NFT Project Audit Overview
NFT is the abbreviation of “Non-Fungible Token”. An NFT can be understood as a unique unit of data stored on a blockchain. Whenever we talk about NFT tokens, we naturally draw an analogy with the common ERC-20 token, but there is a difference between the two: any two NFT tokens are distinct from each other and are not interchangeable, that is, they are not fungible. Therefore, operations related to NFTs (such as trading) differ significantly from those of ERC-20 tokens and other fungible crypto assets (such as Bitcoin and Ethereum).
In recent years, a new ecosystem has grown with NFTs at its core, and this ecosystem developed particularly rapidly in 2021. However, as the ecosystem develops rapidly, security issues within it appear frequently. When the industry examines these security issues, it often compares them to the security issues in the ERC-20 token ecosystem, but security issues in the NFT field have their own characteristics and differences, and these have not yet been systematically studied by the industry.
The security issues in the NFT ecosystem have been explored by academia, for example in the paper co-authored by D. Das, P. Bose, N. Ruaro, C. Kruegel and G. Vigna. However, in practice and concrete implementation, there is a lack of in-depth discussion and research on how to audit NFT security issues: what process to follow, what preventive measures to take, and from which angles to approach them.
Based on the professional knowledge and practical experience accumulated in auditing NFT projects, the Fairyproof research team has summarized a set of systematic and comprehensive solutions. Here we would like to discuss them with colleagues in the industry and with those following the development of this field.
If a project, application or service interacts with NFTs, we regard it as an NFT project, NFT application or NFT service, and as a member of the NFT ecosystem. All of these applications and services together make up the NFT ecosystem we see today.
In this ecosystem, according to the technical role played by each member, we divide them into four categories: the blockchain on which the NFT token is deployed, the NFT token implementation contract, the core application that implements the business logic and processes, and the applications or services that assist the NFT's work.
All four categories need attention and review in an NFT project audit. If the blockchain on which the NFT is deployed cannot work properly, the project loses its foundation; if there is a problem with the NFT token's implementation contract, the NFT will not work properly and the project loses its core; if there is a problem with the design of the project's business logic and processes, the project is left with only a lifeless NFT token; and if the applications or services that assist the NFT do not work properly, or the project has not selected suitable auxiliary applications or services, the NFT cannot fully realize its potential.
Therefore, the security and auditing of these four are indispensable and cannot be ignored. In the following chapters we discuss the security and auditing of each.
Audit of the blockchain
For the blockchain on which the NFT project is deployed, if it is a relatively mature chain (such as Ethereum), there is normally no need to audit it and this step can be skipped: a mature blockchain has developed and grown over the years, has gone through the challenges and tempering of various security incidents, and therefore has a relatively reliable security track record. If the blockchain is nascent, however, its audit cannot be skipped.
Blockchain auditing is relatively mature in the industry. The methods, processes, key points and difficulties of such audits are already well-practiced business for blockchain security companies, including Fairyproof, and this type of audit is not new to the industry.
Audit of NFT implementation contracts
Technically, the implementation of an NFT token is similar to that of a common ERC-20 token and consists of one or more smart contracts. However, since the token standards on which NFT implementations are based (such as ERC-721 and ERC-1155) differ from the ERC-20 fungible token standard, the problems that may arise in NFT tokens also differ somewhat from those of ERC-20 tokens. One typical problem is whether the NFT's issuance (minting) function uses a suitable source of randomness. If the randomness used is not suitable, the NFT may suffer a “rollback” attack when it is issued: users can repeatedly revert the minting transaction until they obtain their preferred NFT. Therefore, the audit of NFT implementation contracts also differs slightly from the audit of ERC-20 contracts, mainly in focus, emphasis and difficulty.
In this regard, Fairyproof has systematically summarized its practical experience and developed a set of automated audit tools that can quickly locate risk points in NFT contracts and eliminate potential risks.
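As an added illustration (not Fairyproof's tooling nor any audited project's code), the predictable-randomness mint pattern that the rollback attack exploits, beside a commit-reveal variant that removes the buyer's ability to revert on an unwanted outcome; the supply, price and linear-probe id assignment are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Shared id assignment: an assumed minimal model, not a full ERC-721 implementation.
abstract contract RandomMintBase {
    uint256 public constant MAX_SUPPLY = 10000; // assumed collection size
    uint256 public minted;
    mapping(uint256 => address) public ownerOf;
    mapping(uint256 => bool) internal taken;

    function _assign(uint256 rand, address to) internal returns (uint256 id) {
        require(minted < MAX_SUPPLY, "sold out");
        id = rand % MAX_SUPPLY;
        while (taken[id]) id = (id + 1) % MAX_SUPPLY; // linear probe to a free id
        taken[id] = true;
        ownerOf[id] = to;
        minted++;
    }
}

// VULNERABLE: every hash input is known inside the minting transaction, so a calling
// contract can mint, inspect the returned id and revert unless it is the one wanted.
contract VulnerableMint is RandomMintBase {
    function mint() external returns (uint256) {
        uint256 rand = uint256(keccak256(abi.encodePacked(block.timestamp, msg.sender, minted)));
        return _assign(rand, msg.sender);
    }
}

// HARDENED: pay and commit first; the id depends on a block hash that does not exist
// at commit time, and anyone may trigger the reveal, so the buyer can neither
// inspect-and-revert nor silently abandon an unlucky commit (the payment is kept).
contract CommitRevealMint is RandomMintBase {
    uint256 public constant PRICE = 0.05 ether; // assumed mint price, non-refundable
    mapping(address => uint256) public commitBlock;

    function commit() external payable {
        require(msg.value == PRICE, "wrong price");
        require(commitBlock[msg.sender] == 0, "commit pending");
        commitBlock[msg.sender] = block.number;
    }

    function reveal(address buyer) external returns (uint256) {
        uint256 b = commitBlock[buyer];
        require(b != 0 && block.number > b, "nothing to reveal yet");
        require(block.number - b < 256, "commit expired"); // blockhash() covers only the last 256 blocks
        commitBlock[buyer] = 0;
        uint256 rand = uint256(keccak256(abi.encodePacked(blockhash(b), buyer)));
        return _assign(rand, buyer);
    }
}
```

An expired commit here simply forfeits the mint, so a production contract would need a fallback for that branch; a verifiable random function (for example Chainlink VRF) is the more robust alternative to block-hash randomness.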
Audit of core business logic applications
The core business logic application referred to here is the part of an NFT project that implements its business logic. This part of the application interacts with the various NFT tokens.
Applications that implement business logic in an NFT project can usually be divided into two categories:
One is the typical Internet 2.0 application. Its interaction with the NFTs in the project and the business logic it implements are relatively simple, usually involving only basic NFT operations such as issuance and transfer. The “PFP” (profile picture) projects that became very popular in recent years belong to this category.
The other is a comprehensive application that combines an Internet 2.0 application with blockchain smart contracts. The NFT operations involved in such applications are much more complex: in addition to simple issuance and transfer, there are the management of NFT tokens, the use of NFT tokens as collateral, and so on. The largest applications in the NFT ecosystem, such as trading platforms, are of this type.
Although these two types of applications differ in complexity, they both show some unique commonalities compared with applications based on ERC-20 tokens, and these commonalities are shared across NFT applications.
These commonalities are mainly the following: first, the on-chain operations involved in NFT applications are not as complicated as those in ERC-20 token applications (such as DeFi applications); second, many NFT applications are aimed at non-technical people, some of whom have no knowledge of blockchain and do not understand blockchain-based cryptocurrencies.
Therefore, in order to let a large number of non-professional users use and participate in NFT projects without obstacles, and without any knowledge of blockchain or cryptocurrency, many development teams spend a lot of energy and resources designing and optimizing the user interface so that it matches the habits users have formed in Internet 2.0 applications. This naturally leads some projects to follow Internet 2.0 technologies and processes in their design and development. On the one hand, this lowers the entry threshold and makes it easier for new users to enter the NFT field; on the other hand, it also makes these NFT applications tend to be overly centralized. This tendency exists not only in the technical implementation of the application but also in its business logic and processes.
What we want to emphasize here is that the problems which may exist in the business logic and processes of existing NFT applications, and whether they harbor unknown hidden dangers, have not yet attracted enough attention and research from practitioners in the industry, especially in the security field. For example: on many popular NFT trading platforms, KYC is not mandatory, let alone strictly enforced; in that case, how can security incidents be prevented and the identity of an attacker be tracked and located? “Authenticity” verification is only optional on most trading platforms, not a mandatory item; in that case, how can users be prevented from mistakenly entering fake projects? And in the processes and methods currently adopted by the various platforms for the NFT's original team to set and collect transaction royalties, are there security loopholes, hidden dangers, fraud or unfairness?
The development and research of the above issues have rarely been mentioned in the industry, let alone discussed in depth.
In this regard, Fairyproof has been conducting ongoing research and exploration, has accumulated and summarized experience in these areas, and has developed a comprehensive framework and system that can provide constructive opinions and practical solutions to practitioners in the NFT field.
Audit of ancillary services or applications
The auxiliary services or applications mentioned here are those that help the NFT give full play to its functions or features. A typical example is a service or application that stores the NFT's metadata.
The PFP projects that emerged in 2021 make use of such ancillary services or applications. Such typical NFT projects tend to issue a fixed number of NFTs, each with a unique picture, and each picture contains a combination of various traits. For each NFT, this image is its metadata.
These pictures are often carefully designed and unique in order to attract users to buy and hold them, so the preservation and display of the pictures is very important for such projects. Many projects consider various schemes to keep the images as permanent as possible. Therefore, which services or applications can provide reliable, stable and permanent storage is a focus for these project teams.
At present, common storage solutions in the industry mainly include decentralized storage applications and centralized storage applications. The former are typified by IPFS, Arweave and so on; the latter mainly include Amazon cloud (AWS) and so on.
However, not all of these storage solutions provide permanent storage out of the box: some can provide permanent storage but at a high cost, and some can only provide temporary storage billed by duration. Each has its own advantages and disadvantages. Therefore, how to combine one or more solutions into a service that can store data permanently is a problem project developers must consider.
But when a project team considers using these solutions, what problems may exist in the solutions themselves? What safety hazards or potential risks may arise when they are used in combination? How can these hidden dangers or potential risks be avoided and prevented? Discussion and research on these issues has so far been rather limited.
Fairyproof has been paying attention to research and exploration in this field since its establishment, especially the difficulties and priorities that may exist in security practice. Based on our own accumulation and practice, we have developed a set of systematic solutions to evaluate and review NFT auxiliary services or applications, and have developed and deployed a comprehensive set of processes and systems to review the potential safety hazards and risks that may exist in the various practical schemes of these auxiliary services or applications.
The audit of an NFT project is not only the audit of NFT smart contracts; it is a systematic project and a set of comprehensive processes. It is necessary to comprehensively examine, from an ecosystem perspective, the NFT itself, its core business logic, and the surrounding applications, infrastructure and ancillary services.
Fairyproof has been and will continue to pay close attention to the development of the NFT ecosystem, persevere in in-depth research on security issues in this field, continue to expand and explore the latest developments based on our established framework, and continue to share with the industry our thinking on cutting-edge issues and forward-looking judgments.
References
Non-fungible token, https://en.wikipedia.org/wiki/Non-fungible_token, Feb 22, 2022
ERC-20 Token Standard, https://ethereum.org/en/developers/docs/standards/tokens/erc-20/
D. Das, P. Bose, N. Ruaro, C. Kruegel, G. Vigna, Understanding Security Issues in the NFT Ecosystem, https://arxiv.org/abs/2111.08893, Jan 19, 2022
ERC-721 Non-fungible Token Standard
EIP-1155: Multi Token Standard, https://eips.ethereum.org/EIPS/eip-1155
A Beginner's Guide to Understanding PFP NFTs, https://medium.com/geekculture/a-beginners-guide-to-understanding-pfp-nfts-8714e9d30d0b, August 29, 2021
CryptoPunks, https://www.larvalabs.com/cryptopunks
BAYC, https://boredapeyachtclub.com/#/
OpenSea, https://opensea.io/
Rarible, https://rarible.com/
Curve, https://curve.fi/
MakerDAO, https://makerdao.com/
Nifty Gateway, https://niftygateway.com/
Metadata, https://csrc.nist.gov/glossary/term/metadata
IPFS, https://ipfs.io/
Arweave, https://www.arweave.org/
AWS, https://aws.amazon.com/
About the author:
Yuefei TAN, CEO of Fairyproof
Fairyproof Tech is a blockchain security company, established in Jan 2021.
It was founded by a team with rich experience in smart contract programming and network security. The team members participated in initiating a number of draft standards in the Ethereum field, including ERC-1646, ERC-2569, ERC-2794, and EIP-3712, of which ERC-2569 was officially accepted by the Ethereum team.
The team participated in the launch and development of various Ethereum projects, including blockchain platforms, DAO organizations, on-chain data storage, decentralized exchanges, and conducted security audits of multiple projects which have been deployed on Ethereum. Based on its strong R&D capability and deep understanding of smart contract security, Fairyproof has developed comprehensive vulnerability tracking and security systems and tools.
Fairyproof Tech serves and works closely with customers by providing systematic solutions covering both “code vulnerabilities” and “logic vulnerabilities” and aims to provide customers with the best and most professional services.