The nonfungible token (NFT) market has been booming since the summer of 2021, and as NFT prices skyrocketed, so too did the number of hacks targeting NFTs.
The most recent high-profile hack siphoned approximately 600 Ether (ETH) worth of NFTs from Arthur0x, the founder of DeFiance Capital, which were then sold on OpenSea.
A 2022 Crypto Crime Report published by Chainalysis highlighted that the value sent to NFT marketplaces by illicit addresses jumped significantly in 2021, topping out at just under $1.4 million. There was also a clear increase in stolen funds sent to NFT marketplaces.
Given this rapid increase in illicit value flowing into NFT platforms, it is natural to ask whether security measures and procedures are in place and, if so, whether those measures actually protect owners.
Let’s take a look at OpenSea, the largest NFT platform, and its security measures.
The security measures at OpenSea cannot protect users
OpenSea has two main security measures that kick in once an account has been "hacked": locking the compromised account and blocking the stolen NFTs. Looked at closely, both measures are largely ineffective.
Locking the account can be done by the user on the OpenSea website without human approval, as shown here, whereas blocking the NFTs involves a lengthy process of raising a support ticket and waiting for the OpenSea help team to respond.
In a situation where a hacker has already compromised the wallet and is in the process of transferring the NFTs out, locking the account only helps if it is done before the hacker has transferred everything out. Even then, a lock only stops activity that goes through OpenSea: it cannot prevent a transfer the attacker signs on-chain directly with the compromised key.
Similarly, blocking the NFTs is only effective before the hacker sells them to another buyer. What is worse, this measure creates a series of indirect victims who end up holding blocked NFTs that can neither be sold nor transferred on OpenSea. The response time for tickets raised with OpenSea is at least one day; by the time OpenSea blocks the NFTs, they have already been sold to another buyer, who now becomes the new victim of the crime.
In the case of the 17 Azuki stolen from Arthur0x, 15 were stolen within the same minute and two were stolen three minutes later. The average time these stolen NFTs stayed in the hacker's wallet before being sold was 43 minutes. OpenSea's security measures are in no way responsive enough to inform the victim and stop the hacker; nor can they warn buyers promptly enough to stop them from buying the stolen NFTs and becoming indirect victims.
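To make the timing argument concrete, here is an added example (not code from the article, OpenSea or Arthur0x) that pairs ERC-721 Transfer events with the attacker's later resales, computes how long each stolen token sat in the attacker's wallet, and checks whether a lock or block applied after a given response delay would have changed the outcome. The event log, wallet addresses, token ids and timestamps are all constructed; the dwell times are chosen to average 43 minutes, like the case above, and the lock/block semantics follow the simplified model in the text (a lock stops thefts that have not happened yet, a block stops resales that have not happened yet).

```python
"""Added example (not from the article or OpenSea): dwell-time analysis of stolen
ERC-721 tokens and the effect of a lock/block applied after a response delay.

All addresses, token ids and timestamps are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

VICTIM = "0xVICTIM"      # placeholder for the compromised wallet
ATTACKER = "0xATTACKER"  # placeholder for the wallet the thief drains into


@dataclass(frozen=True)
class Transfer:
    """One ERC-721 Transfer(from, to, tokenId) event with its block timestamp."""
    token_id: int
    sender: str
    recipient: str
    at: datetime


def _t(minutes: int) -> datetime:
    """Constructed timeline: minutes after an arbitrary reference time T0."""
    return datetime(2022, 1, 1, tzinfo=timezone.utc) + timedelta(minutes=minutes)


# Constructed event log: three tokens drained at T0, two more three minutes later,
# four of the five resold within about an hour, one still in the attacker's wallet.
SAMPLE_EVENTS: List[Transfer] = [
    Transfer(1, VICTIM, ATTACKER, _t(0)),
    Transfer(2, VICTIM, ATTACKER, _t(0)),
    Transfer(3, VICTIM, ATTACKER, _t(0)),
    Transfer(4, VICTIM, ATTACKER, _t(3)),
    Transfer(5, VICTIM, ATTACKER, _t(3)),
    Transfer(1, ATTACKER, "0xBUYER_A", _t(20)),
    Transfer(2, ATTACKER, "0xBUYER_B", _t(45)),
    Transfer(4, ATTACKER, "0xBUYER_C", _t(45)),
    Transfer(3, ATTACKER, "0xBUYER_D", _t(65)),
]


def theft_and_resale(events: List[Transfer], victim: str, attacker: str
                     ) -> Dict[int, Tuple[Transfer, Optional[Transfer]]]:
    """Pair each theft (victim -> attacker) with the attacker's first later transfer of that token."""
    per_token: Dict[int, List[Transfer]] = {}
    for ev in sorted(events, key=lambda e: e.at):
        per_token.setdefault(ev.token_id, []).append(ev)
    pairs: Dict[int, Tuple[Transfer, Optional[Transfer]]] = {}
    for token_id, evs in per_token.items():
        theft = next((e for e in evs if e.sender == victim and e.recipient == attacker), None)
        if theft is None:
            continue  # this token was never moved from the victim to the attacker
        resale = next((e for e in evs if e.sender == attacker and e.at > theft.at), None)
        pairs[token_id] = (theft, resale)
    return pairs


def dwell_minutes(events, victim, attacker) -> Dict[int, Optional[float]]:
    """Minutes each stolen token sat in the attacker's wallet; None if not resold yet."""
    return {
        tid: None if resale is None else (resale.at - theft.at).total_seconds() / 60
        for tid, (theft, resale) in theft_and_resale(events, victim, attacker).items()
    }


def mean_dwell_minutes(events, victim, attacker) -> Optional[float]:
    """Average dwell time over the tokens that were actually resold."""
    resold = [d for d in dwell_minutes(events, victim, attacker).values() if d is not None]
    return sum(resold) / len(resold) if resold else None


def outcome_with_response(events, victim, attacker,
                          lock_delay_min: float, block_delay_min: float) -> Dict[int, str]:
    """Classify each stolen token under the article's model: the victim locks the account
    lock_delay_min minutes after the first theft and the marketplace blocks the tokens
    block_delay_min minutes after it. A lock is assumed to stop thefts that have not
    happened yet and a block to stop resales that have not happened yet; neither stops
    a raw on-chain transfer signed with the stolen key, so this model is optimistic."""
    pairs = theft_and_resale(events, victim, attacker)
    if not pairs:
        return {}
    first_theft = min(theft.at for theft, _ in pairs.values())
    lock_at = first_theft + timedelta(minutes=lock_delay_min)
    block_at = first_theft + timedelta(minutes=block_delay_min)
    result: Dict[int, str] = {}
    for tid, (theft, resale) in pairs.items():
        if theft.at >= lock_at:
            result[tid] = "lock applied before theft"
        elif resale is None or resale.at >= block_at:
            result[tid] = "blocked while still in attacker wallet"
        else:
            result[tid] = "resold before block: buyer holds a blocked token"
    return result


def indirect_victims(events, victim, attacker, lock_delay_min, block_delay_min) -> int:
    """Number of buyers left holding a blocked token under the given response delays."""
    outcomes = outcome_with_response(events, victim, attacker, lock_delay_min, block_delay_min)
    return sum(1 for o in outcomes.values() if o.startswith("resold"))


if __name__ == "__main__":
    one_day = 24 * 60
    print("dwell (min):", dwell_minutes(SAMPLE_EVENTS, VICTIM, ATTACKER))
    print("mean dwell (min):", mean_dwell_minutes(SAMPLE_EVENTS, VICTIM, ATTACKER))
    print("one-day ticket response:", outcome_with_response(SAMPLE_EVENTS, VICTIM, ATTACKER, one_day, one_day))
    print("2-min lock, 30-min block:", outcome_with_response(SAMPLE_EVENTS, VICTIM, ATTACKER, 2, 30))
```

With a one-day response for both controls, every token that was resold before the block turns into an indirect victim and only the token still sitting in the attacker's wallet is caught; with a 2-minute lock and a 30-minute block, the two tokens taken three minutes in are saved by the lock and two of the three early thefts are caught by the block, leaving a single indirect victim. The response delay, not the existence of the control, decides who ends up holding the loss.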
Blocking stolen NFTs creates indirect victims
An indirect victim is someone who is not the target of the hack but indirectly suffers the financial loss caused by the blocking of the stolen NFTs. As seen in many recent NFT hacks, the NFTs are always sold before OpenSea implements the block. Blocking the NFTs too late therefore creates indirect victims and spreads the losses to more people.
To illustrate in more detail how anyone could end up buying a stolen NFT and become an indirect victim of a hack, here are three common cases:
Case 1: Alice buys an NFT and only later finds out that it is a stolen asset. The NFT is blocked, and Alice cannot sell or transfer it on OpenSea. She raises a support ticket. After several weeks, the OpenSea Trust & Safety team offers to refund the 2.5% platform fee and, if she is lucky, the email address of the victim who reported the theft. She then faces a lengthy negotiation with the victim over lifting the block, which will most likely lead nowhere.
Alice can still sell the NFT on other marketplaces, but sales volume for this particular collection is very low there, and no buyer on any platform other than OpenSea will offer a fair price.