The Security of Marketplaces for NFTs

There’s a buzz around NFTs, and for the first time in history, we can create a digital proof of the ownership, copyright or creator of an artefact using a cryptographically signed token. Basically, it’s all part of the tokenization of data, where data now also covers physical assets.

And so, I’ve been reading this paper, which tries to understand the key security risks in using NFTs:

For this, they analysed the eight top NFT marketplaces, including OpenSea, Axie, CryptoPunks, and Rarible. We can see that OpenSea is by far the largest in trading volume, the number of assets and the number of events:

The OpenSea site is currently [here]:

In terms of the largest sales, we see that Beeple’s and CryptoPunks are top sellers, along with Tim Berners-Lee’s original Web code:

NFT Market Place Risks

Das et al. [1] give an overview of the NFT marketplace (Figure 1). This defines three key roles: Content Creator, Seller, and Buyer. We start with the Content Creator uploading their artefact to a hosting service and then authorizing a Seller. The Seller then lists the artefact on the Marketplace (dApp), which enables a smart contract to implement the sale. Initially, the NFT is minted onto a blockchain. The sale then transfers the ownership of the NFT associated with the artefact to the winner of the bid (through a token transfer within the smart contract). The Buyer then fetches the asset and the token.

Figure 1: Overview

Overall, the research paper analyses eight of the top NFT marketplaces and lists their risks. These are outlined in Figure 2, where “N” represents not applicable, “O” is optional, “P” is partial, and “M” is mandatory.

Figure 2: Market place risks

Within a marketplace, sellers can either be verified or not. It is likely that a verified seller would be more trusted than one which has not been verified. A collection can also be verified or not, and again a verified collection is more likely to be trusted. Figure 3 outlines the split between verified and non-verified sellers on OpenSea.

Figure 3: Verified and non-verified sellers and collections on OpenSea

Overall, the research paper outlines a number of risks:

Counterfeit NFT Creation. This risk relates to the creation of fake content, and the methods used include:

  • Similar collection names. This uses a name that is similar to the name of a real collection. Common approaches are: using similar-looking ASCII characters; adding a dot at the end of a name; or changing the case of letters, such as changing “CryptoSpells” to “cryptospells”.
  • Identical image URLs. This links a fake token to an identical valid image and tricks the user when searching for a token.
  • Similar images. This tricks the user by making a similar image to the real image.
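
A listing check for the three naming tricks described above, written from the marketplace's side. This is an added example, not code from the paper or from any marketplace; the lookalike map, the function names and the candidate listings are constructed assumptions, and NFKC normalization goes slightly beyond the ASCII cases the paper lists.

```python
import unicodedata

# Assumed, deliberately small lookalike map (constructed for this example):
# applied after case folding, so "I", "i", "l" and "1" all compare equal.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "i": "l", "5": "s", "3": "e"})

def skeleton(name):
    """Fold a collection name to a key that ignores the three tricks."""
    s = unicodedata.normalize("NFKC", name).casefold()
    s = "".join(ch for ch in s if not ch.isspace()).rstrip(".")
    return s.translate(LOOKALIKES)

def classify(candidate, verified_name):
    """Return the trick used to imitate verified_name, or None."""
    if candidate == verified_name:
        return None  # same string: tell collections apart by contract address
    if skeleton(candidate) != skeleton(verified_name):
        return None
    if candidate.casefold() == verified_name.casefold():
        return "case change"
    if candidate.rstrip(". ").casefold() == verified_name.casefold():
        return "trailing dot"
    return "lookalike characters"

def find_impersonations(candidates, verified):
    """Map each suspicious candidate name to (verified name, trick)."""
    hits = {}
    for cand in candidates:
        for real in verified:
            trick = classify(cand, real)
            if trick:
                hits[cand] = (real, trick)
                break
    return hits

# Real collection names mentioned above, treated here as the verified list;
# the candidate listings are constructed sample input.
VERIFIED = ["CryptoSpells", "CryptoPunks"]
CANDIDATES = ["cryptospells", "CryptoSpells.", "CryptoSpeIIs",
              "Crypt0Punks", "CryptoPunks", "PixelCats"]

if __name__ == "__main__":
    for name, (real, trick) in find_impersonations(CANDIDATES, VERIFIED).items():
        print(f"{name!r} imitates {real!r}: {trick}")
```

A name that matches a verified name exactly is not flagged here, since identical names can only be separated by the collection's contract address.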

Trading Malpractices. This includes:

  • Wash Trading. With this, the buyer and seller are in collusion, and artificially inflate the trading volume for an asset. This includes boosting the metrics that show an interest in an asset, or in getting a profile/asset verified.
  • Shill Bidding. With this, the seller artificially inflates the final price of an asset by getting others to bid for it or bidding themselves.
  • Bid Shielding. A malicious bidder places a low bid and then a high bid, which puts others off bidding. Then, just before the sale ends, the bidder retracts the high bid and leaves the low bid (and thus wins the bid with a low price).

In the analysis, the researchers found that most of the images stored in IPFS actually existed, while those stored in other places had a higher chance of not existing:

The results for wash trade, wash trading distribution, and shill bids are given next. A value of 0 for the wash trade shows no detection of wash trading, while 1.0 is almost certain wash trading. With shill bids, we can see that a significant number of collections have associated shill bids; for example, 38 collections had two shill bids:

Conclusions

NFTs could provide a way to transfer the ownership of assets, and smart contracts could control them. As they evolve, and especially as the marketplaces evolve, there will be many risks. Hopefully, we can sort these out and build a tokenized world. One thing is for sure: we need better regulations in order to protect users.

I recorded this from the BBC, where the Master of the Rolls in England outlined that, in the future, law could be enacted through smart contracts and house sales recorded on a blockchain (or an NFT):

References

[1] Das, D., Bose, P., Ruaro, N., Kruegel, C., & Vigna, G. (2021). Understanding Security Issues in the NFT Ecosystem. arXiv preprint arXiv:2111.08893.