[New Wave] NFTs Can Also Be Hacked

Just as the statement "blockchain is hack-proof" is a typical fake news, the claim that "non-fungible tokens (NFTs) are hack-proof because they operate on blockchain" is also incorrect.

First, NFTs serve only as digital certificates of registration and are not digital rights management (DRM) solutions that prevent unauthorized use of digital content. Because of this, even if someone has not purchased an NFT, anyone can search the blockchain to find NFTs owned by others and, through this, discover the internet location of the original digital content linked to that NFT and view the original via a web browser. In other words, NFTs do not guarantee the confidentiality of the original digital content.

Second, since the digital originals are stored somewhere on the external internet rather than on the blockchain, there is a risk that they can be damaged or deleted at any time due to hacking or administrator negligence.

Third, it is known that the ownership information recorded on the NFT and the location information of the original content file are almost impossible to delete or modify due to the immutability characteristic of the blockchain. This is theoretically correct. However, just as a building may develop cracks or be vulnerable to fire if the construction company lacks expertise despite a perfect architectural design, the same applies to blockchain. No matter how theoretically perfect the blockchain’s design (algorithm) is, if programming errors occur during its software implementation, this can lead to hacking.

Fourth, since NFT transactions fundamentally operate on the same principle as exchanging cryptocurrencies, if the electronic wallet key?which corresponds to a bank account password?is leaked through phishing sites or scam emails, ownership of the NFT can be transferred to an unintended person. On February 19 (local time), 254 NFTs owned by 17 OpenSea users were stolen in a phishing attack, and the hacker sold the stolen NFTs for over $650,000 through LooksRare.

Fifth, even if the basic components that make up the NFT transaction system?namely blockchain, smart contracts, and NFTs?are well designed and implemented, if the internet used for their communication is disrupted by hacking, it is entirely possible to steal others’ NFTs. On February 3, KLAYswap, a decentralized finance (DeFi) service based on the cryptocurrency Klaytn (KLAY), was attacked by an unidentified hacker group, resulting in the theft of approximately 2.2 billion KRW worth of cryptocurrency. This incident occurred due to an attack on the Border Gateway Protocol (BGP), which is used to configure internet communication routes. The hacker exploited structural vulnerabilities in the internet communication system to cause malicious programs they created to be called and executed instead of legitimate programs, successfully stealing cryptocurrency.

Cryptocurrencies, NFTs, and blockchains can all be hacked. There is no perfect security, and both developers and transaction participants must always keep in mind the need for thorough security verification of all components that make up the service.

Seungjoo Kim, Head of the Department of Cyber Defense, Korea University

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.