The NFT Ecosystem And Related Security Risks

Read Time: 6 minutes

2021 has been an interesting year for NFTs. 

The most expensive NFTs to date were sold during this period, including Beeple's artwork and the rarest CryptoPunks. The traits that make NFTs intriguing are verifiability and trustless transfer.

In brief, NFT transfers are recorded on the blockchain, so the information needed to verify a transfer can be retrieved whenever required. The blockchain also settles the transfer between the buyer and seller of an NFT, which makes the transaction trustworthy.

On the downside, NFT security raises legitimacy concerns and invites fraudulent activity. This blog covers those occurrences in the NFT ecosystem together with the related cryptocurrency security data.

Given the ease of use and reliability of the Ethereum blockchain, NFTs operating on it are analyzed here to identify the cryptocurrency security issues in play.

Key Concepts Covered In This Blog

  • Overview of Ethereum blockchain and the functioning of NFTs
  • Dissecting the NFT ecosystem into Users, NFT marketplaces, and External entities
  • NFT security flaws encountered by NFT marketplaces
  • Issues faced with external entities
  • Newest NFT threat performed by the users

Working of NFTs on Ethereum blockchain

Ethereum is the second most adopted blockchain network after Bitcoin. Ethereum's adoption rose to the point that, from hardly 10,000 users in 2020, it has grown to 4.4 million DeFi users on Ethereum in two years.

Ethereum powers its native ETH token and the many dapps built on it. Under the Proof-of-Work consensus mechanism, miners solve cryptographic puzzles to add blocks to the Ethereum network.

Smart contracts are deployed to and executed on the Ethereum Virtual Machine (EVM). Tokens built on the Ethereum blockchain are of two types: fungible and non-fungible.

Fungible tokens are usually ERC-20 compliant, whereas non-fungible tokens follow the ERC-721 and ERC-1155 standards. ERC-721 is the best-known standard for implementing non-fungible tokens on the Ethereum blockchain.

Breaking Down The NFT Ecosystem

The NFT economy is made of three classes:

  • Users, who are the buyers and sellers of digital assets
  • Marketplaces, which act as intermediaries for publicizing the assets and driving their sale
  • External entities, which provide infrastructure and hosting services for users and NFT marketplaces


The users of the NFT economy are further divided into three categories: buyers, sellers, and content creators.

  • Content creators produce digital art but may not have the technical skill to convert it into NFTs. Some creators both create and mint, while others grant sellers the rights to mint their work as NFTs.
  • Sellers mint NFTs and list them on NFT marketplaces for buyers to purchase.
  • Buyers bid on NFTs on the marketplace websites and take ownership of the assets.


The working of the marketplace involves two interfaces:

  • Web frontend 

This is where the user interacts to purchase NFTs from sellers or to initiate transactions. The website requires user authentication to set up accounts for listing NFTs or purchasing digital art.

  • Smart contracts

Transactions on the marketplaces invoke smart contracts to execute their activities. Two types of smart contract exist:

Marketplace contracts: all activities of the NFT marketplace and its protocol are managed through these contracts.

Token contracts: the execution of token transfers is handled by token contracts.

All transactions and token activities are treated as events in the NFT marketplaces. The events are stored either on-chain or off-chain.

  • On-chain storage keeps events in the blockchain, which costs a high gas fee. Ex: SuperRare, Axie Infinity
  • Off-chain storage keeps events in off-chain databases, which is gas-friendly. Ex: Nifty
  • Hybrid storage, on the other hand, ties together on-chain and off-chain storage, verified through a cryptographic check. Ex: OpenSea

In short, a marketplace facilitates user authentication, token minting, token listing, and token trading.

External Entities

External entities provide hosting services such as IPFS, where creators store their artwork, and so on.


NFT marketplaces such as OpenSea, Nifty Gateway, Rarible, SuperRare, etc., have been studied for security thefts and attacker activities. The following NFT threats are based on the inferences drawn from those findings.

Identity verification for user authentication: verifying personally identifiable information prevents money laundering. But no NFT marketplace is found to mandate a KYC process, which may result in users creating multiple accounts that are hard to trace.

Token contract verification: a token contract is considered verified once its source code has been submitted to Etherscan for public scrutiny, so that any bugs can be identified. But none of the marketplaces, including OpenSea, Sorare, and Axie Infinity, makes it mandatory to keep the contract code open-source.

Tampering with metadata: a token's metadata points to the specific asset. When this metadata is stored on third-party domains it can be altered, which makes the token susceptible to attacks. NFT marketplaces are found to have no preventive measures against metadata tampering, which makes it the newest threat for NFT hacks.

Buyer or seller verification: verified sellers that hold badges on their profile attract huge attention from the buyer community. NFT marketplaces such as Foundation are strict when approving seller verification. Others, such as OpenSea and Rarible, leave it to the buyer to establish the seller's authenticity, as they keep no mandatory requirements, which presents a greater threat of NFT scams.

Feature Specification On Various Marketplaces


NFT tokens are ERC-721 compliant, and the standard includes a metadata URL. Generally, this URL points to where the data is stored: IPFS (decentralized storage), a web domain, or Amazon S3 (centralized storage).

NFTs that point to external domains are often exposed to the risk of the domain becoming invalid or unavailable. In that case the NFTs break, leaving the URL pointing at empty fields.
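The two checks a buyer or marketplace can run against this are: where does the metadata URL (and the image it references) actually point, and has the metadata changed since the token was minted. The script below is an added example, not code from the original post or from any marketplace: it classifies a URI as content-addressed (IPFS, or inline data) versus rewritable (S3, ordinary web domain), and compares freshly fetched metadata with a SHA-256 digest pinned at mint time. The gateway host list, the CID, the hostnames and the sample metadata are constructed values.

```python
"""Classify where an ERC-721 tokenURI (or its image field) points and check
the resolved metadata against a digest pinned at mint time.
Added illustration, not code from the original post; hosts, CIDs and the
sample metadata below are constructed values."""
import hashlib
import json
from urllib.parse import urlparse

# Public gateways that serve IPFS content over HTTPS (constructed list).
IPFS_GATEWAY_HOSTS = {"ipfs.io", "gateway.pinata.cloud", "cloudflare-ipfs.com"}


def classify_token_uri(uri: str) -> str:
    """Return 'data', 'ipfs', 's3' or 'web' for a metadata or image URI."""
    if uri.startswith("data:"):
        return "data"  # metadata embedded in the URI itself, lives on-chain
    parsed = urlparse(uri)
    if parsed.scheme == "ipfs":
        return "ipfs"
    host = (parsed.hostname or "").lower()
    if host in IPFS_GATEWAY_HOSTS and "/ipfs/" in parsed.path:
        return "ipfs"  # gateway URL, but still addressed by content hash (CID)
    if host.endswith(".amazonaws.com"):
        return "s3"
    return "web"


def is_mutable_storage(uri: str) -> bool:
    """Content-addressed locations (ipfs, data:) cannot change without the
    URI changing; an S3 object or an ordinary web path can be rewritten."""
    return classify_token_uri(uri) in ("s3", "web")


def metadata_digest(metadata: dict) -> str:
    """SHA-256 over canonical JSON (sorted keys, no whitespace), so two
    equal metadata documents always produce the same digest."""
    canonical = json.dumps(metadata, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def check_metadata(metadata: dict, pinned_digest: str) -> list:
    """Compare freshly fetched metadata with the digest recorded at mint and
    report tampering, a broken token (no image), or an image that sits on
    storage the hosting party could silently swap."""
    findings = []
    if metadata_digest(metadata) != pinned_digest:
        findings.append("metadata changed since mint (digest mismatch)")
    image = metadata.get("image")
    if not image:
        findings.append("image field missing: token is broken")
    elif is_mutable_storage(image):
        findings.append(f"image on mutable storage ({classify_token_uri(image)})")
    return findings


# Constructed sample: metadata as pinned at mint, and a later tampered copy.
MINT_METADATA = {"name": "Sample #1", "image": "ipfs://bafyexamplecid/1.png"}
PINNED_DIGEST = metadata_digest(MINT_METADATA)
TAMPERED_METADATA = {"name": "Sample #1", "image": "https://cdn.example/1.png"}

if __name__ == "__main__":
    print(check_metadata(MINT_METADATA, PINNED_DIGEST))      # []
    print(check_metadata(TAMPERED_METADATA, PINNED_DIGEST))  # two findings
```

The digest is the piece a marketplace would store alongside the listing (or a creator would publish at mint) so that a later change to metadata hosted on a web domain or S3 bucket is detectable rather than silent; an IPFS CID gives the same guarantee by construction, which is why the classifier treats it as non-mutable.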


Counterfeit NFT creation: smart contracts store the ownership of tokens. So, to verify that tokens are legitimate, users are advised to visit the project website.

The instances of counterfeit NFT creation recorded were:

  • Ones where the name or character of the original NFT is modified.
  • NFTs that point to existing assets by simply duplicating the image_url of the authentic ones.

These are the newest threat to NFT buyers. Records of counterfeit NFTs in circulation have increased because NFT marketplaces perform no stringent verification of whether the collection or token already exists.
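Both recorded forms of counterfeit, a modified name and a duplicated image_url, can be caught at listing time by comparing a new listing against the set of verified collections. The script below is an added example written for this post, not a marketplace's own verification code: it normalises collection names so that case, punctuation and single-character swaps do not hide an imitation, and it indexes the image_url of every verified token so a copy from a different contract is flagged. The listings, contract addresses and collection names are constructed samples, and the field names are assumptions.

```python
"""Flag marketplace listings that imitate a verified collection, either by a
near-identical collection name or by reusing a verified token's image_url.
Added illustration, not code from the original post; the listings, contract
addresses and collection names below are constructed samples."""
import difflib
import re
import unicodedata


def normalise_name(name: str) -> str:
    """Strip accents and decorations, fold case and drop non-alphanumerics so
    'Sample-Punks!' and 'sample punks' compare equal."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", folded.lower())


def find_counterfeits(candidates, verified, name_cutoff=0.9):
    """Return candidate listings whose contract is not verified but whose name
    or image points at a verified collection. name_cutoff is the difflib
    similarity ratio above which two normalised names count as a match, so a
    single-character swap such as 'Sampl3 Punks' is still caught."""
    verified_contracts = {v["contract"] for v in verified}
    names = {normalise_name(v["collection"]): v["collection"] for v in verified}
    images = {v["image_url"]: v["collection"] for v in verified}
    findings = []
    for c in candidates:
        if c["contract"] in verified_contracts:
            continue  # a token from the genuine contract, whatever its name
        reasons = []
        near = difflib.get_close_matches(
            normalise_name(c["collection"]), list(names), n=1, cutoff=name_cutoff)
        if near:
            reasons.append(f"name imitates verified collection '{names[near[0]]}'")
        if c["image_url"] in images:
            reasons.append(f"image_url duplicates a token of '{images[c['image_url']]}'")
        if reasons:
            findings.append({"contract": c["contract"],
                             "token_id": c["token_id"],
                             "reasons": reasons})
    return findings


# Constructed reference set: tokens of one verified collection.
VERIFIED = [
    {"contract": "0xverified", "token_id": 1, "collection": "Sample Punks",
     "image_url": "ipfs://bafyexamplecid/1.png"},
    {"contract": "0xverified", "token_id": 2, "collection": "Sample Punks",
     "image_url": "ipfs://bafyexamplecid/2.png"},
]

# Constructed new listings: one genuine, one name imitation, one image copy,
# one unrelated collection.
CANDIDATES = [
    {"contract": "0xverified", "token_id": 3, "collection": "Sample Punks",
     "image_url": "ipfs://bafyexamplecid/3.png"},
    {"contract": "0xcopy1", "token_id": 1, "collection": "Sampl3 Punks",
     "image_url": "ipfs://bafycopycid/1.png"},
    {"contract": "0xcopy2", "token_id": 7, "collection": "Totally Different",
     "image_url": "ipfs://bafyexamplecid/2.png"},
    {"contract": "0xother", "token_id": 1, "collection": "Unrelated Art",
     "image_url": "ipfs://bafyothercid/1.png"},
]

if __name__ == "__main__":
    for finding in find_counterfeits(CANDIDATES, VERIFIED):
        print(finding)
```

The contract address, not the display name, is what identifies the genuine collection, which is why the check skips anything minted from a verified contract before looking at names or images; a marketplace that only compared names would still let an image copy under a fresh name through.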

Bid shielding: users are allowed to place bids on NFTs. In bid shielding, user X bids at a high price so that no other user makes any further bids on that NFT. User X then withdraws the bid and takes the NFT at the lowest price.

Wash trading: in wash trading, the creators and sellers of an NFT artificially inflate the price of the asset to attract buyers' attention. For example, high-value projects such as CryptoKitties and Decentraland are suspected of wash trading, which adds another item to the cryptocurrency security agenda.
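Both patterns leave a signature in the marketplace event stream, whether that stream is stored on-chain or off-chain. The script below is an added example, not code from the original post or from any marketplace: it replays a constructed event log per token and reports a sale as shielded when a bid higher than the final price was cancelled before the sale (strongest when the canceller is also the buyer), and reports wash trading when a token is sold back to an address that already held it. The event log, addresses and field names are constructed assumptions.

```python
"""Scan a marketplace event log for bid shielding (a high bid placed, then
cancelled, followed by a sale below it) and wash trading (a token sold back
to an address that already owned it).
Added illustration, not code from the original post; the event log is a
constructed sample and the field names are assumptions."""
from collections import defaultdict


def _by_token(events, types=None):
    """Group events per token in timestamp order, optionally filtered by type."""
    grouped = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if types is None or e["type"] in types:
            grouped[e["token"]].append(e)
    return grouped


def detect_bid_shielding(events):
    """For each token, remember bids cancelled before the sale; if the sale
    price is below any of them, the auction was shielded."""
    findings = []
    for token, evs in _by_token(events).items():
        open_bids = {}   # bidder -> amount currently standing
        cancelled = []   # (bidder, amount) withdrawn before the sale
        for e in evs:
            if e["type"] == "bid":
                open_bids[e["actor"]] = e["amount"]
            elif e["type"] == "bid_cancelled":
                amount = open_bids.pop(e["actor"], None)
                if amount is not None:
                    cancelled.append((e["actor"], amount))
            elif e["type"] == "sale":
                shields = [(b, a) for b, a in cancelled if a > e["amount"]]
                if shields:
                    findings.append({
                        "token": token,
                        "buyer": e["actor"],
                        "sale_price": e["amount"],
                        "shielding_bids": shields,
                        # strongest signal: the shielder is also the buyer
                        "buyer_was_shielder": any(b == e["actor"] for b, _ in shields),
                    })
                open_bids.clear()   # a sale closes this token's auction
                cancelled.clear()
    return findings


def detect_wash_trading(events):
    """For each token, build the owner history from its sales; a buyer who
    already appears in that history closes a loop (A -> B -> A)."""
    findings = []
    for token, sales in _by_token(events, types={"sale"}).items():
        history = [sales[0]["seller"]]
        for s in sales:
            buyer = s["actor"]
            if buyer in history:
                start = history.index(buyer)
                findings.append({
                    "token": token,
                    "loop": history[start:] + [buyer],
                    "price_at_return": s["amount"],
                })
            history.append(buyer)
    return findings


# Constructed event log: T1 is an honest auction, T2 shows bid shielding,
# T3 shows a wash-trading loop at rising prices. Amounts are in ETH.
EVENTS = [
    {"ts": 1, "token": "T1", "type": "bid", "actor": "0xA", "amount": 1.0},
    {"ts": 2, "token": "T1", "type": "bid", "actor": "0xB", "amount": 1.5},
    {"ts": 3, "token": "T1", "type": "sale", "actor": "0xB", "seller": "0xS", "amount": 1.5},
    {"ts": 4, "token": "T2", "type": "bid", "actor": "0xC", "amount": 0.2},
    {"ts": 5, "token": "T2", "type": "bid", "actor": "0xX", "amount": 10.0},
    {"ts": 6, "token": "T2", "type": "bid_cancelled", "actor": "0xX", "amount": 10.0},
    {"ts": 7, "token": "T2", "type": "sale", "actor": "0xX", "seller": "0xS", "amount": 0.3},
    {"ts": 8, "token": "T3", "type": "sale", "actor": "0xQ", "seller": "0xP", "amount": 1.0},
    {"ts": 9, "token": "T3", "type": "sale", "actor": "0xP", "seller": "0xQ", "amount": 2.0},
    {"ts": 10, "token": "T3", "type": "sale", "actor": "0xQ", "seller": "0xP", "amount": 4.0},
]

if __name__ == "__main__":
    for finding in detect_bid_shielding(EVENTS) + detect_wash_trading(EVENTS):
        print(finding)
```

The owner-loop check only catches the simplest wash-trading shape; in practice the same pair of wallets often trade through intermediaries, so a production detector would cluster addresses by funding source before looking for loops. The bid-shielding check is deliberately conservative in the other direction: a cancelled high bid followed by a cheaper sale is flagged even when the buyer is someone else, and the `buyer_was_shielder` field separates the clear-cut cases from the merely suspicious ones.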

Bottom Line

The events of security breaches often lead to huge financial losses. 

Identifying the threat to NFTs is the first step to rectifying it, and auditing companies do this best. QuillAudits, in that way, is making an active contribution to NFT and cryptocurrency security, making the decentralized space more trustworthy and user-friendly.
