It's Only a Matter of Time before Hackers Strike the NFT Ecosystem: Qiao Wang
The only reason NFT holders have been spared from rug pulls and other vices common in DeFi, Qiao Wang observes, is that we are “very early on.”
Malicious agents, he reasons, have yet to fully explore the composability and programmability of NFTs. That exploration could probably uncover loopholes to exploit.
There is no doubt that many newbies are aping into NFTs, experiencing the thrill of trading limited-edition pieces or collections for top dollar. NFTs have morphed into a high-energy, fluid, and lucrative marketplace dominating Ethereum.
Axie Infinity—which has gathered a large following in the Philippines—generates more revenue for miners than some of the most active DeFi dApps.
As an illustration, the top Ethereum-based marketplace, OpenSea, generated over $3.5 billion in monthly trading volume in August 2021 alone. This subsequently lifted the all-time sales of Axie Infinity and CryptoPunks collectibles above the $1 billion mark. The uptick in activity also saw NFT platform tokens like RARI float into the green, tapping the popularity of NFTs.
So, is it that hackers are “too lazy” to exploit, subtly giving up on NFTs?
Looking back at DeFi’s history, financial dApps were inundated with discouraging exploits running into hundreds of millions of dollars. Amid the deluge, DeFi got a bad rap, worsened by the announcement of flash loans from Aave. With near-zero funds, a hacker, or a group, could wreak havoc in the ecosystem, causing massive losses and staining the industry’s reputation.
The frequency has been tamed with well-thought-out patches, and the space has been forced to “grow” faster.
NFTs, on the other hand, are quite complex. They are not fungible tokens that can be swapped easily or even channeled to an exchange and liquidated instantly. Instead, they are digital representations of physical or digital assets. There have been partnerships where artists team up with leading art houses, resulting in multi-million sales.
Meanwhile, marketplaces are a convenient portal for talented artists to mint and auction their assets. If anything, it has been a win-win for stakeholders. Take, for instance, the success of CryptoPunks, which were distributed for free. In early September, purchasing any of them from the secondary market would set a prospective buyer back millions’ worth of ETH.
According to Qiao, hackers could be burning the midnight oil, dissecting applicable minting standards to pick out flaws that give them remote control of valuable NFTs.
The weakness of NFTs lies in the details: the programmability behind the scenes, where flaws, if any, would render these limited-edition tokens useless. Ordinarily, in the build environment, smart contracts’ programmability or composability gives the user more choice and therefore a better user experience.
This is so because there are no barriers that would prevent a user from taking an idea and implementing it in a new use case. As a result, developers can take advantage of composability to bootstrap projects without necessarily building from scratch and deploy them via Ethereum—a sandbox with a global audience.
Now, while NFTs are not interchangeable (each is unique via its identifier), they do exist in a composable environment: a smart contracting platform allowing transferability. That is why NFTs can be composed and merged with, say, DeFi, allowing owners to take out loans.
However, loopholes can exist since the minting and burning of NFTs are dissociated from, and not defined by, the NFT standard, whether ERC-721, ERC-998, ERC-1155, or others.
What’s more, the digital file (video, image, or audio) is stored elsewhere, usually on a server or in decentralized file storage like IPFS, and referenced by a URL. Storing digital artwork on the chain can be prohibitively expensive because of large file sizes.
Kelani Nichole of Transfer Gallery, in an interview, expressed her shock that the ERC-721 standard had gained massive popularity quickly despite the inherent risks when the digital artworks that define the NFT are referenced using URLs.
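The URL dependency described above can be checked per token. The following is an added example, not code from the original article or from any project it names: it rates a token's metadata URI and its image reference by who can change what they resolve to, and compares artwork bytes against a digest recorded at purchase. The hosts, the `EXAMPLE_CID` placeholder and the sample metadata are constructed, and the `image` field is assumed to follow the ERC-721 metadata JSON schema.

```python
import base64
import hashlib
import json
from urllib.parse import urlparse

# Ranked from most to least durable; the weakest hop decides the overall rating.
RANK = ["on-chain", "content-addressed", "gateway", "mutable", "unknown"]

def classify_uri(uri: str) -> str:
    """Classify one reference by who can change what it resolves to."""
    parsed = urlparse(uri)
    scheme = parsed.scheme.lower()
    if scheme == "data":
        return "on-chain"            # bytes are embedded in the URI itself
    if scheme == "ipfs":
        return "content-addressed"   # address is derived from the content hash
    if scheme in ("http", "https"):
        parts = [p for p in parsed.path.split("/") if p]
        # An HTTP gateway path /ipfs/<cid> is hash-addressed but depends on one host.
        if len(parts) >= 2 and parts[0] == "ipfs":
            return "gateway"
        return "mutable"             # whoever controls the server can swap the file
    return "unknown"

def load_inline_metadata(token_uri: str) -> dict:
    """Decode metadata carried in a base64 JSON data: URI."""
    header, payload = token_uri.split(",", 1)
    if not header.endswith(";base64"):
        raise ValueError("only base64 data URIs are handled in this example")
    return json.loads(base64.b64decode(payload))

def audit_token(token_uri: str, metadata: dict) -> dict:
    """Rate the metadata hop and the image hop; report the weaker of the two."""
    hops = {"metadata": classify_uri(token_uri), "image": classify_uri(metadata.get("image", ""))}
    hops["overall"] = max(hops.values(), key=RANK.index)
    return hops

def artwork_changed(recorded_sha256: str, current_bytes: bytes) -> bool:
    """Compare bytes fetched now against a digest recorded at purchase time."""
    return hashlib.sha256(current_bytes).hexdigest() != recorded_sha256

# Constructed samples: hypothetical host, placeholder CID, made-up artwork bytes.
META = {"name": "Sample #1", "image": "https://cdn.example.com/art/1.png"}
INLINE_URI = "data:application/json;base64," + base64.b64encode(json.dumps(META).encode()).decode()
ORIGINAL = b"constructed artwork bytes"
RECORDED = hashlib.sha256(ORIGINAL).hexdigest()

if __name__ == "__main__":
    print(audit_token(INLINE_URI, load_inline_metadata(INLINE_URI)))
    print(audit_token("ipfs://EXAMPLE_CID/1.json", {"image": "ipfs://EXAMPLE_CID/1.png"}))
```

The first sample shows the case that is easy to miss: metadata stored on-chain still rates as mutable overall because its `image` points at an ordinary web server.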
While it could be crushing to lose the artwork—the file—hackers might not succeed in swaying those who pin the value of the NFT on the defining smart contract. This, for supporters, presents a deterrent.
Yet for others who hold that the artwork defines the NFT, a hacker taking control of the referencing URL, or hacking the centralized server (or even the marketplace) where these files are held or auctioned, wouldn’t be incentivizing enough since the space is, after all, a bubble that would soon pop.