NFT Contract Audit: Analysis of 6 Major High-Risk Vulnerabilities and Security Incidents


Analysis of Common Issues in NFT Contract Security Audits

In the first half of 2022, multiple security incidents occurred in the NFT sector, resulting in losses of approximately $64.9 million. The main attack vectors were contract vulnerability exploitation, private-key leakage, and phishing. The contract-level incidents below are the ones a security audit of NFT contracts is meant to catch.

Analysis of NFT Security Incidents in the First Half of the Year: Which Typical Cases Should We Be Cautious About?

Review of Typical Security Incidents

  1. TreasureDAO incident: The marketplace handled ERC-1155 and ERC-721 listings in one code path and charged price × quantity, but never validated the quantity for ERC-721 items. A buyer could pass a quantity of 0, pay nothing, and still receive the token.

  2. APE Coin airdrop incident: The airdrop contract decided eligibility from the instantaneous on-chain state (who holds the qualifying NFTs at claim time) rather than from a snapshot. An attacker borrowed NFTs with a flash loan, claimed the airdrop, and returned the NFTs within a single transaction.

  3. Revest Finance incident: An ERC-1155 reentrancy vulnerability (the receiver callback fires before the mint's state update is complete) let the attacker re-enter and mint FNFTs repeatedly, resulting in losses of approximately $120,000.

  4. NBA project exploit incident: The contract's signature verification did not prevent forgery or reuse, so attackers could replay valid signatures or submit forged ones to pass the check.

  5. Akutar incident: The refund-completion check compared the number of refunded bidders against the total number of bids. Because one bidder could place multiple bids, the two counts could never match, the withdrawal condition could never be satisfied, and approximately $34 million in assets was permanently locked.

  6. XCarnival incident: A logic flaw let a borrower withdraw pledged NFT collateral while the corresponding collateral record stayed valid, so the same empty record could be used to borrow again and again, resulting in a loss of approximately $3.8 million.
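The TreasureDAO pattern above (one buy path for ERC-721 and ERC-1155, priced as price × quantity) is the easiest of the six to reproduce in a few lines. The contract below is an added illustration written for this page, not TreasureDAO's code; the names (MixedMarketplace, Listing, buyItemVulnerable, buyItem, isErc721) are hypothetical. It places the unchecked-quantity version next to a hardened version that validates the quantity per token standard and applies state changes before the external calls.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not code from TreasureDAO or any other project named on this page.
interface IERC721 {
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}
interface IERC1155 {
    function safeTransferFrom(address from, address to, uint256 id, uint256 amount, bytes calldata data) external;
}
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract MixedMarketplace {
    struct Listing { uint64 quantity; uint128 pricePerItem; }

    IERC20 public immutable paymentToken;
    address public immutable admin;
    // collection => tokenId => seller => listing
    mapping(address => mapping(uint256 => mapping(address => Listing))) public listings;
    // Hypothetical per-collection flag: true for ERC-721 collections, false for ERC-1155.
    mapping(address => bool) public isErc721;

    constructor(IERC20 token) { paymentToken = token; admin = msg.sender; }

    function setErc721(address nft, bool flag) external {
        require(msg.sender == admin, "not admin");
        isErc721[nft] = flag;
    }

    function createListing(address nft, uint256 tokenId, uint64 quantity, uint128 pricePerItem) external {
        if (isErc721[nft]) require(quantity == 1, "ERC721: quantity must be 1");
        else require(quantity > 0, "quantity must be > 0");
        listings[nft][tokenId][msg.sender] = Listing(quantity, pricePerItem);
    }

    // VULNERABLE: the pattern described in incident 1. quantity is never validated, so a buyer
    // passes quantity == 0, the total is 0 * price == 0, and the ERC-721 branch still transfers
    // the token because it ignores quantity entirely.
    function buyItemVulnerable(address nft, uint256 tokenId, address seller, uint64 quantity) external {
        Listing storage l = listings[nft][tokenId][seller];
        require(l.quantity >= quantity, "not enough listed");        // 1 >= 0 passes
        uint256 total = uint256(l.pricePerItem) * quantity;           // 0 when quantity == 0
        require(paymentToken.transferFrom(msg.sender, seller, total), "payment failed");
        if (isErc721[nft]) {
            IERC721(nft).safeTransferFrom(seller, msg.sender, tokenId); // transfers for free
        } else {
            IERC1155(nft).safeTransferFrom(seller, msg.sender, tokenId, quantity, "");
        }
        l.quantity -= quantity;                                       // stays at 1: re-buyable
    }

    // HARDENED: quantity must be non-zero, and exactly 1 for ERC-721; the listing is consumed
    // (effects) before the payment and NFT transfer (interactions).
    function buyItem(address nft, uint256 tokenId, address seller, uint64 quantity) external {
        require(quantity > 0, "quantity must be > 0");
        bool erc721 = isErc721[nft];
        if (erc721) require(quantity == 1, "ERC721: quantity must be 1");

        Listing storage l = listings[nft][tokenId][seller];
        require(l.quantity >= quantity, "not enough listed");
        uint256 total = uint256(l.pricePerItem) * quantity;

        l.quantity -= quantity;
        if (l.quantity == 0) delete listings[nft][tokenId][seller];

        require(paymentToken.transferFrom(msg.sender, seller, total), "payment failed");
        if (erc721) {
            IERC721(nft).safeTransferFrom(seller, msg.sender, tokenId);
        } else {
            IERC1155(nft).safeTransferFrom(seller, msg.sender, tokenId, quantity, "");
        }
    }
}
```

When auditing a shared buy path, check every arithmetic input that the caller controls against the invariant it must hold for each token standard (here quantity == 1 for ERC-721), and confirm the listing is consumed before any external call so a failed or re-entrant transfer cannot leave it purchasable again.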


Common Issues in NFT Contract Audits

  1. Signature forgery and reuse

    • No replay protection, such as a per-user nonce or a record of consumed signatures, so one valid signature can be submitted again.
    • Unsound signature check, such as not rejecting a recovered signer of address(0): ecrecover returns address(0) for an invalid signature, so comparing it against an unset (zero) expected signer accepts a forged signature.
  2. Logical vulnerability

    • The administrator can mint beyond the declared total supply cap.
    • The auction flow is exposed to transaction-ordering (front-running) attacks.
  3. ERC-721/ERC-1155 reentrancy

    • The transfer notification hooks (onERC721Received / onERC1155Received) hand control to the recipient contract, which can re-enter before the caller's state has been updated.
  4. Over-broad authorization

    • Requiring setApprovalForAll (approval over every token in the collection) instead of a single-token approve raises the impact of a compromised or malicious operator and increases the risk of NFT theft.
  5. Price manipulation

    • NFT prices are derived from manipulable on-chain state, such as a token balance that a flash loan can change within a single transaction.
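Items 1, 2 and 3 above (signature replay and the zero-signer check, the admin supply cap, and reentrancy through the receiver hook) all show up in a single allowlist mint, so the added example below puts them in one contract. This is illustration code written for this page, not code from any project named above; the contract and function names (AllowlistMint, mintVulnerable, mint, ownerMint, phaseSigner) are hypothetical. The vulnerable function is kept deliberately flawed to match the list; the hardened function beside it binds the signed digest to the chain, contract, caller and a nonce, refuses a zero expected signer, records consumed digests, updates state before the callback, and guards against re-entry.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not code from any audited project; names are hypothetical.
interface IERC721Receiver {
    function onERC721Received(address operator, address from, uint256 tokenId, bytes calldata data)
        external returns (bytes4);
}

contract AllowlistMint {
    uint256 public constant MAX_SUPPLY = 1000;
    uint256 public constant PER_WALLET = 2;
    uint256 public totalSupply;
    address public immutable owner;
    mapping(uint256 => address) public ownerOf;
    mapping(address => uint256) public minted;
    mapping(uint256 => address) public phaseSigner;   // phase id => allowlist signer (set by owner)
    mapping(bytes32 => bool) public usedDigest;       // replay guard for the hardened path
    bool private entered;

    constructor() { owner = msg.sender; }

    modifier nonReentrant() { require(!entered, "reentrant"); entered = true; _; entered = false; }

    function setPhaseSigner(uint256 phase, address s) external {
        require(msg.sender == owner && s != address(0), "bad signer");
        phaseSigner[phase] = s;
    }

    // Minimal safe-mint: the receiver hook is an external call, so the recipient can re-enter here.
    function _safeMint(address to, uint256 tokenId) internal {
        ownerOf[tokenId] = to;
        if (to.code.length > 0) {
            bytes4 ret = IERC721Receiver(to).onERC721Received(msg.sender, address(0), tokenId, "");
            require(ret == IERC721Receiver.onERC721Received.selector, "unsafe recipient");
        }
    }

    // VULNERABLE (items 1 and 3): no nonce or chain/contract binding, so a signature can be replayed;
    // an unconfigured phase has phaseSigner == address(0), and ecrecover also returns address(0)
    // for a malformed signature, so a forged signature passes; and minted[] is updated only after
    // the receiver hook, so a re-entering recipient passes the per-wallet check again.
    function mintVulnerable(uint256 phase, uint8 v, bytes32 r, bytes32 s) external {
        bytes32 digest = keccak256(abi.encodePacked(msg.sender, phase));
        require(ecrecover(digest, v, r, s) == phaseSigner[phase], "bad sig");
        require(minted[msg.sender] < PER_WALLET, "wallet limit");
        require(totalSupply < MAX_SUPPLY, "sold out");
        uint256 tokenId = ++totalSupply;
        _safeMint(msg.sender, tokenId);   // callback runs with minted[] still at the old value
        minted[msg.sender] += 1;
    }

    // HARDENED: explicit non-zero expected signer, digest bound to chain id, this contract, the caller
    // and a nonce, each digest consumed once, effects before the external call, re-entry blocked.
    function mint(uint256 phase, uint256 nonce, uint8 v, bytes32 r, bytes32 s) external nonReentrant {
        address expected = phaseSigner[phase];
        require(expected != address(0), "phase not open");
        bytes32 digest = keccak256(abi.encodePacked(
            "\x19Ethereum Signed Message:\n32",
            keccak256(abi.encode(block.chainid, address(this), msg.sender, phase, nonce))
        ));
        require(!usedDigest[digest], "signature already used");
        address recovered = ecrecover(digest, v, r, s);
        require(recovered != address(0) && recovered == expected, "bad sig");
        require(minted[msg.sender] < PER_WALLET, "wallet limit");
        require(totalSupply < MAX_SUPPLY, "sold out");

        usedDigest[digest] = true;        // effects first ...
        minted[msg.sender] += 1;
        uint256 tokenId = ++totalSupply;
        _safeMint(msg.sender, tokenId);   // ... interaction last
    }

    // Item 2: an admin mint path must still honour MAX_SUPPLY, otherwise the cap is meaningless.
    function ownerMint(address to, uint256 count) external nonReentrant {
        require(msg.sender == owner, "not owner");
        require(totalSupply + count <= MAX_SUPPLY, "exceeds cap");
        for (uint256 i = 0; i < count; i++) _safeMint(to, ++totalSupply);
    }
}
```

Two review notes on the hardened path: the nonce does not need to be sequential, because the consumed-digest map already prevents reuse and the chain id and contract address stop a signature from being carried to a fork or a second deployment; and the explicit recovered != address(0) check is redundant once expected is known to be non-zero, but keeping it documents the ecrecover failure mode for the next reader.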

These issues recur in real attacks, which is why professional security audits are necessary. Project teams should treat contract security as a priority and engage professional organizations for a comprehensive audit to reduce their risk.


Comments
SchrodingersFOMO · 07-17 14:07
Isn't that how the death code is lost?

ForumMiningMaster · 07-14 15:37
Tsk tsk, another bloody lesson from a project getting hacked.

GweiWatcher · 07-14 15:37
Lost again; the loss is pretty severe.

ProposalDetective · 07-14 15:34
64.9 million is really tragic.

screenshot_gains · 07-14 15:28
I've said it many times: it's time for a rug pull.

DefiPlaybook · 07-14 15:15
Survival is impossible; I understand contract security too well from farming.