The notion of non-fungible tokens (NFTs) has become one of the most popular topics in news and discourse over the past year. At their core, NFTs operate as a class of digital assets that are minted, sold, bought, and traded on the blockchain via an NFT marketplace. Each NFT comes integrated with a unique signature to verify its authenticity and uniqueness, as well as its chain of ownership, meaning that these assets (much like the cryptocurrencies they are bought with) are noninterchangeable.
However, no technology is inherently secure or infallible. Because NFTs are still a relatively new innovation, there are a number of risks associated with their creation, use, and trade. In this article, we’ll explore the cybersecurity issues surrounding NFTs and what we can do to address them.
The Downsides of Integrated Personally Identifiable Information
Much of what has made NFTs so popular as a newly emerging digital asset class are, in many cases, the same features that pose cybersecurity issues to them. For example, because each NFT and its chain of ownership can be verified via a unique identifier integrated into its code, a feature that draws many to NFTs, this means that many NFTs tend to contain an amount of personally identifiable information, or PII.
Since NFTs are a digital asset tied to the blockchain, which prevents stored data from being deleted or altered, their nature inherently counteracts with laws such as the California Consumer Privacy Act (CCPA) which allows individuals to delete or correct their personal information under certain circumstances. Furthermore, because laws such as these require users to be notified in the event of their PII being affected by a data breach, the breach of an NFT marketplace or theft of NFTs in it is bound to notify users of this. Yet, should hackers remove an NFT from a marketplace or website they breach, admins may not be able to ascertain whether or not any stolen NFTs contain PII, hindering the ability of users to regain control over their PII or even ownership over the NFTs they’ve purchased.
Additionally, once an NFT is minted or purchased, each individual NFT is stored within a digital wallet—typically the same one storing the cryptocurrency used to purchase them—which is accessed through a private key, akin to a traditional password. Should hackers obtain access to this key, they effectively become the owner of a user’s NFTs, especially if they transfer the NFT to a different marketplace. Since the original marketplace will see the “owner” (i.e., hacker) of the NFT transferred it to a new marketplace, this data becomes integrated into the blockchain, making it all but impossible for the true owner to verify authenticity. These examples, along with other recent scams involving cryptocurrency, make NFTs one of the currently most popular avenues for malicious actors to conduct identity fraud.
Complications with “Smart Contracts”
Another cybersecurity issue facing NFTs is due to their description as containing smart contracts. Unlike other smart contracts, which allow us to exchange or transfer assets without involving a middleman, when used with NFTs, the term does not equate to an offer being made, considered, or accepted; rather, it equates to the collection of digital data from a specific address in the blockchain. The inclusion of smart contracts within NFTs presents additional benefits as well as cybersecurity risks.
For instance, smart contracts allow NFTs to be authenticated as an original asset, granting users the ability to verify and track the asset’s ownership on the blockchain. Smart contracts integrated into NFTs also allow for the original creator of an NFT to integrate a clause into those contracts, allowing the creator to be paid a portion of royalties off of each future sale of the asset. As an example, digital artist Beeple included such a clause with his NFT collection, Everydays: The First 500 Days, which sold via auction at Christie’s for over $69 million last year, allowing him 10% in royalties from each sale.
Once these NFTs are moved off of their original marketplace, however, they—along with their integrated smart contract and chain of ownership—practically become impossible to track. In this event, there is essentially no legal binding for future purchasers to pay the original creator a portion of the sale made in royalties. An example of this occurred in 2017 with the original release of NFT digital art collection CryptoPunks, when a bug prevented the transfer of Ethereum cryptocurrency into sellers’ digital wallets. This prompted some attackers to purchase CryptoPunk NFTs and retrieve their Ethereum used for the purchase from the integrated contract, forcing CryptoPunks to relaunch with an updated and entirely new smart contract.
As with any newly emerging technology, the potential boons and risks associated with NFTs are still being scrutinized. While NFTs serve as the next evolution of digital assets that can be more easily controlled through the blockchain, lacking security measures and features can put NFTs, their creators, and those who purchase them at risk, pushing back the timeline for their broader adoption in other industries and consumer markets.
To add to this issue, there are currently no laws in effect that directly address or impact NFTs, their creation, sale, or transfer. Under U.S. law, if an NFT is considered “art,” then it can be resold or transferred practically at will without the reseller worrying about violating the terms of a smart contract. Although, if an NFT is considered as “software” and its smart contract terms are legally viewed as an end-user license agreement, this could constrict the ability for it to be resold. Until courts (and the greater legal system, in general) decide to tackle this issue, many risks regarding the verification of NFT ownership will likely continue.