Can I Own Your NFTs? Understanding the New Attack Surface to NFTs

Recent years have witnessed the increasing popularity and market value of Non-Fungible Tokens (NFTs), along with the burgeoning of blockchains and metaverse. The media hypes often imply that NFTs are as secure as the underlying blockchains. In this work, we take a first look into the building blocks of NFTs (i.e., ownership certificates stored on-chain and the metadata and digital assets stored on-chain or off-chain), focusing on understanding the new attack surface and safety of these digital assets (rather than the traditional attacks on block-chains). For this purpose, we provide a detailed analysis of the logical structure of the dominant off-chain NFTs, followed by the attack surface analysis. Our study indicates that specific new attacks could be easily mounted on them. To validate our findings, we experiment by minting our own NFTs on Ethereum and demonstrate that we can successfully mount the attacks with trivial or even no cost. The cause of these new attacks is rooted in the current design of NFTs where the digital assets are decoupled from the contracts deployed on the blockchains. We discuss some future research to address these vulnerabilities.