Hijacking an NFT’s Media — No Coding Required - Aliens: AI Crypto News & Markets Updates
Hijacking an NFT’s Media — No Coding Required

Publisher: Kraken

Wed, Jan 19, 2022


Aliens TLDR

Kraken Security Labs scanned thousands of smart contracts on the Ethereum blockchain to take advantage of vulnerabilities left open in certain non-fungible token (NFT) contracts.

Contrary to popular belief, not all NFT media (or metadata) is stored on a blockchain.

In many cases — such as in the ERC-721 contracts we’re about to see — the blockchain merely stores a pointer to where the media is kept, like a bank vault that contains a piece of paper with the address of where a piece of art is stored.

Kraken Security Labs scanned thousands of NFTs for expired links (expired websites or custom URLs from hosting services).

The team first identified a token named UniOption, whose contract was created in December 2020.

The contract’s tokenURI method revealed that the token’s metadata was hosted at stacksideflow.github.io.

(Figure: the URL to the token’s metadata.)

With a little more configuration, we made it so we could deliver custom content via the stacksideflow.github.io URL. Mimicking the path pointed to in the NFT contract, we added a simple JSON file to our new repository that would deliver our metadata to the token.

(Figure: the name, description and image have been changed.)

From there, we bought the domain and, similarly to the previous example, set up a path to deliver custom metadata to the NFTs. Again, if we look up the collection on Rarible or OpenSea, we can see the changes made to the image, title and description.

When a smart contract hardcodes a URL subject to change, the creator leaves it open to hijacking.

In addition, some contracts may include functions that allow the contract owner or the token holder to update the URL, in which case it isn’t static and could change in the future.

Currently there’s no easy way to detect this ‘updatable URL’ vulnerability, though reviewing the smart contract code (if available) on pages such as Etherscan can protect against this.

For ERC-721 NFTs, Kraken Security Labs advises that you always check where your token is stored.

Ideally, if your NFT stores its data off-chain, it should be hosted on a system such as Arweave or IPFS (the Interplanetary File System) — not to be confused with IPNS (the Interplanetary Name System), as those links are not guaranteed to be immutable.
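The check Kraken recommends, as an added example that is not from the article or from Kraken Security Labs: build the eth_call payload that asks an ERC-721 contract for tokenURI(tokenId), decode the ABI-encoded string it returns, and classify whether the pointer is immutable (data:, ipfs://, ar://) or points at a host that can expire or be repointed (http(s), ipns://). It runs offline on a constructed response; the metadata path under stacksideflow.github.io is an assumption.

```python
# Added example (not Kraken's or Aliens' code). Offline: the eth_call response is
# constructed below; to query a live contract, send `calldata` via any JSON-RPC client.
from urllib.parse import urlparse

TOKEN_URI_SELECTOR = "c87b56dd"  # first 4 bytes of keccak256("tokenURI(uint256)")


def token_uri_calldata(token_id: int) -> str:
    """Hex calldata for tokenURI(uint256): selector + 32-byte big-endian token id."""
    return "0x" + TOKEN_URI_SELECTOR + token_id.to_bytes(32, "big").hex()


def decode_abi_string(ret_hex: str) -> str:
    """Decode the ABI encoding of a single dynamic `string` return value."""
    data = bytes.fromhex(ret_hex[2:] if ret_hex.startswith("0x") else ret_hex)
    offset = int.from_bytes(data[0:32], "big")          # where the string head starts
    length = int.from_bytes(data[offset:offset + 32], "big")
    return data[offset + 32:offset + 32 + length].decode("utf-8")


def classify_uri(uri: str) -> dict:
    """Tell an immutable pointer from one whose target can change without a contract change."""
    parsed = urlparse(uri)
    scheme, host = parsed.scheme.lower(), parsed.hostname or ""
    if scheme == "data":                       # metadata embedded in the URI itself
        return {"storage": "on-chain", "mutable": False, "host": None}
    if scheme in ("ipfs", "ar"):               # content-addressed: hash pins the bytes
        return {"storage": "content-addressed", "mutable": False, "host": None}
    if scheme == "ipns":                       # a name, not a hash: can be re-published
        return {"storage": "ipns-name", "mutable": True, "host": None}
    if scheme in ("http", "https"):
        # A gateway path pins a CID, but whoever controls the host controls the answer.
        kind = "ipfs-via-gateway" if "/ipfs/" in parsed.path else "http"
        return {"storage": kind, "mutable": True, "host": host}
    return {"storage": "unknown", "mutable": True, "host": host}


def abi_encode_string(s: str) -> str:
    """ABI-encode one `string` return value (used only to build the offline sample)."""
    raw = s.encode("utf-8")
    padded = raw + b"\x00" * (-len(raw) % 32)
    head = (32).to_bytes(32, "big").hex() + len(raw).to_bytes(32, "big").hex()
    return "0x" + head + padded.hex()


# Constructed sample: what eth_call would return if the token's metadata sat on a
# GitHub Pages site like the one in the article (the path is made up).
SAMPLE_RESPONSE = abi_encode_string("https://stacksideflow.github.io/metadata/1.json")

if __name__ == "__main__":
    print(token_uri_calldata(1))
    uri = decode_abi_string(SAMPLE_RESPONSE)
    print(uri, classify_uri(uri))
```

Any result with "mutable": True means the media can change without a transaction on the contract, so the contract source should also be read for owner- or holder-callable functions that rewrite the base URI.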
