Hijacking an NFT’s Media — No Coding Required - Aliens: AI Crypto News & Markets Updates
Hijacking an NFT’s Media — No Coding Required


Wed, Jan 19, 2022


Aliens TLDR

Kraken Security Labs scanned thousands of smart contracts on the Ethereum blockchain and showed how vulnerabilities left open in certain non-fungible token (NFT) contracts could be taken advantage of.

Contrary to popular belief, not all NFT media (or metadata) is stored on a blockchain.

In many cases — such as in the ERC-721 contracts we’re about to see — the blockchain merely stores a pointer to where the media is kept, like a bank vault that contains a piece of paper with the address of where a piece of art is stored.

Kraken Security Labs scanned thousands of NFTs for expired links (expired websites or custom URLs from hosting services).

The team first identified a token named UniOption, whose contract was created in December 2020.

The contract’s tokenURI method revealed that the token’s metadata was hosted at stacksideflow.github.io.

With a little more configuration, we made it so we could deliver custom content via the stacksideflow.github.io URL. Mimicking the path pointed to in the NFT contract, we added a simple JSON file to our new repository that would deliver our metadata to the token; the name, description and image have been changed.

From there, we bought the domain and, similarly to the previous example, set up a path to deliver custom metadata to the NFTs. Again, if we look up the collection on Rarible or OpenSea, we can see the changes made to the image, title and description.

When a smart contract hardcodes a URL subject to change, the creator leaves it open to hijacking.

In addition, some contracts may include functions that allow the contract owner or the token holder to update the URL, in which case it isn’t static and could change in the future.

Currently there’s no easy way to detect this ‘updatable URL’ vulnerability, though reviewing the smart contract code (if available) on pages such as Etherscan can protect against this.

For ERC-721 NFTs, Kraken Security Labs advises that you always check where your token is stored.

Ideally, if your NFT stores its data off-chain, it should be hosted on a system such as Arweave or IPFS (the Interplanetary File System) — not to be confused with IPNS (the Interplanetary Name System), as those links are not guaranteed to be immutable.
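The advice above boils down to two checks a holder can run themselves: where does the tokenURI point, and does the contract expose a function that can change it later? The following is an added example written for this page, not Kraken Security Labs' tooling. It classifies a tokenURI string by the hosting model it implies (content-addressed, name-based, account-hosted page, custom domain, or embedded on-chain) and scans a contract ABI for non-view functions whose names suggest they rewrite URIs. The list of account-hosted suffixes, the sample URIs and the sample ABI are all constructed for illustration; only stacksideflow.github.io comes from the article, and the path under it is invented.

```python
"""Classify ERC-721 metadata pointers and flag URI-updating ABI functions.

Added example for this page; not code from Kraken Security Labs. The sample
URIs and ABI below are constructed, and the github.io path is invented.
"""
from urllib.parse import urlparse

# Content-addressed schemes: the identifier is derived from the content, so
# the bytes behind the pointer cannot be swapped without changing the pointer.
CONTENT_ADDRESSED = {"ipfs", "ar"}
# Name-based schemes resolve to whatever the key holder currently publishes.
MUTABLE_NAME_SCHEMES = {"ipns"}
# Hosting services where a subdomain is tied to an account name that can be
# abandoned and re-registered by someone else (assumed list, not exhaustive).
ACCOUNT_HOSTED_SUFFIXES = (".github.io", ".gitlab.io", ".netlify.app",
                           ".vercel.app", ".pages.dev")


def classify_token_uri(uri):
    """Return (risk_class, reason) for a tokenURI string."""
    uri = uri.strip()
    if uri.startswith("data:"):
        return "on-chain", "metadata is embedded directly in the tokenURI"
    parsed = urlparse(uri)
    scheme = parsed.scheme.lower()
    host = (parsed.hostname or "").lower()
    if scheme in CONTENT_ADDRESSED:
        return "immutable", f"{scheme}:// pointer is content-addressed"
    if scheme in MUTABLE_NAME_SCHEMES:
        return "mutable", "IPNS name can be re-pointed by its key holder"
    if scheme in ("http", "https"):
        if "/ipns/" in parsed.path:
            return "mutable", "IPNS name served through an HTTP gateway"
        if "/ipfs/" in parsed.path:
            # Content is still hash-addressed, but the gateway domain itself
            # is a single point of failure if it lapses or misbehaves.
            return "gateway", f"IPFS content behind HTTP gateway {host}"
        if host.endswith(ACCOUNT_HOSTED_SUFFIXES):
            return "hijackable", (f"account-hosted page on {host}; the account "
                                  "name can be re-registered if abandoned")
        return "hijackable", (f"custom domain {host}; the domain can expire "
                              "and be re-registered")
    return "unknown", f"unrecognised scheme {scheme!r}"


# Substrings that, in a state-changing function name, suggest the metadata
# pointer can be rewritten after mint ("updatable URL" in the article).
URI_SETTER_HINTS = ("tokenuri", "baseuri", "uri")


def uri_updaters(abi):
    """Return names of non-view/non-pure ABI functions that look like URI setters."""
    found = []
    for entry in abi:
        if entry.get("type") != "function":
            continue
        if entry.get("stateMutability") in ("view", "pure"):
            continue  # read-only, e.g. tokenURI(uint256) itself
        name = entry.get("name", "")
        if any(hint in name.lower() for hint in URI_SETTER_HINTS):
            found.append(name)
    return found


# Constructed sample inputs (not taken from any real contract).
SAMPLE_URIS = [
    "https://stacksideflow.github.io/unioption/metadata/1.json",  # host from article, path invented
    "ipfs://QmConstructedCidForIllustrationOnly/1.json",
    "ipns://k51constructedkeyforillustration/1.json",
    "https://ipfs.io/ipfs/QmConstructedCidForIllustrationOnly/1.json",
    "https://example.com/metadata/1",
    "data:application/json;base64,e30=",
]
SAMPLE_ABI = [
    {"type": "function", "name": "tokenURI", "stateMutability": "view"},
    {"type": "function", "name": "setBaseURI", "stateMutability": "nonpayable"},
    {"type": "function", "name": "updateTokenURI", "stateMutability": "nonpayable"},
    {"type": "function", "name": "transferFrom", "stateMutability": "nonpayable"},
    {"type": "event", "name": "Transfer"},
]

if __name__ == "__main__":
    for sample in SAMPLE_URIS:
        risk, reason = classify_token_uri(sample)
        print(f"{risk:11} {sample}\n{'':11} {reason}")
    print("URI setters in ABI:", uri_updaters(SAMPLE_ABI))
```

The classifier treats any plain HTTP(S) pointer as hijackable on purpose: the article's two examples (an abandoned github.io account and an expired custom domain) are both just special cases of "someone else can come to control what this URL serves". The ABI scan is a name heuristic, so a contract that names its setter something unusual will slip past it; reading the verified source on Etherscan, as the article recommends, remains the authoritative check.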
