NFTs explained: daylight robbery on the blockchain

Did you hear about the JPG file that sold for $69 million?

I’ll give you some more detail, the JPG file is a piece of digital art made by Mike Winkelmann, the artist known as Beeple. The file was sold on Thursday by Christie’s in an online auction for $69.3 million. This set a record for artwork that exists only digitally. Which for many people raised the question: what’s to stop me from copying it and becoming an owner as well? After all, digital files can be copied ad infinitum, with no loss of quality.

Which is where non-fungible tokens (NFTs or “nifities”) come in. NFTs are the latest, most eyebrow-raising use of blockchain technology.

Non-fungible means the token has unique properties so it cannot be interchanged with something else. Money, for example, is fungible. You can break down a dollar or a bitcoin into change and it will still have the same value. An artwork is more like a house, each one is unique and can’t be broken into useful fractions. (Although for houses sometimes it is only the location that makes it different from its neighbors.)

But I made the analogy because for houses we have a ledger to keep track of who owns the house. If you want to know who owns a house, you look it up in the ledger. You can think of an NFT as a certificate of ownership for a unique object, virtual or tangible.

Art and technology

While the combination of art and technology may have sounded strange a century ago, nowadays they are no longer a rare combination. The first use of the term digital art was in the early 1980s when computer engineers devised a paint program which was used by the pioneering digital artist Harold Cohen. This became known as AARON, a robotic machine designed to make large drawings on sheets of paper placed on the floor.

Andy Warhol or David Hockney may be more familiar names, even for those that are not that into art. Andy Warhol created digital art using a Commodore Amiga where the computer was publicly introduced at the Lincoln Center, New York in July 1985. Hockney is huge fan of the iPad.

Art and NFTs

The maintenance of the digital ledger to keep track of who owns a digital work of art is done using blockchain technology. Blockchains make it almost impossible to forge records.

Copies of the blockchain are kept on thousands of computers and each item in the blockchain is cryptographically linked to every item that comes after it. Forging a record in a blockchain ledger means re-doing the transaction you want to forge, and every subsequent transaction, on a majority of all the copies in existence, at the same time.

Unlike bitcoins, each NFT is unique and can contain details like the identity of its owner or other metadata. NFTs also include smart contracts. Smart contracts store code instead of data in a blockchain, and execute when particular conditions are met. An example of an NFT smart contract might give an artist a percentage of future sales of their work.

But to answer the original question, this doesn’t stop anyone from copying a digital masterpiece and enjoying it at home. The NFT ledger only shows who the owner of the original is.

Stolen NFTs

Even though the blockchain technology itself is secure, the applications that are built on or around it, such as websites or smart contracts, don’t inherit that security, and that can cause problems.

Users of the digital art marketplace Nifty Gateway reported hackers had taken over their accounts and stolen artwork worth thousands of dollars over the weekend.

victim complaining on Twitter

Someone stole my NFTSs today on @niftygateway and purchased $10K++ worth of today’s drop without my knowledge. NFTs were then transferred to another account.

Some victims reported that the digital assets stolen from their accounts were then sold on the chat application Discord or on Twitter. The underlying problem, according to many claims, was that the thieves hacked the owner’s accounts. They then used the accounts to sell, buy, and re-sell NFTs.

This is possible because blockchain security is designed to prevent forgery, not theft. If somebody steals your NFT and sells it, the blockchain will faithfully record the sale, irreversibly.

Art turned into NFT without the artist’s knowledge

Some artists are reporting their work has been stolen and sold on NFT sites without their knowledge or permission. In some cases, the artist only learned about the theft weeks or even years later, having stumbled upon their work on an auction site. The people creating the NFT had no ownership and probably just copied the artwork from the artist’s website.

Identifying the original file

The way NFTs are set up now they depend too much on URLs that might end up broken at some point in time. Or get hijacked by some clever threat actor. Jonty Wareing did an analysis on how Nifty references the original and was not impressed. He expressed his concerns on Twitter. He found the fact that both the NFT token for the json metadata file as well as the IPFS gateway are defined by URLs set up by the seller. IPFS is a distributed system for storing and accessing files, websites, applications, and data.

The NFT token you bought either points to a URL on the internet, or an IPFS hash. In most circumstances it references an IPFS gateway on the internet run by the startup you bought the NFT from.

Which means when the startup who sold you the NFT goes bust, the files will probably vanish from IPFS too

Problems with art and NFTs

The reported crimes are made possible by three apparent flaws in the way the system was set up.

  • It is possible to create more than one NFT for the same work of art. This creates separate chains of ownership for the same work of art.
  • If no NFT exists for a certain work of art, creating one does not require you to be the owner. This creates false chains of ownership.
  • The references defining the original depend too heavily on URLs that are vulnerable and could vanish at some point.

To circle back to our analogy with real estate, the only way a ledger can be expected to give an accurate account of ownership is by having one central ledger that checks whether the first owner did buy the object directly from the creator. The creation of such a new ledger should also include a check whether there is not an existing registration for the same object to avoid creating a duplicate. And for digital files we need a better way to define them. Storing URLs in the blockchain will protect the URL and not the underlying file.

The post NFTs explained: daylight robbery on the blockchain appeared first on Malwarebytes Labs.

If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.

Discord

Original Source