Overview
In the context of NFTs, an API is defined as a set of rules and protocols that allow software applications, including websites and mobile apps, to interact with and access data from NFT marketplaces, blockchain networks, and related services.
API exploits in NFTs are attacks on vulnerabilities or weaknesses in the APIs used by NFT platforms or services. Malicious actors can use them to gain unauthorized access, manipulate data, or disrupt the functioning of NFT platforms.
Here are some common API exploits in the NFT space:
- Authentication Bypass: A common exploit involves finding weaknesses in the authentication process of an NFT platform’s API. If an attacker can bypass authentication, they may gain unauthorized access to user accounts, NFT collections, or other sensitive data.
- Data Manipulation: Attackers may attempt to manipulate the data sent through an NFT platform’s API. This can include altering metadata, pricing information, or ownership records to deceive users or gain financial advantages.
- Rate Limiting and Throttling Bypass: NFT platforms often implement rate limiting and request throttling to prevent abuse of their APIs. Exploits that circumvent these limitations can lead to API overload, service disruptions, or unfair advantages in trading or minting NFTs.
- API Key Exposure: If an API key used for authentication is exposed or leaked, malicious actors can use it to make unauthorized API calls on behalf of the key’s owner, potentially leading to unauthorized actions or data breaches.
- Cross-Site Request Forgery (CSRF): CSRF attacks involve tricking a user into making unintended, unauthorized API requests through their authenticated session. This can lead to actions being taken on the user’s behalf without their consent.
- Injection Attacks: Attackers may attempt to inject malicious code or payloads into API requests to exploit vulnerabilities in the platform’s API handling code. For example, SQL injection or code injection attacks can be used to access or manipulate data.
- Denial of Service: Attackers may flood an NFT platform’s API with a high volume of requests, overwhelming the infrastructure and causing service disruptions for legitimate users.
Remediation
Remediating API exploits in NFTs is crucial to maintaining the security and integrity of NFT platforms and services. Here are some remediation steps and best practices to address and prevent API exploits:
- Regular Security Audits: Conduct regular security audits and code reviews of your NFT platform’s API to identify vulnerabilities and weaknesses.
- Threat Modelling: Construct a structured approach to identifying, assessing, and mitigating potential security threats and vulnerabilities that could impact the integrity, availability, and confidentiality of data and assets related to NFTs.
- Authentication and Authorization: Implement strong authentication mechanisms for API access, such as API keys, OAuth, or JWT (JSON Web Tokens). Enforce proper authorization checks to ensure that only authorized users and applications can access sensitive API endpoints.
- Rate Limiting and Throttling: Implement rate limiting and request throttling to prevent abuse of your API. This helps protect against DDoS attacks and brute force attempts.
- Input Validation and Sanitization: Validate and sanitize all input data received via API requests to prevent injection attacks, such as SQL injection or script injection.
- Cross-Origin Resource Sharing (CORS): Implement proper CORS policies to control which domains can access your API. Restrict unnecessary cross-origin requests.
- Data Encryption: Use encryption (e.g., HTTPS/TLS) to protect data transmitted between clients and your API to prevent eavesdropping.
- Monitoring and Logging: Implement comprehensive logging and monitoring for your API. Monitor for unusual or suspicious activity and set up alerts for potential security incidents.
- Patch and Update Dependencies: Keep all software dependencies, including third-party libraries and frameworks, up to date with security patches.
- API Versioning: Implement versioning for your API to ensure backward compatibility while allowing for security improvements in newer versions.
Case Study: An OpenSea Bug that Allowed Attackers to Get Massive Discounts on Popular NFTs
The bug, which was discovered as early as Dec. 31, 2021, allowed attackers to buy NFTs at older, lower prices and sell them for a hefty profit.
One attacker, called jpegdegenlove, paid a total of $133,000 for seven NFTs – before quickly selling them on for $934,000 in ether.
Five hours later, this ether was sent through Tornado Cash, a ‘mixing’ service that is used to prevent blockchain tracing of funds.
The Attack
The bug appeared to have been present for weeks and seemed to have been referenced in at least one tweet from January 1st, 2022. However, exploitation of the bug picked up significantly later, around the end of January 2022. In a 12-hour stretch before the morning of January 24th, it was exploited at least eight times to “steal” NFTs with a market value of over $1 million.
One of the NFTs, Bored Ape Yacht Club #9991, was purchased using the exploit technique for 0.77 ETH ($1,760) and quickly resold for 84.2 ETH ($192,400), netting the attacker a profit of more than $190,000. An Ethereum address linked to the reseller had received more than 400 ETH ($904,000) in payouts from OpenSea in the same 12-hour period.
The Bug
The bug arises from a discrepancy between the data within NFT smart contracts and the information displayed on OpenSea’s user interface. In essence, attackers exploit outdated contracts existing on the blockchain, which are no longer visible in the OpenSea application’s interface.
OpenSea users sell NFTs by setting a “list price” for potential buyers to see. Due to the nature of smart contracts, if a buyer accepts that list price, the NFT is automatically transferred to them.
If an owner wants to re-list an NFT for a higher sale price, the proper way to do this is to cancel the first listing. Cancelling costs a “gas fee” that might be in the tens or even hundreds of dollars, so some users had skirted around this by transferring the NFT to another wallet, then back to the original wallet.
While this technique apparently removed the listing from the information in OpenSea’s front-end display, the original listing remained active on the blockchain and could allegedly be found through the OpenSea API.
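The listing behaviour described above, as an added example that is not OpenSea's code or part of the original article: a simplified Python model in which a listing stays acceptable while it is uncancelled and its seller holds the token, plus an audit that flags the listings an owner should cancel explicitly. The `Listing` and `Transfer` records, wallet names, prices and timestamps are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Listing:
    token_id: int
    seller: str
    price_eth: float
    created_at: int          # constructed timestamp, arbitrary units
    cancelled: bool = False

@dataclass(frozen=True)
class Transfer:
    token_id: int
    sender: str
    recipient: str
    at: int

def current_owner(token_id, minted_to, transfers):
    """Replay transfers in time order to find who holds the token now."""
    owner = minted_to
    for t in sorted(transfers, key=lambda t: t.at):
        if t.token_id == token_id:
            owner = t.recipient
    return owner

def fillable(listing, owner):
    """Assumed validity rule: uncancelled and the seller holds the token."""
    return not listing.cancelled and listing.seller == owner

def moved_since(listing, transfers):
    """True if the token was transferred after the listing was created."""
    return any(t.token_id == listing.token_id and t.at > listing.created_at
               for t in transfers)

def stale_listings(listings, minted_to, transfers):
    """Still fillable although the token moved after listing: cancel these."""
    return [l for l in listings
            if moved_since(l, transfers)
            and fillable(l, current_owner(l.token_id, minted_to[l.token_id], transfers))]

# Constructed sample data: token 1 is moved out and back instead of cancelling,
# then re-listed at a higher price; token 2 is listed normally.
MINTED = {1: "alice", 2: "bob"}
LISTINGS = [Listing(1, "alice", 0.77, created_at=10),
            Listing(1, "alice", 80.0, created_at=40),
            Listing(2, "bob", 5.0, created_at=15)]
TRANSFERS = [Transfer(1, "alice", "alice2", at=20),
             Transfer(1, "alice2", "alice", at=30)]
```

A marketplace can apply the same `moved_since` test server-side and refuse to return or match any listing that predates a transfer of the token.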
The Aftermath
Bored Ape Yacht Club, Mutant Ape Yacht Club, CyberKongz and Cool Cats NFTs were affected. One collector, who saw their BAYC sell for 0.77 ether, went on Twitter to express their shock on realizing the NFT had disappeared.