Non-fungible tokens (NFTs) are a creative way to prove ownership of digital files. Because NFTs have unique metadata codes stored on the blockchain, each is a one-of-a-kind digital asset with astronomical value potential. For example, 26,000 collectors bought The Merge, a Pak NFT, for $98.1 million in December 2021. That incredible transaction reflects a trend, not an anomaly — the NFT market surpassed US$40 billion by the end of 2021.
But it would be unwise to ignore the risks involved with NFTs. NFTs are a lucrative investment, but they are vulnerable to increasingly savvy attacks. Many NFTs simply contain a URL that points to where the actual data is stored, often on a centralized server susceptible to hacking. To combat the explosion of NFT scams and the negativity in the media, NFT data needs to be stored on-chain.
Why NFTs are vulnerable to hacks
Nearly a year ago, hackers attacked Nifty Gateway, one of the most trusted NFT marketplaces in the industry. Attackers targeted Nifty Gateway accounts that lacked two-factor authentication, stealing thousands of dollars worth of NFTs. The hackers transferred NFT ownership to their holdings, preventing the legitimate owners from recovering their digital assets.
Since that shocking attack, NFT scammers and hackers have become more effective. The Nifty Gateway digital art heist cost collectors and creators thousands of dollars. More recent attacks have cost hundreds of thousands of dollars. As the NFT market grows, the cost of scams and attacks on NFT marketplaces will grow with it.
Last month, attackers stole 245 tokens worth US$1.7 million from OpenSea, another NFT marketplace. Attackers used smart contracts to transfer ownership from legitimate OpenSea users to their own accounts. Because the targets of the attack had already signed the contracts, the thefts became authorized transfers on the blockchain. Once again, the original NFT owners may not be able to recover possession.
If blockchain technology supports NFTs, why are NFTs so vulnerable?
Crypto enthusiasts evangelize the blockchain’s inherent security because data already entered into a block cannot be altered or deleted. In other words, once a transaction is recorded on the ledger by smart contract or otherwise, it is permanently and publicly visible. Blockchain technology should prove NFT ownership. So how is it even possible for a hacker to steal an NFT?
A digital asset becomes an NFT when a miner adds its identifier to the blockchain. This is called “minting.” A digital image is not truly an NFT until this process occurs. But minting an NFT on the blockchain expends a tremendous amount of energy. Miners charge a one-time, upfront “gas” fee to compensate for the cost. Gas fees fluctuate and are based on a percentage of an NFT’s initial and secondary sale price, which can be between 3 and 15%.
Storing NFT data on-chain is expensive, which is why many NFT mints don’t do it. But the future of investing is in digital assets, and minting NFTs on-chain may be worth the cost to maximize security.
How being on-chain can protect NFTs
Imagine buying an NFT, using it as your profile picture, and then suddenly discovering that it’s vanished. Where did it go? The marketplace where you purchased the image closed down or removed it from their site. If you didn’t pay miners to mint your NFT, it lives at the marketplace’s mercy.
There are a few reasons for NFT-related security issues, none more impactful than using centralized platforms like OpenSea or Nifty Gateway. To interact with the digital image, creators and collectors buy and sell NFTs on these digital marketplaces because what’s stored on the blockchain is typically just the image’s identifier — like its address on the blockchain or a hash of the image — not the actual image file.
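The check below is an added example, not code from the original article: it reads a token's metadata URI and reports whether the metadata and the image it names are embedded on-chain, addressed by content hash, or hosted on a centralized server, and it compares a fetched file against a recorded hash. It assumes the URI resolves to JSON metadata with an "image" field, that on-chain data appears as a data: URI and content-addressed data as an ipfs:// URI; the function names and sample values are constructed for illustration.

```python
import base64
import hashlib
import json
from urllib.parse import unquote_to_bytes, urlparse

def classify_uri(uri: str) -> str:
    """Say where the bytes behind a URI live, judged by its scheme."""
    scheme = urlparse(uri).scheme.lower()
    if scheme == "data":
        return "on-chain"           # payload is embedded in the URI itself
    if scheme == "ipfs":
        return "content-addressed"  # off-chain, but the address is a hash of the content
    if scheme in ("http", "https"):
        return "centralized"        # whoever runs the server can change or remove it
    return "unknown"

def decode_data_uri(uri: str) -> bytes:
    """Return the payload of a data: URI (base64 or percent-encoded)."""
    header, _, payload = uri.partition(",")
    if header.endswith(";base64"):
        return base64.b64decode(payload)
    return unquote_to_bytes(payload)

def audit_token(token_uri: str) -> dict:
    """Classify the metadata location and, when readable offline, the image location."""
    report = {"metadata": classify_uri(token_uri), "image": "unverified"}
    if report["metadata"] == "on-chain":
        meta = json.loads(decode_data_uri(token_uri))
        report["image"] = classify_uri(str(meta.get("image", "")))
    return report

def matches_recorded_hash(file_bytes: bytes, recorded_sha256: str) -> bool:
    """Compare a fetched file with the SHA-256 hex digest recorded for the token."""
    return hashlib.sha256(file_bytes).hexdigest() == recorded_sha256.lower()

def to_data_uri(mime: str, data: bytes) -> str:
    """Build a base64 data: URI (used here only to construct the samples)."""
    return f"data:{mime};base64," + base64.b64encode(data).decode()

# Constructed samples, not real tokens.
IMAGE = b"<svg xmlns='http://www.w3.org/2000/svg'/>"
ONCHAIN_URI = to_data_uri("application/json", json.dumps(
    {"name": "Sample #1", "image": to_data_uri("image/svg+xml", IMAGE)}).encode())
MIXED_URI = to_data_uri("application/json", json.dumps(
    {"name": "Sample #2", "image": "https://marketplace.example/img/2.png"}).encode())
HOSTED_URI = "https://marketplace.example/api/token/3"

if __name__ == "__main__":
    for uri in (ONCHAIN_URI, MIXED_URI, HOSTED_URI):
        print(audit_token(uri))
```

The second sample is the case worth noticing: the metadata itself is on-chain, yet the image it points to still sits on a server the marketplace controls.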
Many centralized platforms store digital assets that only mint when purchased. Known as “lazy minting,” this approach makes NFTs more affordable for creators. At the same time, it puts their digital assets at tremendous risk of theft. An NFT’s real value comes from its assimilation into the blockchain. Creators who submit their NFTs without minting them are submitting unprotected digital files, which enables threat actors to upload and timestamp a digital file to Ethereum or another public processing protocol.
In addition to threatening digital artists’ collections, lazy minting exacerbates plagiarism issues for traditional artists. NFT marketplaces that allow lazy minting are playgrounds for scammers, who can steal digital art from online galleries, websites, and social media accounts — and then create dozens of plagiarized NFTs waiting for someone to buy one. NFTs have tremendous potential to protect art ownership, but lazy minting runs entirely counter to this goal.
Yes, there are benefits to lazy minting. It’s initially more affordable for creators because it reduces the upfront cost of creating NFTs. It also solves the frustrating problem of paying high gas fees for NFTs no one buys. That said, the savings may be a drop in the bucket compared to the losses a creator can face if a hacker steals a valuable digital asset before they add its data to the blockchain. In other words, the upfront costs of storing as much NFT data on-chain as possible are worth it, especially from a security standpoint to ensure the provenance of master ownership rights.