Understanding Security Issues in the NFT Ecosystem

Non-Fungible Tokens (NFTs) have emerged as a way to collect digital art as well as an investment vehicle. Despite having been popularized only recently, NFT markets have witnessed several high-profile (and high-value) asset sales and a tremendous growth in trading volumes over the last year. Unfortunately, these marketplaces have not yet received much security scrutiny. Instead, most academic research has focused on attacks against decentralized finance (DeFi) protocols and automated techniques to detect smart contract vulnerabilities. To the best of our knowledge, we are the first to study the market dynamics and security issues of the multi-billion dollar NFT ecosystem. In this paper, we first present a systematic overview of how the NFT ecosystem works, and we identify three major actors: marketplaces, external entities, and users. We then perform an in-depth analysis of the top 8 marketplaces (ranked by transaction volume) to discover potential issues, many of which can lead to substantial financial losses. We also collected a large amount of asset and event data pertaining to the NFTs being traded in the examined marketplaces. We automatically analyze this data to understand how the entities external to the blockchain are able to interfere with NFT markets, leading to serious consequences, and quantify the malicious trading behaviors carried out by users under the cloak of anonymity.
