Fairyproof’s Overview of the Security Audit of NFT Projects
NFT stands for “Non Fungible Token”. An NFT is a non-interchangeable unit of data stored on a blockchain[1]. An NFT differs from a commonly known ERC-20 token in that an NFT is uniquely identifiable. Therefore, activities such as trading associated with NFTs differ from those associated with ERC-20[2] tokens or fungible tokens such as Bitcoin or ETH.
A brand-new ecosystem has emerged around NFTs, and this ecosystem has seen tremendous growth and development, especially in 2021.
With the rapid development of the NFT ecosystem, security issues and risks have emerged. Some of them are unique to NFTs and differ from the issues or risks seen in ERC-20 token-related ecosystems, and they deserve more awareness.
Academic research on NFT security has been carried out by D. Das, P. Bose, N. Ruaro, C. Kruegel, and G. Vigna in their work[3].
However, practices with regard to the audit of NFTs have not been extensively explored or researched. Based on the research and study done by Fairyproof’s research team and the experience accumulated in auditing NFT-related projects, Fairyproof would like to share an overview of the audit of NFT projects.
If a project, application, or service interacts with an NFT, we view it as an NFT project, application, or service.
If we view any application or service that interacts with an NFT as part of a grand NFT ecosystem, the existing NFT ecosystem can be viewed as a whole made up of four components, according to the technical roles they play: the blockchains where NFTs are deployed; the NFT tokens, which are implemented according to different standards on different blockchains; the core business applications where business logic is implemented; and the affiliated services or applications that assist an NFT’s functioning.
With regard to the audit of an NFT project, all four of these components need to be covered and audited. Without a functioning underlying blockchain, the project loses its base and will not work at all. Without correctly designed and implemented smart contracts, the NFTs involved in the project will not work and the project will lose its core. Without correctly designed and implemented core business applications where the project’s business logic is implemented, the NFTs will just be “dead” tokens and the project’s ecosystem will not develop and grow. Without functioning affiliated services or applications, or with inappropriately selected or used ones, the NFTs will not work to their full potential.
Therefore, none of the four components should be neglected. We will examine the audit of each of these four components in the following sections of this article respectively.
1. Audit of Blockchains
For an NFT project whose NFTs are deployed on an established blockchain such as Ethereum, an audit of the blockchain can be skipped, since such a blockchain has already withstood enormous security challenges. Otherwise, the underlying blockchain must be audited; this audit cannot be skipped.
The methodologies for auditing a blockchain have been studied and researched extensively since the Bitcoin blockchain was up and running, and security companies in the crypto industry such as Fairyproof have extensive practical experience in this area. This is not a new challenge to the industry.
2. Audit of NFT Smart Contracts
An NFT, like an ERC-20 token, is implemented as one or more smart contracts. However, since an NFT is implemented according to a different token standard, such as ERC-721[4] or ERC-1155[5], rather than the typical fungible token standard ERC-20, the issues or risks that pertain to an NFT are slightly different from those pertaining to an ERC-20 token. A typical issue an NFT token contract may encounter is whether its random number generator is vulnerable to attacks or exploits. If it is, the contract may suffer from an attack in which minters repeatedly revert transactions until they mint their preferred tokens. Therefore, the methodologies and practices used to audit an NFT are slightly different from those used to audit an ERC-20 token.
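To illustrate the revert-until-favourable issue described above, here is an added example (not code from the post or from Fairyproof): a hypothetical mint contract whose rarity is derived from data the minter can already see in the same transaction, beside a two-step variant that derives it from a block hash that does not yet exist when the mint transaction is sent. Contract and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Vulnerable pattern (hypothetical contract, not from the post): the rarity is
// decided from values the caller can observe inside the same transaction, so a
// minting contract can call mint(), read rarity[id] and revert unless it got the
// value it wanted, paying only gas for each attempt.
contract VulnerableMint {
    mapping(uint256 => uint8) public rarity;
    uint256 public nextId;

    function mint() external returns (uint256 id) {
        id = nextId++;
        // block.timestamp, msg.sender and id are all known to the caller
        rarity[id] = uint8(uint256(keccak256(abi.encodePacked(block.timestamp, msg.sender, id))) % 100);
    }
}

// Hardened pattern: mint() only records the purchase and commits to a future
// block; the rarity is derived later from that block's hash, which nobody knew
// when the mint transaction was sent, so reverting the mint does not help.
contract TwoStepMint {
    mapping(uint256 => uint8) public rarity;
    mapping(uint256 => uint256) public revealBlock;
    mapping(uint256 => bool) public revealed;
    uint256 public nextId;

    function mint() external returns (uint256 id) {
        id = nextId++;
        revealBlock[id] = block.number + 1; // hash of this block is still unknown
    }

    function reveal(uint256 id) external {
        require(!revealed[id], "already revealed");
        require(block.number > revealBlock[id], "too early");
        bytes32 h = blockhash(revealBlock[id]);
        // blockhash() returns 0 for blocks older than 256; a token left unrevealed
        // that long needs an explicit fallback policy rather than a zero seed.
        require(h != bytes32(0), "reveal window passed");
        revealed[id] = true;
        rarity[id] = uint8(uint256(keccak256(abi.encodePacked(h, id))) % 100);
    }
}
```

The two-step form only defends against the minter; a block proposer can still bias blockhash, so production projects usually take the seed from a verifiable randomness oracle instead.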
3. Audit of Core Business Applications
Here a core business application refers to one that implements business logic that interacts with NFTs.
In general, there are two kinds of core business applications. One is a typical conventional web 2.0 application that just performs some basic operations such as minting and transferring NFTs between accounts. The popular PFP[6] projects[7][8] are of this kind. The other is a hybrid of conventional web 2.0 applications and smart contracts. Applications of this kind perform more complex operations such as escrow of NFTs, staking of NFTs, etc. The popular NFT trading platforms[9][10] are of this kind.
Both kinds of applications share two significant features compared to ERC-20 token-related applications. The first is that NFT applications generally have less sophisticated on-chain operations than ERC-20 applications such as DeFi applications[11][12]. The second is that most NFT applications are aimed at non-technical users, some of whom may have no knowledge of blockchain or crypto at all.
Therefore, the developers in the existing NFT ecosystem put huge efforts into improving user experience and making core business applications adapt to users’ behavior. This results in some applications employing extensive web 2.0 application technologies and procedures[9][13]. On one hand, this lowers the threshold for new users to come in; on the other hand, it may make such an application less decentralized, thus introducing web 2.0 issues or risks both in the application’s implementation and in its business logic or procedures.
Here we’d like to emphasize that the issues or risks in existing core business applications’ business logic and procedures have not drawn sufficient attention from the crypto industry. For example, issues such as optional or no enforcement of verification of NFTs on NFT trading platforms, challenges brought by optional or no KYC requirements on NFT trading platforms, and issues with royalty settings are rarely discussed or covered in audits of NFT applications such as trading platforms.
Fairyproof has done extensive research and accumulated rich experience in uncovering issues or risks in this area and has come up with a comprehensive framework to tackle them.
4. Audit of Affiliated Services or Applications
An affiliated service or application here refers to one that helps NFTs function. A typical affiliated service or application is one that stores an NFT’s metadata[14].
Since 2021, PFP projects have been extremely popular. In a typical PFP project, a fixed supply of NFTs is minted, and each NFT has a picture with unique features. Each picture contains the metadata of the corresponding NFT.
These pictures need a service or application for permanent storage. Without permanent storage of metadata, such an NFT would lose its appeal to users. Therefore, a service that provides affordable, reliable, and robust permanent storage is vital to such a project’s long-term development and success.
Typical services or applications used in these projects for permanent storage include decentralized applications such as IPFS[15] and Arweave[16], or conventional web 2.0 services such as AWS[17].
However, some of these applications or services do not provide permanent storage as is; developers need to carefully design and implement a custom solution on top of them.
How to ensure that such a custom solution works as expected, and how to tackle the issues or risks that may arise, are likewise seldom discussed or covered in either the research or the practice of today’s crypto industry.
Fairyproof began early on to research and study the provision of secure and scalable affiliated services and applications for NFTs, and has a systematic procedure and methodologies for uncovering issues or risks in this area.
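As an added example (not the post’s or Fairyproof’s code) of the contract-side half of such a custom solution, the following hypothetical contract makes the link from a token to its permanently stored metadata itself permanent: the base URI can be adjusted while the collection is being set up, may only be frozen once it points at IPFS or Arweave, and cannot be changed afterwards. Contract, function and event names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical helper (not from the post). Permanent storage of the pictures
// only helps if nobody can later repoint the tokens to a mutable location, so
// the base URI that token URIs are built from can be frozen only when it is
// content-addressed, and a frozen base URI can never be changed again.
contract FrozenMetadata {
    address public immutable owner;
    string public baseURI;
    bool public frozen;

    event MetadataFrozen(string uri);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Allowed during setup only; every call after freezeMetadata() reverts.
    function setBaseURI(string calldata uri) external onlyOwner {
        require(!frozen, "metadata frozen");
        baseURI = uri;
    }

    // Refuses to freeze an https:// or other mutable base, e.g. a plain web 2.0
    // bucket, so the frozen state always points at IPFS or Arweave content.
    function freezeMetadata() external onlyOwner {
        require(!frozen, "already frozen");
        require(
            _hasPrefix(baseURI, "ipfs://") || _hasPrefix(baseURI, "ar://"),
            "base URI is not content-addressed"
        );
        frozen = true;
        emit MetadataFrozen(baseURI);
    }

    function _hasPrefix(string memory s, string memory p) internal pure returns (bool) {
        bytes memory sb = bytes(s);
        bytes memory pb = bytes(p);
        if (sb.length < pb.length) return false;
        for (uint256 i = 0; i < pb.length; i++) {
            if (sb[i] != pb[i]) return false;
        }
        return true;
    }
}
```

An auditor reviewing a PFP contract would look for the same two properties: that the stored base URI is content-addressed, and that no privileged function can change it after the reveal.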
Auditing an NFT project is not just a matter of auditing the smart contracts of the NFTs involved in the project; it is comprehensive work that includes audits of the project’s underlying infrastructure, its business logic and procedures, and its affiliated services or applications.
Fairyproof has been keeping an eye on the development of this ecosystem, has performed extensive research in this area, and has built solid ground in audit practices in this area.
References:
[1] Non-fungible token, https://en.wikipedia.org/wiki/Non-fungible_token, Feb 22, 2022
[2] ERC-20 Token Standard, https://ethereum.org/en/developers/docs/standards/tokens/erc-20/
[3] Understanding Security Issues in the NFT Ecosystem, https://arxiv.org/abs/2111.08893, Jan 19, 2022
[4] ERC-721 Non-fungible Token Standard, https://ethereum.org/en/developers/docs/standards/tokens/erc-721/
[5] EIP-1155: Multi Token Standard, https://eips.ethereum.org/EIPS/eip-1155
[6] A Beginner’s Guide to Understanding PFP NFTs, https://medium.com/geekculture/a-beginners-guide-to-understanding-pfp-nfts-8714e9d30d0b, August 29, 2021
[7] CryptoPunks, https://www.larvalabs.com/cryptopunks
[8] BAYC, https://boredapeyachtclub.com/#/
[9] OpenSea, https://opensea.io/
[10] Rarible, https://rarible.com/
[11] Curve, https://curve.fi/
[12] MakerDAO, https://makerdao.com/
[13] Nifty Gateway, https://niftygateway.com/
[14] metadata, https://csrc.nist.gov/glossary/term/metadata
[15] IPFS, https://ipfs.io/
[16] Arweave, https://www.arweave.org/
[17] AWS, https://aws.amazon.com/
About the author:
Yuefei TAN, CEO of Fairyproof
About Fairyproof:
Fairyproof Tech is a blockchain security company established in January 2021.
It was founded by a team with rich experience in smart contract programming and network security. The team members participated in initiating a number of draft standards in the Ethereum field, including ERC-1646, ERC-2569, ERC-2794, and EIP-3712, of which ERC-2569 was officially accepted by the Ethereum team.
The team participated in the launch and development of various Ethereum projects, including blockchain platforms, DAO organizations, on-chain data storage, and decentralized exchanges, and conducted security audits of multiple projects deployed on Ethereum. Based on its strong R&D capability and deep understanding of smart contract security, Fairyproof has developed comprehensive vulnerability tracking and security systems and tools.
Fairyproof Tech serves and works closely with customers by providing systematic solutions covering both “code vulnerabilities” and “logic vulnerabilities”, and aims to provide customers with the best and most professional services.