Aliens TLDR
Kraken Security Labs scanned thousands of smart contracts on the Ethereum blockchain to take advantage of vulnerabilities left open in certain non-fungible token (NFT) contracts.
Contrary to popular belief, not all NFT media (or metadata) is stored on a blockchain.
In many cases — such as in the ERC-721 contracts we’re about to see — the blockchain merely stores a pointer to where the media is kept, like a bank vault that contains a piece of paper with the address of where a piece of art is stored.
Kraken Security Labs scanned thousands of NFTs for expired links (expired websites or custom URLs from hosting services).
The team first identified a token named UniOption, whose contract was created in December 2020.
The contract’s tokenURI method revealed that the token’s metadata was hosted at stacksideflow.github.io.
With a little more configuration, we made it so we could deliver custom content via the stacksideflow.github.io URL. Mimicking the path pointed to in the NFT contract, we added a simple JSON file to our new repository that would deliver our metadata to the token, with the name, description and image changed.
From there, we bought the domain and, similarly to the previous example, set up a path to deliver custom metadata to the NFTs. Again, if we look up the collection on Rarible or OpenSea, we can see the changes made to the image, title and description.
When a smart contract hardcodes a URL subject to change, the creator leaves it open to hijacking.
In addition, some contracts may include functions that allow the contract owner or the token holder to update the URL, in which case it isn’t static and could change in the future.
Currently there’s no easy way to detect this ‘updatable URL’ vulnerability, though reviewing the smart contract code (if available) on pages such as Etherscan can protect against this.
For ERC-721 NFTs, Kraken Security Labs advises that you always check where your token is stored.
Ideally, if your NFT stores its data off-chain, it should be hosted on a system such as Arweave or IPFS (the Interplanetary File System) — not to be confused with IPNS (the Interplanetary Name System), as those links are not guaranteed to be immutable.
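The two checks the article recommends, classifying where a tokenURI actually points and spotting URI-rewriting functions in a contract's ABI, as an added example (not Kraken Security Labs' code; the function names, the setter-name heuristic and the sample ABI are assumptions constructed for illustration):

```python
import json
import re
from urllib.parse import urlparse

# Hypothetical helper (added example): classify where an ERC-721 tokenURI
# points, so a holder can see whether the metadata location is immutable.
def classify_token_uri(uri: str) -> str:
    """Return 'on-chain', 'immutable', 'mutable', 'hijackable' or 'unknown'."""
    u = uri.strip()
    if u.startswith("data:"):
        return "on-chain"        # metadata embedded in the URI itself
    if u.startswith("ipfs://") or u.startswith("ar://"):
        return "immutable"       # content-addressed: a changed file has a new hash
    if u.startswith("ipns://"):
        return "mutable"         # an IPNS name can be re-pointed by its key holder
    parsed = urlparse(u)
    if parsed.scheme in ("http", "https"):
        # Gateway URLs still carry the content hash in the path (/ipfs/<cid>)...
        if re.match(r"^/ipfs/[A-Za-z0-9]+", parsed.path):
            return "immutable"
        if re.match(r"^/ipns/", parsed.path):
            return "mutable"
        # ...whereas a plain web host (a github.io page, a custom domain) can
        # expire and be registered by someone else, as the article demonstrates.
        return "hijackable"
    return "unknown"

# Names commonly given to ABI functions that rewrite the URI. Heuristic only:
# reading the verified source on Etherscan remains the real check.
URI_SETTER = re.compile(r"^(set|update|change)\w*(uri|url)", re.IGNORECASE)

def uri_setters(abi_json: str) -> list:
    """List ABI functions that can change where metadata lives ('updatable URL')."""
    abi = json.loads(abi_json)
    return sorted(
        e["name"] for e in abi
        if e.get("type") == "function" and URI_SETTER.match(e.get("name", ""))
    )

# Constructed sample ABI fragment (not taken from any real contract).
SAMPLE_ABI = json.dumps([
    {"type": "function", "name": "tokenURI", "inputs": [{"type": "uint256"}]},
    {"type": "function", "name": "setBaseURI", "inputs": [{"type": "string"}]},
    {"type": "function", "name": "transferFrom", "inputs": []},
])

if __name__ == "__main__":
    for uri in ("https://stacksideflow.github.io/meta/1.json",
                "ipfs://QmExampleCid/1.json", "ipns://k51example/1.json"):
        print(uri, "->", classify_token_uri(uri))
    print("URI setters:", uri_setters(SAMPLE_ABI))
```

A tokenURI that classifies as "hijackable", or an ABI with any URI setter, means the image a marketplace shows today is not guaranteed to be the one shown tomorrow.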