Wednesday, February 5, 2025

Decentralized finance (DeFi) protocols – which include many non-fungible token (NFT) markets and projects – use smart contracts to manage their transactions and interactions with investors. It is considered good practice to thoroughly review code before it interacts with user assets. However, there is always the potential for a malicious individual to identify a loophole, vulnerability, or malfunction within the layers of code necessary for the DeFi platform to function effectively.

NFT-based DeFi platforms are not immune to these issues and have occasionally been at the forefront of attacked services. Perhaps most notably, the $540 million heist of Axie Infinity's Ronin Bridge by North Korea's Lazarus Group underscores the growing threat posed by sanctioned entities and the exposure of these platforms to state-sponsored cybercrime.

In this excerpt from our recently released and free-to-download NFT and financial crime report, Elliptic explores potential vulnerabilities faced by NFT platforms that could be exploited by criminals or sanctioned entities.

Exploiting NFT projects

Code exploits allow hackers to abuse a flaw in a protocol's smart contract to transfer funds to their own wallets. The flaw is not necessarily in the NFTs themselves, but in the underlying smart contracts that govern the operation of their associated protocol or platform.

However, there have been cases where the NFT projects themselves contained flawed code. This can affect the quantity and nature of the NFTs minted and – depending on the nature of the exploit – cause wider fluctuations in the floor price of the affected assets.

In May 2021, the creators of CryptoPunks (Larva Labs) introduced Meebits – a collection of 20,000 3D NFTs. However, the Meebits NFT contract had a flaw that allowed minters to reject a freshly minted Meebit and try again, letting exploiters "brute-force" repeated mints to obtain the rarest Meebits. One user was found to have minted a particularly rare Meebit using the exploit and sold it for 200 Ether (ETH), which at the time was around $580,000 – 40 times the floor price.
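The "mint, inspect, revert, retry" loop described above works only when the minter can learn what they got inside the minting transaction. The Solidity contract below is an added illustration, not Larva Labs' Meebits code: it shows the delayed-reveal mitigation, in which a mint returns only a sequential token ID and the mapping from ID to artwork is fixed after the sale by an offset nobody knows at mint time. The contract name, collection size, price and the provenance-hash commitment are constructed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (hypothetical contract, not the Meebits contract).
// Mitigation shown: delayed reveal. Token IDs are handed out sequentially and
// carry no trait information until reveal(), so reverting a mint transaction
// after inspecting the result gains the minter nothing.
contract DelayedRevealMint {
    uint256 public constant MAX_SUPPLY = 20_000;   // constructed value
    uint256 public constant PRICE = 0.1 ether;     // constructed value
    // Commitment to the shuffled artwork list, published before the sale so
    // the team cannot reorder artwork after seeing who holds which ID.
    bytes32 public immutable provenanceHash;
    address public immutable owner;

    uint256 public totalMinted;
    uint256 public revealOffset;                   // 0 until reveal
    bool public revealed;
    mapping(uint256 => address) public ownerOf;

    event Minted(address indexed to, uint256 indexed tokenId);
    event Revealed(uint256 offset);

    constructor(bytes32 _provenanceHash) {
        provenanceHash = _provenanceHash;
        owner = msg.sender;
    }

    // Minting returns nothing a caller can act on: the traits of token N are
    // not determined until reveal, so "try again" is pointless.
    function mint() external payable returns (uint256 tokenId) {
        require(msg.value == PRICE, "wrong price");
        require(totalMinted < MAX_SUPPLY, "sold out");
        tokenId = ++totalMinted;
        ownerOf[tokenId] = msg.sender;
        emit Minted(msg.sender, tokenId);
    }

    // After the sale closes, fix the offset from data that did not exist while
    // minting was open. blockhash is used here only for illustration; it can be
    // influenced by whoever chooses when to call reveal(), so production
    // contracts source this value from a verifiable random function instead.
    function reveal() external {
        require(msg.sender == owner, "not owner");
        require(!revealed, "already revealed");
        require(totalMinted == MAX_SUPPLY, "sale still open");
        revealOffset = uint256(blockhash(block.number - 1)) % MAX_SUPPLY;
        revealed = true;
        emit Revealed(revealOffset);
    }

    // Which slot in the committed artwork list a token maps to; only
    // answerable after reveal, which is exactly the point.
    function artworkIndex(uint256 tokenId) external view returns (uint256) {
        require(revealed, "not revealed");
        require(tokenId >= 1 && tokenId <= MAX_SUPPLY, "bad id");
        return (tokenId - 1 + revealOffset) % MAX_SUPPLY;
    }

    function withdraw() external {
        require(msg.sender == owner, "not owner");
        (bool ok, ) = owner.call{value: address(this).balance}("");
        require(ok, "withdraw failed");
    }
}
```

The defensive property is that nothing observable during mint() correlates with rarity; the provenance hash lets holders verify afterwards that the artwork order was committed before the offset was chosen.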

Exploiting NFT marketplaces

As with other decentralized applications, smart contract-based marketplaces are prone to code exploits. These may put NFTs held in escrow by the marketplace at risk or trigger unintended listings, transfers or purchases. Fortunately, confirmed cases of marketplace code exploits remain few.

For example, Treasure Marketplace – the Arbitrum-based NFT and metaverse gaming platform – suffered an exploit in March 2022 after several hackers found a way to buy NFTs for free. A check in the marketplace's smart contract meant to ensure that the requested quantity of NFTs was above zero failed, resulting in a total of 154 NFTs being stolen. Almost all were returned after the fix was announced.
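The bug class above is a pricing formula of the form pricePerItem * quantity with no guard on quantity, so a zero quantity makes the purchase free while the token transfer still goes through. The Solidity contract below is an added example written for this article and is not the Treasure Marketplace code; it shows an unchecked buy function next to its hardened form. IERC721 is the standard token interface; the ListingMarket contract and its storage layout are a constructed simplification.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (hypothetical marketplace, not TreasureDAO's contract).
interface IERC721 {
    function transferFrom(address from, address to, uint256 tokenId) external;
}

contract ListingMarket {
    struct Listing {
        uint64 quantity;      // 1 for an ERC-721 listing; 0 means "no listing"
        uint128 pricePerItem; // wei per unit
    }

    // nft contract => tokenId => seller => listing
    mapping(address => mapping(uint256 => mapping(address => Listing))) public listings;

    event ItemSold(address indexed buyer, address indexed seller, address nft, uint256 tokenId, uint256 paid);

    function createListing(address nft, uint256 tokenId, uint128 pricePerItem) external {
        require(pricePerItem > 0, "price must be > 0");
        listings[nft][tokenId][msg.sender] = Listing({quantity: 1, pricePerItem: pricePerItem});
    }

    // VULNERABLE variant, kept only for contrast: `quantity` is never checked.
    // A call with quantity == 0 prices the item at 0 wei, the msg.value check
    // passes, and the ERC-721 transfer still hands over the token.
    function buyItemUnchecked(address nft, uint256 tokenId, address seller, uint64 quantity) external payable {
        Listing memory l = listings[nft][tokenId][seller];
        uint256 total = uint256(l.pricePerItem) * quantity;
        require(msg.value == total, "wrong payment");
        delete listings[nft][tokenId][seller];
        IERC721(nft).transferFrom(seller, msg.sender, tokenId);
        (bool ok, ) = seller.call{value: total}("");
        require(ok, "payout failed");
        emit ItemSold(msg.sender, seller, nft, tokenId, total);
    }

    // HARDENED variant: reject missing listings and zero or oversize quantities
    // before any price is computed, so `total` can never be zero for a real sale.
    function buyItem(address nft, uint256 tokenId, address seller, uint64 quantity) external payable {
        Listing memory l = listings[nft][tokenId][seller];
        require(l.quantity > 0, "no such listing");
        require(quantity > 0 && quantity <= l.quantity, "bad quantity");
        uint256 total = uint256(l.pricePerItem) * quantity;
        require(msg.value == total, "wrong payment");
        delete listings[nft][tokenId][seller];      // effects before interactions
        IERC721(nft).transferFrom(seller, msg.sender, tokenId);
        (bool ok, ) = seller.call{value: total}("");
        require(ok, "payout failed");
        emit ItemSold(msg.sender, seller, nft, tokenId, total);
    }
}
```

A review checklist item that catches this: every arithmetic input that can make a payment amount zero (quantity, price, fee basis points) needs an explicit lower-bound check, and the check must come before the value is used, not after.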

Figure: NFT stolen from the TreasureDAO Marketplace, with the theft transaction ("about 2 months ago") deleted from the item history.

API exploits

Although NFT platforms interact with blockchains via highly technical smart contracts, most combine this with a more accessible user interface – or "front-end". In most cases, transactions initiated through a front-end user interface – such as a website – are communicated to and executed on the NFT platform's smart contract via an API. Although examples of API exploitation have not been numerous, it is worth noting that these APIs may contain vulnerabilities of their own.

One such exploit hit the popular NFT marketplace OpenSea in January 2022, when the website showed users that their listings had been cancelled even though they remained active on the backend API. This led to a number of opportunists executing old listings for high-value NFTs, buying them for a fraction of their value at the time. One user made over $800,000 in profit after flipping the NFTs they acquired through this exploit.

Airdrop exploits

Occasionally, an existing NFT project may attempt to maintain its popularity or increase NFT prices by launching an airdrop of additional project rewards to its community. NFT-specific airdrops can operate on a "tokens per NFT" basis: they allow users to claim an airdrop based on their ownership of NFTs within a specific collection. Depending on how they are coded or organized, exploiters can find ways to participate in airdrops they are not entitled to or claim more tokens/NFTs than intended.

In March 2022, Yuga Labs launched an airdrop for ApeCoin (APE), which Bored Ape NFT holders could claim. On March 17th, an exploiter used a flash loan to borrow five Bored Apes whose ApeCoin had not yet been claimed, meaning that the exploiter was able to call the ApeCoin contract and claim over 60,000 APE against them before returning the NFTs – all within the same transaction. The exploiter made a profit of $1.1 million.
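The underlying weakness in the case above is a claim function that rewards whoever holds the NFT at the moment of the call, which a borrowed NFT satisfies. The Solidity contract below is an added example, not Yuga Labs' ApeCoin contract: it shows the snapshot mitigation, where eligibility is fixed to the holder recorded for each token at a snapshot block before the claim period, proven with a Merkle proof. IERC20 is the standard token interface; the SnapshotAirdrop contract, the leaf encoding and the per-NFT amount are constructed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (hypothetical contract, not the ApeCoin airdrop).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract SnapshotAirdrop {
    IERC20 public immutable token;
    // Merkle root over leaves keccak256(abi.encode(tokenId, holder)), built
    // off-chain from ownerOf(tokenId) at an announced snapshot block.
    bytes32 public immutable snapshotRoot;
    uint256 public immutable tokensPerNft;
    mapping(uint256 => bool) public claimed;   // one payout per NFT, ever

    event Claimed(uint256 indexed tokenId, address indexed holder, uint256 amount);

    constructor(IERC20 _token, bytes32 _snapshotRoot, uint256 _tokensPerNft) {
        token = _token;
        snapshotRoot = _snapshotRoot;
        tokensPerNft = _tokensPerNft;
    }

    // Holding (or borrowing) the NFT at claim time is irrelevant: the proof
    // binds tokenId to the address that held it in the snapshot, and only
    // that address can claim. Current ownerOf() is deliberately never read.
    function claim(uint256 tokenId, bytes32[] calldata proof) external {
        require(!claimed[tokenId], "already claimed");
        bytes32 leaf = keccak256(abi.encode(tokenId, msg.sender));
        require(_verify(proof, leaf), "not in snapshot");
        claimed[tokenId] = true;                 // effect before interaction
        require(token.transfer(msg.sender, tokensPerNft), "transfer failed");
        emit Claimed(tokenId, msg.sender, tokensPerNft);
    }

    // Sorted-pair Merkle verification (the same scheme OpenZeppelin's
    // MerkleProof library uses), so the off-chain tree builder must sort
    // sibling hashes the same way.
    function _verify(bytes32[] calldata proof, bytes32 leaf) internal view returns (bool) {
        bytes32 node = leaf;
        for (uint256 i = 0; i < proof.length; i++) {
            bytes32 sibling = proof[i];
            node = node < sibling
                ? keccak256(abi.encodePacked(node, sibling))
                : keccak256(abi.encodePacked(sibling, node));
        }
        return node == snapshotRoot;
    }
}
```

The snapshot block should be announced only after it has passed, so nobody can position borrowed NFTs for it; an alternative mitigation with weaker guarantees is a minimum holding period enforced by the NFT contract itself, which also rules out same-transaction borrow-and-claim.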

Figure: How one transaction achieved airdrop leverage of $1.1 million in ApeCoin and ETH.

Social engineering and private key compromises

The final threat – and perhaps the most serious in terms of lost funds and exposure to sanctioned entities – is a social engineering attack. In order to access developer privileges and maliciously modify smart contracts in their favor, fraudsters need to access the private keys of project administrators.

In most cases, they are obtained through social engineering efforts that culminate in developers inadvertently revealing them to exploiters. In 2020 and 2021, private key compromises led to the theft of $260 million – across both fungible and non-fungible DeFi protocols.

On March 29, 2022, North Korea's Lazarus Group used social engineering techniques to take control of five of the nine validators of the Ronin Bridge, which is used to access the popular blockchain game Axie Infinity. With control of the validators' transaction approvals, the group authorized the theft of 173,600 ETH and 25.5 million USDC from the bridge.

The heist led to several sanctions updates from the US Treasury, including those against popular mixers Blender.io and Tornado Cash. These actions highlight the sanctions risks and state-sponsored cyber threats that NFT protocols face. Markets require effective blockchain analytics solutions to ensure they mitigate the risk of processing transactions originating from such entities.

Figure: Elliptic Investigator showing the Lazarus Group's laundering pattern after the Ronin heist, indicating that most of the funds were transferred through intermediary wallets to the now-sanctioned Tornado Cash.

Mitigating sanctions risk

Our Elliptic Lens wallet screening solution and Elliptic Navigator transaction monitoring solution allow you to screen against sanctions lists to ensure you avoid dealing with blocked entities and addresses, and to check whether a wallet holds any funds originating from them. Elliptic Investigator can be used to easily plot the movement of funds from sanctioned addresses. This helps NFT-based services avoid processing purchases of NFTs by sanctioned individuals and entities.

You can also download Elliptic's Cryptocurrency Sanctions Compliance guide, with case studies and examples of how to use blockchain analytics for OFAC compliance.
