Cybersecurity firm Sayfer has identified a new vulnerability affecting 10% of all NFT projects. The so-called BadReveal vulnerability attacks the minting process of non-fungible tokens, which are meant to be generated randomly. By exploiting the BadReveal bug, an attacker could claim the best and most valuable NFTs at launch before reselling them for great profit on the secondary market.
With most NFT projects, tokens are minted blindly to ensure a fair distribution of NFTs, whose rarity traits can differ greatly. Within days of the mint being completed, the ‘reveal’ occurs whereupon the metadata is made public and buyers can ascertain the characteristics of their NFT. If an attacker somehow manages to access the metadata before it is revealed, they could use this information to snap up valuable unrevealed NFTs.
While analyzing the code for leading NFT projects, Sayfer researchers found that many of them entail two different transactions in the reveal process. The project owner first sets the unique metadata for the reveal and then later reveals the data to the public. In the time between these two transactions, which is typically hours or even days, a skilled attacker can scan all NFT metadata in the project and pinpoint the rarest tokens.
Sayfer found the vulnerability in dozens of projects whose codebase it assessed, and believes it is replicable in thousands more. Its team has stated that since there is no way to automatically test for the presence of the BadReveal vulnerability, NFT projects should commission a security audit prior to launch. This will give the community faith in the integrity of the minting process and ensure a fair distribution of NFTs to owners who will become passionately involved with the project.
Sayfer is a leading consultant cybersecurity company. We make organizations safer with ad-hoc solutions that close the gaps common security products fail to reach. Our clients enjoy fast, bespoke solutions that prevent major security breaches. Sayfer specializes in offensive defense by leveraging approaches that imitate the attacker’s behavior. Through reverse-engineering and vulnerability research, we are able to find novel security breaches in our client’s products and prevent the real bad guys from threatening our clients.
The information on or accessed through this website is obtained from independent sources we believe to be accurate and reliable, but Decentral Media, Inc. makes no representation or warranty as to the timeliness, completeness, or accuracy of any information on or accessed through this website. Decentral Media, Inc. is not an investment advisor. We do not give personalized investment advice or other financial advice. The information on this website is subject to change without notice. Some or all of the information on this website may become outdated, or it may be or become incomplete or inaccurate. We may, but are not obligated to, update any outdated, incomplete, or inaccurate information.
You should never make an investment decision on an ICO, IEO, or other investment based on the information on this website, and you should never interpret or otherwise rely on any of the information on this website as investment advice. We strongly recommend that you consult a licensed investment advisor or other qualified financial professional if you are seeking investment advice on an ICO, IEO, or other investment. We do not accept compensation in any form for analyzing or reporting on any ICO, IEO, cryptocurrency, currency, tokenized sales, securities, or commodities.
See full terms and conditions.
Join more than 100,000 subscribers


Write A Comment