Discover how secure are NFTs and what security measures you can take to make your investment safer.
A popular way to earn crypto and be a part of the blockchain is to own an NFT. This trend of collecting, minting, selling, and purchasing digital assets or non-fungible tokens (NFTs) is still in its infancy, so many people are wondering how secure are the NFTs.
If you are looking for the best information on the possible risks and a way to protect your collections, you are in the right place.
How Secure Are NFTs?
NFTs as digital assets are considered a safe investment, but like any digital asset or crypto, they’re susceptible to scams, hacks and loss through user error.
When the NFTs were created in 2012 on the Bitcoin blockchain, there was a challenge in storing the images online due to storage limitations. This limit was one of the reasons NFTs were stored as web addresses or hash that would serve as identifiers to the image
So, an owner of the NFT is not buying the actual image but rather an identifier that leads to an URL online or to the Interplanetary File System (IPFS).
Read our guide: What is IPFS?
In 2017, NFTs like the CryptoPunks began minting on the Ethereum blockchain using the ERC-721 token was invented. While this was good news for the expansion of the NFTs, it’s brought up many security questions like hackers, bugs, rug pulls, and wallet security.
Read our NFT timeline
What Are the Main Risks Associated With NFTs?
NFTs are data units stored online, but unlike other cryptocurrencies, they are non-fungible, meaning they can’t be interchangeable.
While the NFTs can’t be replicated and have one owner at a time, they are a few examples of security issues that occurred in the past, and even Crypto Punks, as one of the most established NFTs, had some bugs in 2017, as evidenced when NFT historians unearthed CryptoPunks version one in early 2022.
Here are some of the main risks associated with NFTs to look out for:
It might sound impossible, but even with high-security options and modern technology NFTs can still disappear. For example, the 3LAU music album sold for millions of dollars as NFT on NiftyGateway.
While you can still find a copy of the album file, the NFT of this digital asset is only available via a centralized served… and not as an NFT. In other words, is this server goes offline, the NFT disappears.
NFTs can go missing for various reasons, including a faulty link from the smart contract to the asset. In addition, the NFT can be stored on a centralized provider such as Cloudinary, so if the company shuts down, all the NFTs will become unavailable.
Rug pulls are a popular and malicious ways to scam NFT enthusiasts.
The problem with rug pulls is the appearance of the fantastic project that most investors are looking forward to being a part of. Creators then “pull a rug” and disappear with the money without giving the promised art.
Considering that the NFT can be just a link to a URL, whatever is stored on the said URL can be changed. One of the most famous and recent scams and rug pulls happened when the artist Neitherconfirm intended to show how simple it is to manipulate investors and the art generated and sold as NFTs.
Read our guide explaining what is a rugpull in NFTs?
Smart Contract Vulnerabilities
A smart contract governs each NFT. These contracts are essentially little code containers in which developers may create micro-apps. This allows for things like royalty payments, but the code within may be anything, including deceptive frauds or malware.
Even the famous Meebit collection of 3D digital avatars had a problem with malicious attacks and smart contract problems. The hacker manipulated the smart contract, and rerolled 365 times until they minted the much rarer Meebit #16647. The hacker then sold this NFT for a $700,000.
NFTs are minted, sold, and bought on platforms such as OpenSea and Nifty Gateway. If the platform’s security is compromised, a hacker can potentially exploit the person’s wallet and steal an NFT
While platforms invest a lot in cyber security, in March 2021 several accounts were compromised on Nifty Gateway, and the attackers got hold of several NFTs and sold them for a profit. While the Nifty Gateway team returned the money to damaged users, the NFTs were never recovered.
In addition, many users are not being too careful with password strength, 2-Step Verification, or clicking on suspicious links that can lead to wallet insecurity and complete loss of the NFT collections.
If you’re minting an NFT, connect your wallet to a website and sign the wrong type of contract, a hacker can potentially exploit the smart contract and drain the MetaMask or software wallet of funds an NFTS. For this reason, it’s safer to use one wallet for minting and another wallet for cold storage.
Hackers and scammers regularly target popular Discord communities. Examples of hacked Discords include Anonymice, Doodles, and Azuki. When a scammer gains access to a Discord, they can post suspect announcements about mints and encourage users to connect to their wallets. Owners can then find their wallet is drained of funds if they approve the subsequent smart contract. Or they may simply lose some Eth by minting a dubious NFT,
NFT Security Tips
Blockchain technology might be advanced, but it’s still risky to own and trade cryptocurrencies and NFTs. Most of the time, the users will have a fantastic experience, and the majority of NFTs have never been compromised.
But, considering the popularity of the non-fungible tokens, it’s a good idea to get familiar with a few tips and tricks to safeguard your assets. Here are a couple of suggestions:
Don’t share your seedphrase: Your passwords and recovery phrases need to be strong and kept safe from everyone. If you get an offer to disclose your information in return for any amount of crypto or NFTs, consider it a red flag and block the sender. Never get on a call or share your screen with anyone professing to represent support either.
Watch for wallet hacks: If you store your assets in an NFT wallet, download a wallet browser extension from the provider’s website. Check the reviews and developer information before installing an app to ensure you’re not receiving a scam.
Don’t click on broken or suspicious links: Avoid being scammed by offers and links sent via Twitter, Discord, or email. This is one of the easiest ways to allow hackers access to all of the information they need.
Use Two-Factor Authentication (2FA): One of the easiest and safest ways to manage your accounts and wallets is to set up two-factor authentication. This way, you can use the Google Authenticator app on your phone for an extra layer of security.
Revoke smart contract approvals: You can easily manage your spending limits and approve transactions this way. It’s a safe way to ensure your assets are not spent without your permission. Use a site like Revoke.cash regularly to deauthorize web 3.0 tokens and sites.
Use multiple NFT wallets: It is good practice to use one wallet for minting NFTs and another wallet for cold storage. The cold storage wallet should always involve a hardware device like a Ledger or a Trezor. NFT buyers can also divvy up their NFTs between different wallets and addresses to complicate things for a would-be hacker.