Hijacking an NFT’s Media — No Coding Required - Aliens: AI Crypto News & Markets Updates

Hijacking an NFT’s Media — No Coding Required

Publisher
Kraken

Wed, Jan 19, 2022


Aliens TLDR

Kraken Security Labs scanned thousands of smart contracts on the Ethereum blockchain to take advantage of vulnerabilities left open in certain non-fungible token (NFT) contracts.

Contrary to popular belief, not all NFT media (or metadata) is stored on a blockchain.

In many cases — such as in the ERC-721 contracts we’re about to see — the blockchain merely stores a pointer to where the media is kept, like a bank vault that contains a piece of paper with the address of where a piece of art is stored.

Kraken Security Labs scanned thousands of NFTs for expired links (expired websites or custom URLs from hosting services).

The team first identified a token named UniOption, whose contract was created in December 2020.

The contract’s tokenURI method revealed that the token’s metadata was hosted at stacksideflow.github.io.

Figure: The URL to the token’s metadata.

With a little more configuration, we were able to deliver custom content via the stacksideflow.github.io URL. Mimicking the path pointed to in the NFT contract, we added a simple JSON file to our new repository that would deliver our metadata to the token.

Figure: The name, description and image have been changed.

From there, we bought the domain and, similarly to the previous example, set up a path to deliver custom metadata to the NFTs. Again, if we look up the collection on Rarible or OpenSea, we can see the changes made to the image, title and description.

When a smart contract hardcodes a URL subject to change, the creator leaves it open to hijacking.

In addition, some contracts may include functions that allow the contract owner or the token holder to update the URL, in which case it isn’t static and could change in the future.

Currently there’s no easy way to detect this ‘updatable URL’ vulnerability automatically, though reviewing the smart contract code (if it has been published) on explorers such as Etherscan, and looking for functions that change the URL, can protect against it.

For ERC-721 NFTs, Kraken Security Labs advises that you always check where your token is stored.

Ideally, if your NFT stores its data off-chain, it should be hosted on a system such as Arweave or IPFS (the Interplanetary File System) — not to be confused with IPNS (the Interplanetary Name System), as those links are not guaranteed to be immutable.
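As a defender’s check for the two issues the article describes (a tokenURI that points at a host someone else could take over, and a contract that can repoint the URI after minting), here is an added Python example; it is not part of the Kraken article, and the sample tokenURI, the ABI fragment and the list of setter function names are constructed assumptions. In practice you would fetch the tokenURI and the verified ABI from a node or Etherscan and pass them to assess().

```python
import json
from urllib.parse import urlparse

# Constructed sample inputs: a tokenURI on the GitHub Pages host named in the article,
# and a minimal ABI fragment for a contract whose owner can repoint metadata after mint.
SAMPLE_URI = "https://stacksideflow.github.io/unioption/metadata/1.json"
SAMPLE_ABI = json.dumps([
    {"type": "function", "name": "tokenURI", "stateMutability": "view"},
    {"type": "function", "name": "setBaseURI", "stateMutability": "nonpayable"},
])

IMMUTABLE_SCHEMES = {"ipfs", "ar"}           # content-addressed: the hash in the URI pins the bytes
MUTABLE_SCHEMES = {"http", "https", "ipns"}  # a host or name that resolves to whatever it points at today
# Setter names commonly seen in ERC-721 contracts (assumed list; extend it for the contracts you review).
URI_SETTERS = {"setBaseURI", "setTokenURI", "setURI", "setBaseTokenURI", "updateTokenURI"}

def classify_token_uri(uri: str) -> str:
    """Return 'onchain', 'immutable', 'mutable' or 'unknown' for one tokenURI string."""
    if uri.startswith("data:"):
        return "onchain"  # metadata is embedded in the URI itself, nothing external to hijack
    parsed = urlparse(uri)
    scheme = parsed.scheme.lower()
    if scheme in IMMUTABLE_SCHEMES:
        return "immutable"
    if scheme in ("http", "https") and "/ipfs/" in parsed.path:
        return "immutable"  # heuristic: an IPFS CID served through an HTTP gateway is still content-addressed
    if scheme in MUTABLE_SCHEMES:
        return "mutable"
    return "unknown"

def uri_setters(abi_json: str) -> list:
    """Names of ABI functions that look like they can change the metadata pointer after minting."""
    abi = json.loads(abi_json)
    return sorted(f["name"] for f in abi
                  if f.get("type") == "function" and f.get("name") in URI_SETTERS)

def assess(uri: str, abi_json: str) -> list:
    """Collect the two findings the article warns about: a hijackable host and an updatable URI."""
    findings = []
    if classify_token_uri(uri) == "mutable":
        findings.append(f"metadata served from mutable location {urlparse(uri).netloc}: "
                        "hijackable if the hosting account or domain lapses")
    setters = uri_setters(abi_json)
    if setters:
        findings.append(f"contract exposes {', '.join(setters)}: the URI can be changed after mint")
    return findings

if __name__ == "__main__":
    for finding in assess(SAMPLE_URI, SAMPLE_ABI):
        print("WARNING:", finding)
```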
