It’s well known in crypto that hackers follow the money. In the earlier days, centralized exchanges and soft wallets were the prime targets. Over recent years, attackers have also expanded their remit into DeFi smart contracts, exploiting programming bugs and vulnerabilities to drain lending and liquidity pools. Now, inevitably, they’re turning their attention to NFTs, a fast-growing segment with a limitless capacity for growth. And people are turning to some extreme measures to cash in on the NFT craze.
Earlier this year, Nifty Gateway users began complaining that their accounts had been hacked, with one user claiming that someone had stolen their NFTs held on the platform and made a $10k purchase without their consent. The money pouring into NFTs has also resulted in artists having their work stolen and minted as NFTs by unknown parties, who then sell it and net the profits. In one case covered by Wired, the thefts happened even after the artist had died.
While these cases are extreme enough, the unknown future value in NFTs makes for some intriguing scenarios. After all, the idea of asset tokenization is still in its infancy, but in principle, any asset could be tokenized as an NFT on a blockchain. As a first use case, art offers a few examples of ultra-valuable NFTs – Beeple’s record-breaking $69 million Christie’s auction springs immediately to mind.
But imagine a world in which assets like a private yacht worth $600 million, or even the Crown Jewels worth an estimated $4 billion, could be tokenized. It would certainly raise the stakes for any potential attacker. So, without getting too carried away on a Mission Impossible-type fantasy heist event, how would a hypothetical cat-and-mouse game of security between the guardians of a precious digital asset and a wily thief play out?
How Secure is a Blockchain Wallet?
Well, it’s obvious from the off that centralized NFT marketplaces are suffering the same security issues as centralized crypto exchanges. They’ll continue to become honeypots for attackers, and vulnerable humans can fall prey to scams designed to reveal their passwords.
But nobody with a really valuable NFT is going to risk keeping it in their account on a centralized platform. It’s relatively safe to assume that as the digital asset market matures and NFTs become a mainstay, the custody infrastructure will evolve in much the same way as it has for crypto. Therefore, holders of expensive NFT assets will be able to expect institutional-grade storage wallets that conform to military-grade security standards.
So our bad guy needs a more sophisticated tactic. If he can’t get access to usernames and passwords, is there a way to brute-force attack the wallet itself?
Cryptography is a central component of online security. We use public-private key pairs to enable secure access to everything from our email accounts to our Bitcoin wallets. However, the cryptographic algorithms on which we currently rely are only secure up to a point. Using today’s computing power, it would take decades to be able to brute-force attack Bitcoin’s encryption algorithm and reveal someone’s private keys.
But the age of quantum computing is upon us. In July this year, Chinese researchers unveiled a quantum machine that can complete a benchmark task in 70 minutes that would have taken classical computers eight years to achieve.
Seeing Off the Quantum Threat
Theoretically, if our thief could harness enough quantum computing power, he could attack the blockchain encryption securing the theoretical NFT Crown Jewels, reveal the private keys, and the heist would be a success.
However, in this case, the NFT issuer would have the last laugh if they’d used a platform with quantum-resistant encryption to issue the NFT. For example, the team behind QAN, the quantum-resistant blockchain, foresaw the quantum threat several years ago and began working on a future-proof platform that uses a more sophisticated encryption algorithm.
It’s also developer-friendly, supports multiple programming languages, and is energy-efficient. QAN supports all kinds of smart contracts, including NFTs, and is Ethereum-compatible, meaning that any assets or applications running on Ethereum can easily migrate to the QAN platform to benefit from its quantum-resistant security.
A 51% Attack is Becoming More Expensive
The only other line of attack available to our wannabe villain is to attempt to attack the blockchain network itself. The increasing shift to proof-of-stake makes this expensive because our baddie would need to acquire enough of the staking currency to carry out an attack.
For example, let’s suppose the NFT is on Solana – currently the most popular staking platform. An attacker would need to obtain a controlling share of the $90 billion in staked SOL to successfully manipulate the network. Even with the Crown Jewels as a reward, that’s prohibitively expensive.
In this case, a proof-of-work blockchain may be a cheaper option. Based on data from Crypto51, it would currently cost a mere $2.6 million per hour to attack Ethereum.
So despite the headlines, it seems that it’s not quite as easy to steal NFTs as it may appear. NFTs are like any other digital assets: leave them on centralized platforms secured by only a username and password at your own risk. Expensive NFTs and tokenized assets should be kept either in secure private wallets or with a trusted, reputable custody provider. Once the user has done their bit, blockchain’s robust security is capable of delivering the rest.