18/03/2024
NIST has published the final version of Internal Report (IR) 8472, Non-Fungible Token Security. We’ve broken down the key takeaways from NIST’s Internal Report 👇
Blockchain
Blockchains are tamper-evident and tamper-resistant digital ledgers, implemented without a central repository and often operating without a central authority. They consist of cryptographically signed transactions grouped into blocks. Each block is cryptographically linked to the previous one, which ensures data integrity and resistance to modification.
Smart Contracts
Smart contracts are collections of code and data deployed on the blockchain network, facilitating automated, secure transactions and state management without intermediaries. They are executed by nodes within the blockchain network, ensuring consistent results across the network.
Tokens
Tokens are digital representations of assets, managed by smart contracts on a blockchain. They can be fungible, with identical tokens being interchangeable, or non-fungible (NFTs), where each token is unique and represents a distinct asset or property.
NFT Definition
A Non-Fungible Token (NFT) is an owned, transferable, indivisible data record on a blockchain, representing a digital or physical asset. Unlike fungible tokens, NFTs are unique, with each token linked to a specific asset, managed by a smart contract.
NFT properties derive from their definition and are provided by smart contracts, the underlying blockchain, and human management. The list below summarizes the associated security concerns.
1. Ownership Confusion: Buyers might believe they’re purchasing an asset, not an NFT.
2. Unauthorized NFT Creation: Smart contracts may link NFTs to assets without legal authority.
3. Account Compromise: Theft of blockchain account keys can result in NFT theft.
4. Immediate Sale of Stolen NFTs: Thieves quickly sell stolen NFTs for cryptocurrency.
5. Lack of Restoration Mechanisms: Stolen tokens often cannot be restored.
6. Potential Confiscation by Contract Managers: Managers could misuse their power to transfer tokens.
7. Future Manager Privileges: Updates to smart contracts could grant new powers to managers, including transferring tokens.
8. Smart Contract Vulnerabilities: Coding errors could allow token theft.
9. Fractional Ownership Risks: Additional smart contracts for fractional ownership increase attack surfaces.
10. Forced Buyout Unawareness: Fractional owners may not realize they can lose shares through forced buyouts.
11. Delinking Risk: Incorrect metadata can render an NFT worthless.
12. Server Failure: External data hosting failures can delink NFTs.
13. Compromise of Off-Blockchain Link Tables: Attackers can alter NFT linkages.
14. Owner-Initiated Delinking: Table owners can intentionally delink NFTs.
15. Public Information Unawareness: NFT ownership data is public.
16. De-Anonymization Risks: Blockchain accounts can be traced back to individuals.
17. Blockchain History Alteration: Attacks could modify blockchain history.
18. NFT Burning: Sending NFTs to inaccessible addresses effectively destroys them.
19. Self-Destructing Smart Contracts: Contracts could be programmed to destroy themselves.
20. Data Record Alteration: Vulnerabilities might allow changes to NFT data.
21. Immutability Exceptions: Consensus or forks can alter blockchains.
22. Chain Splits: Forks can duplicate NFTs across blockchains.
23. Non-Unique Asset Linking: Multiple NFTs can link to the same asset.
24. Simultaneous Sales on Multiple Exchanges: The same asset can be sold as different NFTs.
25. Forged or Misattributed Assets: NFTs might misrepresent asset authenticity.
26. Unauthorized Sales: Sellers might not have the right to sell the NFT.
27. Misunderstood Purchase Rights: Buyers might not receive the expected rights over the asset.
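One way to check for the delinking and non-unique linking concerns above (items 11 to 14 and 23), as an added example that is not taken from the NIST report or the original post. It assumes each NFT record stores a SHA-256 digest of its asset next to the link; the record fields, addresses, URLs and hosted content are all constructed.

```python
import hashlib
from collections import defaultdict
from urllib.parse import urlparse

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed asset bytes and NFT records (field names are assumptions).
ASSET_A, ASSET_B = b"constructed artwork A", b"constructed artwork B"
NFTS = [
    {"contract": "0xC1", "token_id": 1, "uri": "https://media.example/a.png", "digest": sha256_hex(ASSET_A)},
    {"contract": "0xC1", "token_id": 2, "uri": "ipfs://constructed-cid-b", "digest": sha256_hex(ASSET_B)},
    {"contract": "0xC2", "token_id": 7, "uri": "https://mirror.example/a.png", "digest": sha256_hex(ASSET_A)},
    {"contract": "0xC2", "token_id": 8, "uri": "https://media.example/gone.png", "digest": sha256_hex(b"constructed original 8")},
    {"contract": "0xC2", "token_id": 9, "uri": "https://media.example/9.png", "digest": sha256_hex(b"constructed original 9")},
]
# Constructed stand-in for fetching each link offline; None models a failed server.
HOSTED = {
    "https://media.example/a.png": ASSET_A,
    "ipfs://constructed-cid-b": ASSET_B,
    "https://mirror.example/a.png": ASSET_A,
    "https://media.example/gone.png": None,
    "https://media.example/9.png": b"constructed swapped content",
}

def audit_links(nfts, hosted):
    """Return (token, finding) pairs for links that can delink or already have."""
    findings = []
    for n in nfts:
        token = (n["contract"], n["token_id"])
        # A plain web URL depends on one server staying up and unchanged.
        if urlparse(n["uri"]).scheme in ("http", "https"):
            findings.append((token, "server-hosted"))
        data = hosted.get(n["uri"])
        if data is None:
            findings.append((token, "unreachable"))
        elif sha256_hex(data) != n["digest"]:
            findings.append((token, "digest-mismatch"))
    return findings

def shared_assets(nfts):
    """Group tokens by asset digest and keep digests claimed by more than one NFT."""
    by_digest = defaultdict(list)
    for n in nfts:
        by_digest[n["digest"]].append((n["contract"], n["token_id"]))
    return {d: tokens for d, tokens in by_digest.items() if len(tokens) > 1}

if __name__ == "__main__":
    for token, finding in audit_links(NFTS, HOSTED):
        print(token, finding)
    print(shared_assets(NFTS))
```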
NFT marketplaces facilitate the trading, creation, and sale of NFTs, offering various buying mechanisms and requiring attention to wallet security. The choice between decentralized and centralized custody models influences risk and user responsibility.
NFTs provide a secure method for representing and transferring ownership of unique digital and physical assets. However, their implementation and ecosystem are subject to a range of security vulnerabilities. Addressing these concerns through systematic security approaches is crucial for maintaining the integrity and trustworthiness of NFT technology.