The largest brands in the world are jumping into NFTs:
- Coca-Cola: #6 on the Forbes brand list
- Disney: #7
- Louis Vuitton: #9
- McDonald’s: #10
- Nike: #13
- Visa: #18
- Budweiser: #21
That’s a third of the world’s Top 21 brands. Each of these companies has an active cybersecurity group but were they involved with vetting their NFT minting process? I certainly hope so but since NFTs are often considered a marketing project they may not be on the radar of the CISO office or purchasing group.
NFT projects can be hacked and there is no recourse. Unlike traditional accounts where funds can be recovered and centralized services can restore your hacked account, blockchain transactions cannot be un-done as there is no authority with the necessary power. There were hundreds of blockchain hacks in 2021 leading to four to fourteen billion in losses (depending on how you count), and the majority of them came from stealing private keys. In January 2022 hackers stole $18m from Lympo by compromising the private keys of 10 different NFT minting projects. A month earlier $140m was stolen from NFT gaming company Vulcan Forged by compromising 96 private keys.
Private keys are used everywhere in corporate IT security. Corporations have budgets for managing them, leveraging solutions from companies like IBM, KeyFactor, and Venafi. Private keys are even more important in blockchain given the irreversible nature of transactions. If someone steals your private key, they have complete control of your blockchain account. Unfortunately there aren’t the same solutions and security practices in blockchain as there are in corporate IT.
How does this relate to NFTs?
In the NFT world, the account you use to sign NFTs is your public identity on the blockchain. The biggest NFT marketplaces in the world identify you based on your private key. So what happens if an NFT private key gets stolen? First, all your crypto in the account will be stolen. If you receive commissions on secondary sales, these commissions will go to your now-compromised account and be siphoned off. More importantly though, the thief can now masquerade as you on the blockchain. They can mint anything they want using your brand and marketplaces will not know. This can cause significant damage before the theft is flagged. Imagine pornographic images minted with a private key associated with Disney, or Burger King NFTs minted with a McDonald’s key. Hackers are pretty creative.
Individual vs. Corporate NFT Security
For individuals, the solution to preventing private key theft is to use a properly set up hardware wallet for creating and storing a signing key. Our Root of Provenance service for individuals makes sure this is done correctly. However, what about corporations? The security risks of a corporate signing key are more complex so the solution needs to be different as well.
The main difference between an individual and a corporation is that an individual would never act maliciously towards themselves. Why would an individual mint an NFT that reflects poorly on them? Corporations are different as they are run by individuals who might be working adversely to the corporation (e.g.- whistleblowers). Even if an employee were not acting maliciously their credentials could be compromised (e.g.- phishing attack) and used to steal the NFT signing key. Twitter was attacked using compromised employee credentials and the hacker was able to tweet a fraudulent link from the Twitter accounts of influential people like Elon Musk.
Protecting against attacks on or by employees is called “access control policy” in corporate security, because access to valuable resources need to be controlled in a way that mitigates the risks. In the blockchain world, the most common type of access control is utilization of a “multisig” wallet. Multisig wallets require more than one signature to authorize a transaction. This way a single disgruntled employee cannot unilaterally mint an NFT on behalf of the corporation- multiple employees are needed to do so.
How Corporations Can Prevent NFT Attacks
There are a few techniques that can be leveraged to protect corporations from NFT access control attacks:
- Multisig Smart Contracts: Multisig smart contracts such as Gnosis Safe are used by developers to add multisig protection to the management of custom smart contracts. Instead of sending a transaction to a contract using a single wallet, developers can create a multisig contract that sends the transaction to the contract. The multisig contract can be configured to send a transaction only when the correct number of wallets have approved the transaction. Unfortunately, these solutions may not be compatible with current NFT minting solutions (like OpenSea for example).
- Custom NFT Contracts: If current minting solutions do not support multisig smart contracts, build your own minting solution. This requires writing a new or modifying an existing NFT smart contract to require multiple signatures for minting or making the first transfer of an NFT. Once the NFT has been transferred it can act like a standard NFT without multisig so it can be listed on existing marketplaces.
- Wallet Access Control: For the ultimate compatibility with existing NFT tools and marketplaces, you can integrate access control into a single hardware wallet. For example, you can store the wallet in a safe that requires multiple combinations to open. Or, you can split up a wallet PIN so that no single individual knows the complete PIN number- more than one person is required to enter the complete PIN to approve transactions.
Which technique to use depends on a corporation’s NFT strategy as well as their current cybersecurity and access control policies. The first two techniques are highly dependent on the NFT implementation and Wivity can help craft an appropriate solution. For the third technique Wivity has developed process templates that corporations can leverage to manage access control.
Whether you’re a corporation that wants to mitigate the risks associated with minting NFTs or an NFT platform that wants to ensure their minting process is secure, please reach out to see if our solutions can help.