Matthew Hickey of Hacker House recently announced the sale of "an exclusive HackerFantastic authored 0day exploit as part of our NFT proof-of-concept sale series" on Twitter. The exploit itself related to the game Quake3, and was described as "an interesting and intriguing computer security bug that results in denial-of-service of a widely used network game engine. Asset/IP will be transferred in full, winner can do with it as they please."
After the tokenized exploit was listed and put up for auction on the digital collectables marketplace OpenSea, OpenSea quickly cancelled the auction and took down the listing. According to Coindesk, "Hickey called that move 'digital censorship of a content creator.'"
"I believe that they took the wrong decision here in becoming arbitrary censors of content, and I am speaking with the company to get my auction restored," Hickey told Coindesk. "I would not recommend anyone to use OpenSea in light of the circumstances."
This case is interesting for several reasons. The basic idea of turning hacker exploits into tradable NFTs raises ethical questions. OpenSea's immediate censorship of the hacker NFT raises more questions about NFTs in general. Answering some of these questions might be easier if the controversial NFT were still available for inspection, but there currently appears to be nothing at all in HackerFantastic's OpenSea wallet.
The Question of Ethics
Zero-day exploits leverage previously unknown information to compromise computer systems. They can be used by white hats to identify and fix software bugs, but they can also be deployed maliciously in a variety of ways. There has long been a thriving underground market for such exploits. When Silk Road was taken down, Ross Ulbricht was criminally charged with distributing zero-day and other exploits through the illicit marketplace, though no actual hack was or has since been attributed to code purchased on Silk Road that I'm aware of.
It is generally unethical to sell anything for the purpose of facilitating crime. But selling a hacking exploit for the purpose of helping a company identify software bugs is perfectly ethical. Hickey's attempt to auction off his exploit could arguably fall into either category. But the fact that the exploit was to be sold directly from his personal account suggests that the motivations behind the sale were more benevolent than malicious. He wasn't hiding his identity behind some darkweb broker. He was attempting to turn a profit by sharing his research.
The Question of Censorship
It is troubling that OpenSea canceled Hickey's auction. In theory, it makes sense that a marketplace like OpenSea would have a mechanism in place for removing problematic NFTs. Plagiarized content and abuse imagery could proliferate otherwise, compromising the NFT market as a whole. But packaging computer science research as an NFT and then auctioning off the result involves neither plagiarism nor abuse.
OpenSea seems to be erring on the side of caution with its censorship of Hickey's NFT. They cannot really be faulted for their stance, particularly from a legal perspective. But their censorship has a cost. It stifled a novel innovation in the NFT world. And if they'd instead chosen to err on the side of freedom, this world would be richer as a result.
In a technical sense, there are some things about this exploit NFT that I don't fully understand. Namely, how is the exploit code kept hidden until it is purchased? Where does the code go and is it secure? An ERC-721 token such as those minted on OpenSea only stores some of its data on the Ethereum blockchain. The rest is stored elsewhere and accessed by a data URI stored on the blockchain. If the data accessed by the URI is changed, the NFT consequently changes, perhaps even after it has been sold. The problem was recently highlighted by an artist named Neitherconfirm and covered by the Coin Telegraph.
If an NFT partially consists of zero-day exploit code, and if the creator of the NFT is technically able to alter this code subsequent to its purchase, that would seem to represent a major security vulnerability. Having the code stored on IPFS would eliminate this vulnerability because changing data on IPFS changes its address, making it inaccessible to the immutable data URI.
Regardless of these issues, minting hacker exploits as NFTs is a use of the tech that never would have occurred to me before now.
This post is published for Cryptowriter in association with Voice.