maintaining a decentralized model is a priority for many marketplaces, even though some may offer traditional payment methods with additional processing fees.


In conclusion, the NIST report underscores the significance of robust security practices in the NFT space. By adopting a systematic security approach and addressing potential concerns upfront, the integrity and trustworthiness of NFTs can be preserved.

While further research is warranted, the report affirms the resilience of NFT technology when coupled with stringent security measures.
