Cybersecurity firm Sayfer has identified a new threat affecting around 10% of all NFT projects.
According to Sayfer, the so-called BadReveal vulnerability attacks the minting process of NFTs, which are meant to be generated randomly. The firm warned that an attacker could claim the best and most valuable NFTs at launch before reselling them for great profit on the secondary market, by exploiting the BadReveal bug.
Sayfer says that tokens are minted blindly in most of the NFT projects, to ensure a fair distribution of NFTs. The rarity traits of these NFTs can differ greatly. Within days of the mint being completed, the ‘reveal’ occurs whereupon the metadata is made public and buyers can ascertain the characteristics of their NFT. Sayfer mentioned: if an attacker somehow manages to access the metadata before it is revealed, they could use this information to snap up valuable unrevealed NFTs.
While analyzing the code for leading NFT projects, Sayfer researchers found that many of them entail two different transactions in the reveal process. The project owner first sets the unique metadata for the reveal and then later reveals the data to the public. In the time between these two transactions, which is typically hours or even days, a skilled attacker can scan all NFT metadata in the project and pinpoint the rarest tokens.
Sayfer found the vulnerability in dozens of projects whose codebase it assessed, and believes it is replicable in thousands more. Its team has stated that since there is no way to automatically test for the presence of the BadReveal vulnerability, NFT projects should commission a security audit prior to launch. This will give the community faith in the integrity of the minting process and ensure a fair distribution of NFTs to owners who will become passionately involved with the project.
Sayfer is a cybersecurity company which offers solutions to prevent major security breaches. Sayfer specializes in offensive defense by leveraging approaches that imitate the attacker’s behavior. Through reverse-engineering and vulnerability research, the company is able to find novel security breaches in projects and prevent the attackers from threatening the system.
Read also: United States Offers $10M Reward In Cryptocurrency For Cyber Threats Info