The non-fungible token (NFT) market has been booming since the summer of 2021 and as NFT prices were sky-rocketing, the number of hacks targeting NFTs were also increasing.
The most recent high-profile hack siphoned approximately 600 Ether worth of NFTs from Arthur0x, the founder of DeFiance Capital, and they were sold off on OpenSea.
A 2022 Crypto Crime Report published by Chainalysis highlighted that the value sent to NFT marketplaces by illicit addresses jumped significantly in 2021, topping out at just under $1.4 million. There is also a clear increase in stolen funds sent to NFT marketplaces.
Given the concerning rapid increase in illicit value flowing into the NFT platforms, it is natural to ask whether security measures and procedures are in place and if so, whether these measures are effective in protecting owners.
Let’s take a look at OpenSea, the largest NFT platform, and its security measures.
The security measures at OpenSea cannot protect users
OpenSea has two main security measures that kick in once an account has been “hacked” — locking the compromised account and blocking the stolen NFTs. These two measures are very ineffective when looking at them closely.
Locking the account can be done on the OpenSea website as shown here without human approval; whereas blocking the NFTs involves a lengthy process of raising a ticket and waiting for the OpenSea help team to respond.
In a situation when a hacker has already compromised the wallet and is in the process of transferring the NFTs out, locking the account will only be effective if it’s done quickly enough before the hacker transfers everything out.
Similarly, blocking the NFTs is also only effective before the NFTs are sold to another buyer by the hacker. What’s even worse is this security measure creates a series of indirect victims who end up with blocked NFTs that cannot be sold or transferred. This is because the response time for tickets raised in OpenSea is at least 1 day. By the time the NFTs are blocked by OpenSea, they would have already been sold to another buyer who now becomes the new victim of the crime.
In the case of the 17 stolen Azuki from Arthur0x, 15 of them were stolen within the same minute and 2 of them were stolen 3 minutes afterwards. The average time these stolen NFTs stayed in the hackers wallet before they were sold is 43 minutes. The security measures from OpenSea are in no way responsive and quick enough to inform the victim and stop the hacker; neither can they inform the buyers promptly enough to stop them from buying the stolen NFTs and becoming the indirect victim.
Blocking stolen NFTs creates indirect victims
An indirect victim is someone who is not the target of the hack but indirectly suffers from the financial losses caused by the blocking of the stolen NFTs. As seen from many recent NFT hacks, the NFTs are always sold before the block is implemented by OpenSea. The consequence of blocking the NFTs too late is that it creates indirect victims and more losses for more people.
To illustrate in more detail how anyone could end up buying a stolen NFT and become an indirect victim of a hack, here are three common cases:
Case 1: Alice bought an NFT but only found out later that it is a stolen asset. The NFT is blocked and Alice cannot sell or transfer it on OpenSea. She then proceeds to raise a support ticket. After several weeks, the OpenSea Trust & Safety team offers to refund the 2.5% platform fees; and possibly the email address of the victim who reported the theft if lucky. Then she’ll likely have a lengthy discussion with the victim to negotiate the possibility of lifting the block, which most likely will end up nowhere.
Alice can still sell the NFT in other marketplaces but the volume of sales is very low for this particular collection and there is no buyer who can offer a fair price on other platforms other than OpenSea.
Case 2: Alice made multiple offers to bid NFTs from a collection. One of the offers was accepted by the hacker, who then received the payment from the bid in the victim’s wallet and proceeded to clear out the wallet. The NFT was blocked later on as part of the stolen assets from unauthorised transactions by the victim.
Cases like this often happen because listed NFTs cannot be transferred unless the listing is cancelled. The hacker, who is under time pressure, will be more likely to accept a bid offer and get the proceeds from the sale and transfer the money out. The case below shows how the indirect victim’s entire NFT collection was blocked by OpenSea without explanation.
Here’s my thread about how @opensea unreasonably blocked my account and frozen all my NFTs after my offer 40 weth for @BoredApeYC #6267 was accepted.
I think it’s very important to spread this case among NFT community!
Let’s start ⬇️ pic.twitter.com/xnxctpzzpL
— Mpa3yka (@Mpa3yka) November 10, 2021
Case 3: Alice has owned an NFT for quite some time and suddenly it is blocked and marked as “reported for suspicious activity”. The seller’s account is not compromised and the transaction happened a while ago. Since there is no evidence required to report a stolen NFT and block it, anyone can send an email to OpenSea’s anti-fraud team to block any NFT.
Although a police report can be requested later on, there is neither a clear statement by OpenSea to specify the evidence needed to prove the hack nor a condition under which a falsely reported stolen NFT can be identified and lifted from the block. There is no consequence for falsely reporting stolen NFTs.
NFTs are often blocked with no explanation or evidence such as police reports provided to the indirect victim. Theoretically these NFTs can still be traded on other platforms, but given OpenSea’s monopoly in the marketplace with 95% of the total NFT trading volumes, blocking any NFT on OpenSea is almost equivalent to taking them out of the market forever.
Blocking NFTs could artificially increase the price
The danger of blocking stolen NFTs from trading on the largest NFT platform OpenSea is the permanent reduction in supply. Based on the law of supply and demand in economics theory, when supply goes down, price goes up.
As an example, the Azuki collection has 10,000 NFTs and currently only 1,100 are on sale on OpenSea. The Arthur0x hack results in 17 of them being stolen and blocked. Although 17 NFTs are only around 1.5% of the 1,100 circulating supply, the price has already shown a trend of increasing after the hack. The hack happened on Mar. 22 and the price peaked on Mar. 28 to 20.96 Ether prior to the airdrop announcement on March 31 — a 55% increase within a week.
Although not all of the 17 stolen NFTs are blocked as Arthur managed to recover some through negotiating with the indirect victims to buy them back, future hacks in similar form will continuously happen and cumulatively the number of blocked NFTs can only increase as hacks continue and no procedures are in place to unblock them.
Using Azuki as an example again, the graph below collects the historic number of sales and average price to create a demand curve and assumes the supply curve is linear. The point where the supply and demand curves intersect is the equilibrium price.
As supply continuously decreases, the speed of increase in price becomes faster as the slope of the demand curve gets steeper. An equal decrease of 300 NFTs in supply from 1,000 to 700 versus from 700 to 400 results in a larger price increase for the latter.
As shown in the graph below, the price increases from 15 ETH to 21 ETH from the 1,000 to 700 reduction, but increases more from 21 ETH to 28 ETH from the 700 to 400 reduction.
It is clear to see that blocking the stolen NFTs could artificially increase the price of the collection. If someone wanted to take advantage of the loophole in the OpenSea security system by falsely reporting many NFTs from the same collection as stolen (since no evidence is required to report stolen NFTs), the price of the collection could dramatically increase if the supply is low. This loophole could create opportunities for price manipulation in the illiquid NFT market.
In any case, blocking NFTs is not an effective measure to stop the hack or punish the hacker, but on the contrary creates more indirect victims and loopholes for market manipulators. This is certainly not the way to go, so is there any effective security measure?
Preventive measures and an evidence based system need to be in place
The current OpenSea security system has no preventive measures in place to protect users in advance. All the safety measures are only implemented after the hack, which is one of the main reasons why they are ineffective.
Based on the behaviours of the hackers, time is an essential component. Security measures that can slow down the hacker or inform the victims early are the keys to win the battle. Here are some more effective preventive measures that can be implemented by OpenSea:
- Create an early warning system that can detect abnormal account activity and send instant text messages or email alerts to inform users of such activity so they have enough time to respond. For example, if the account has never bought or transferred more than one NFT within one minute; or if the account has never had any activities in the past during a specific time period (i.e. time zones when the user is asleep), the occurrence of such activities will be detected by machine learning algorithms. The account holder can choose to be informed immediately, or allow the account to be automatically locked for safety.
- Provide users the options to constrain the maximum number of NFT transfers or sales allowed within a timeframe, i.e. maximum one transfer or sale within one minute; or a minimum time interval imposed between each transfer or sale, i.e. the next transfer or sale can only happen 15 minutes after the previous one. These measures can prevent hackers from stealing a large number of NFTs in one go.
- Create suspicious account dashboards that allow victims to instantaneously add compromised accounts and hacker’s accounts for public scrutiny. This will give all buyers real-time information about suspicious accounts and the ability to cross check if the seller is on the list before they buy. Evidence such as a police report can be requested later on from the victim to prove the reported accounts are indeed compromised.
Some of these measures might create false alarms and inconvenience. But given it is a race of time against the hacker when it comes to preventive measures, users would rather be safe than sorry to avoid becoming the next victim.
Common misconceptions about crypto hacking
A common misconception about crypto hacking is that “this won’t happen to me because my security awareness is high and I use a hard wallet”. It might be true that a direct malicious hack could be avoided through good security practice, but anyone could become an indirect victim of a hack targeting someone else. When the number of hacks increases, the chance of becoming an indirect victim is also much higher.
Another misconception is “as long as I don’t keep too much money in my hot wallet, it doesn’t matter if the wallet is compromised”. What most of the users fail to realise is that monetary loss is only one part of the repercussion from the hack. Losing a web3 wallet is like losing the entire credit history. Any future benefits based on past activities such as airdrops or access to loans and leverage could also evaporate with the compromised wallet.
Although blockchain is one of the most secure financial technologies ever created, malicious hacks toward crypto-based platforms are the greatest threat to the Web3 venture.
Given blockchain’s irreversible nature and OpenSea’s lack of preventive security measures, it is not hard to see the best solution OpenSea came up with after the Ethereum domain auction hack is to offer the hacker a 25% profit from the sale in exchange for the return of the stolen NFTs. Only in the world of the NFT market can a criminal get rewarded rather than punished for such a serious crime.
As the monopoly of the NFT market, OpenSea can certainly do better than this and take security measures more seriously and provide more protection to its users.
The views and opinions expressed here are solely those of the author and do not necessarily reflect the views of Cointelegraph.com. Every investment and trading move involves risk, you should conduct your own research when making a decision.
Ray Schuetz received a Masters Degree in computer science from The University of Texas (Austin). Ray has been working as a full-time blockchain consultant for the past 3 years. In his spare time, Ray enjoys writing for EthereumCryptocurrency.com and other crypto news publications.