NFTs (Non-Fungible Tokens) have burst into popularity in the cryptocurrency space. An NFT is, at its core, a piece of data stored on a blockchain that represents a unique physical or digital item, such as a work of art, real estate, music, or a video. As with a real art piece, ownership of that data can change hands. Some NFT projects use NFT drops, a process in which a user mints an NFT without knowing beforehand what they are receiving. Only after the owner reveals the unique metadata of each piece can the buyer assess whether they now own a rare NFT, like an actual rare Van Gogh, or an NFT more like a Van Gogh postcard anyone can buy in the gift shop.
Cyber risks in NFT projects take many shapes and forms. Most people believe that if your NFT wasn’t stolen you weren’t hacked, but what if you were supposed to receive the rarest NFT in the deck and an attacker was smart enough to buy it before you? You were hacked without even knowing it. A new exploit found by Sayfer researchers enables attackers to learn which NFT is the rarest before the project’s reveal. This gives an attacker a unique advantage over other investors: the ability to buy the rarest and most expensive art piece. In some projects, the rarest piece can be fifty times more expensive than a standard piece.
Commonly, in an NFT project with a reveal step, tokens are minted blindly; once everything has been minted, the NFTs are revealed and their metadata becomes public. If an attacker somehow obtains the metadata before it is revealed and uses it to buy the rarest NFT, he or she gains an unfair benefit and more profit than all the other buyers. By going over project code step by step, Sayfer researchers found that many projects use two separate transactions in the reveal process. Simply put, the project owner first sets the unique metadata for the reveal, and only some time later actually reveals the data to the public. In the window between these two transactions, which can sometimes be hours long, a skilled attacker can scan the metadata of every NFT in the project and find which piece is the rarest.
The vulnerability is the result of bad coding practices. It was found in dozens of projects and possibly exists in thousands more. So what should you do if you own an NFT project, or want to invest in one, and want to mitigate your risk? Firstly, there is no way to test for BadReveal practices automatically. If you want to know whether a project you are invested in, or plan to invest in, is vulnerable to BadReveal, you should invest in a manual audit of the project. Secondly, if you own the project: since the essence of the BadReveal vulnerability is the advantage an attacker gains between the transaction that sets the token URI and the reveal transaction, the mitigation is to combine the two into a single transaction.
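The following is an added illustration of the two-transaction pattern described above and of the single-transaction mitigation; it is not code from Sayfer or from any audited project. The contract names, the `placeholderURI`/`baseTokenURI` naming, the simplified `mint` function, and the OpenZeppelin Contracts 4.x dependency are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not code from any audited project. Assumes OpenZeppelin
// Contracts 4.x for ERC721 and Strings.
import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/utils/Strings.sol";

// Shared blind-mint logic used by both variants below.
abstract contract RevealBase is ERC721 {
    address public immutable owner;
    string internal baseTokenURI;   // where the per-token JSON lives once revealed
    string internal placeholderURI; // single "unrevealed" JSON served for every token
    bool public revealed;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(string memory placeholder) ERC721("Drop", "DROP") {
        owner = msg.sender;
        placeholderURI = placeholder;
    }

    // Blind mint (simplified: no price, no supply cap). The caller cannot tell
    // which piece they are getting because tokenURI still points at the placeholder.
    function mint(uint256 tokenId) external payable {
        _safeMint(msg.sender, tokenId);
    }

    // Until the reveal flag flips, every token resolves to the same placeholder.
    function tokenURI(uint256 tokenId) public view override returns (string memory) {
        _requireMinted(tokenId);
        if (!revealed) {
            return placeholderURI;
        }
        return string(abi.encodePacked(baseTokenURI, Strings.toString(tokenId), ".json"));
    }
}

// BadReveal pattern: the metadata location is written on-chain in one transaction
// and the reveal flag is flipped in a second one. Between the two, baseTokenURI is
// already in contract storage, and storage is readable by anyone regardless of the
// Solidity visibility keyword (any node serves it via eth_getStorageAt), so the
// per-token metadata can be fetched and ranked before the collection is revealed.
contract BadRevealNFT is RevealBase {
    constructor(string memory placeholder) RevealBase(placeholder) {}

    // Transaction 1: metadata location goes on-chain immediately.
    function setBaseURI(string calldata uri) external onlyOwner {
        baseTokenURI = uri;
    }

    // Transaction 2, often hours later: only now does tokenURI start using it.
    function reveal() external onlyOwner {
        revealed = true;
    }
}

// Mitigated pattern: the URI is set and the collection is revealed in the same
// transaction, so there is no block in which the metadata location exists on-chain
// without every holder being able to see it at the same time.
contract AtomicRevealNFT is RevealBase {
    constructor(string memory placeholder) RevealBase(placeholder) {}

    function reveal(string calldata uri) external onlyOwner {
        require(!revealed, "already revealed");
        require(bytes(uri).length != 0, "empty URI");
        baseTokenURI = uri;
        revealed = true;
    }
}
```

When auditing a project for this pattern, look for any function that writes the base or per-token URI to storage without also setting the reveal state in the same call, and check that the state variable is not treated as hidden merely because it is declared `private` or `internal`. The single-transaction reveal closes the on-chain window this article describes; metadata files that were already uploaded to a publicly reachable host before the reveal transaction are a separate exposure that the contract change does not address.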