The hacking of non-fungible tokens

People were willing to pay millions for JPEGs and digital art sitting somewhere on a server.

People were willing to pay millions for JPEGs and digital art sitting somewhere on a server.

Published Jun 19, 2022


According to some economists there are several market indicators that a recession may be looming.

Perhaps it is time for the market to return to reality as is currently happening.

In the well-known 2002 song “Lose Yourself” by Eminem is a catchy phrase: “The clock’s run out, time’s up, over, blaow! Snap back to reality, ope there goes gravity…”

Over the past few years people made bags full of money from growth stocks, meme stocks (a stock that gains popularity among retail investors through social media), cryptocurrencies and non-fungible tokens (NFTs).

The more ridiculous the valuations became, the more people invested since trading became cheaper, interest rates were low, governments pumped huge amounts of money into quantitative easing and hand-outs, and people turned to the investment market for entertainment during pandemic lockdowns.

Almost overnight NFTs – the so-called rare JPEGs – became hugely popular as an investment instrument.

In August 2022 weekly trading in NFTs amounted to R17.2 billion and dropped to R2.4 billion per month after the cooling-off period.

People were willing to pay millions for JPEGs and digital art sitting somewhere on a server.

The problem, however, is that people were not buying NFT assets for their intrinsic value, but rather for what they could be or become.

In time due diligence and fundamentals were replaced by popular memes and elegant marketing.

NFT assets in reality did not become more valuable, but were often driven by people who were afraid they would miss out on the opportunity to become rich.

But eventually the surplus money dried up, fuel prices increased, inflation rose, interest rates went up, and the money printing and stimulus hand-outs by government stopped.

And suddenly stock markets, cryptocurrencies and NFTs tumbled and are worth much less.

And if this is not bad enough, it seems that NFTs – with such nascent and complex technologies behind it – have some flaws. Increasingly NFTs are being hacked, which reached new heights during the pandemic with multiple hacks reported per month.

Although people are told otherwise, crypto and NFTs have several new vulnerabilities that can be exploited by highly capable and knowledgeable hackers.

Some of the vulnerabilities are inherent to the technology infrastructure. Others depend on cooperation, mostly obtained through phishing and airdrop scams that often exploit the gullibility and trust of investors. Due to these vulnerabilities illicit activity has increased exponentially, with the Bored Ape heist being the most memorable recent heist.

The Bored Ape hacking happened during April 2022 – one of the months with the highest number of hacks in the history of the decentralised finance (De-Fi) and NFT industry.

Hackers targeted Yuga Labs - the multibillion-dollar collective behind the famous Bored Ape Yacht Club’s (BAYC) Simian NFTs – and stole about R48.2 million.

The attacker seized control of the BAYC Instagram account and sent a phishing post on which numerous deceived followers clicked. When they trustingly clicked on the post, it connected their crypto wallets to the hacker’s “smart contract” or the mechanism used to implement a crypto transaction.

This enabled the hacker to access the assets in the wallets and to steal four Bored Apes and numerous other NFTs.

Since many people owning NFTs are exposed to hacking, it is of the utmost importance that they take precautions due to the irreversibility of transactions.

The first precaution is to do proper due diligence since there are numerous scams in the crypto space.

Any potential NFT buyer should not be too trusting and should take care to identify the creators of the digital asset and also research other basic information.

Secondly, it is important to beware of stolen assets. OpenSea facilitates 95% of all NFT transactions and block NFTs from being traded when it has been reported as stolen.

The problem is, however, if the stolen asset is sold before it is reported and blocked, an innocent buyer can end up holding an illiquid asset. Therefore, before any NFT is purchased, the owner’s transaction history should be traced to verify if the seller has held it for a long enough time and that it has not been flagged on OpenSea due to suspicious activity.

Lastly, buyers must be careful with airdrop claims and preferably delay it. The sophisticated BAYC hacking posted a link for holders to claim a token airdrop for their new metaverse platform.

To claim an airdrop it is necessary to sign a smart contract that would assess your transaction history to determine how much you were eligible to receive. In this case the smart contract allowed the assets to be transferred out of the wallet.

It is, therefore, better to avoid these scams by delaying claiming airdrops by a day or two while watching for feedback on community channels such as Discord and Twitter. It is also a good idea to search for evidence of airdrop transactions on-chain.

Currently, there is still money to be made from NFTs as an investment class, but it is still relatively new and complex and should be handled with care and awareness of the numerous hacking scams and risks. But with the declining demand for NFT assets, it is important not too fall prey to the “Greater Fool Theory.”

Prof Louis C H Fourie is a technology strategist.

*The views expressed here are not necessarily those of IOL or of title sites.