Abstract
The enticing narrative promised by the Ethereum blockchain is to be a decentralized world-computer within which utility-based NFTs are an integral piece of the story. In this presentation, we will look at a crafty new technique that ricochets a utility-based NFT across smart contracts to circumvent staking safeguards, and also at how easy it is to exploit off-chain marketplace logic relied upon to implement ERC-721 and ERC-1155 standards.
We will walk through real-world exploits in existing smart contracts and also see how the largest marketplaces that trade millions of dollars of NFTs per day are riddled with vulnerable off-chain logic.
The attack surface created in application code relied upon to bridge off-chain functionality with on-chain logic is wide and growing. New NFT marketplaces are popping up every day, more specifically Decentralized Autonomous Organizations (DAOs) that allow NFTs to be deposited as collateral to take out loans. These new marketplaces also bring with them a new set of attack vectors and vulnerabilities.
The architecture of NFT marketplaces provides the illusion that the on-chain implementation and the off-chain logic interact and communicate directly, seamlessly, and swiftly. In reality, the off-chain and on-chain communication is completely divorced and implemented using algorithmic techniques that can often be bypassed, thereby opening up avenues for real-time price manipulation and for collapsing billion-dollar NFT collections to zero. We will also discuss upcoming agents with entirely new motives.
We will also take a look at real-world exploits that target the divide in talent between the academically minded professionals focused on coding the smart contracts and the traditional security engineers who are tasked with writing the web2 UI code to glue it all together.
The intent of this talk is to highlight current and upcoming attack vectors in the arena of NFT marketplaces, and ultimately to contribute to their secure implementation.