In February 2022, OpenSea fell prey to a major phishing attack that resulted in over $1.7 million in nonfungible tokens (NFTs) being stolen from users. It wasn’t the only incident: Blockchain users reportedly lost $3.9 billion to fraudulent activity in 2022 alone.
As we entered 2023, there was a chorus of promises to increase security within the crypto space. But, so far, things haven’t significantly changed. Companies that utilize blockchain still aren’t doing enough to prevent scams.
If blockchain technology is going to see mass adoption, companies will have to change their approach from the bottom up. By focusing on education and implementing better processes to identify malicious activity, these platforms can better serve their customers as the space continues to grow.
Blockchain platforms need to learn how to identify malicious activity
In the case of the OpenSea hack, victims were asked to sign an incomplete contract, seemingly at the platform’s request. While OpenSea’s core infrastructure was not hacked, the fake accounts were able to take advantage of the open-source Wyvern Protocol. Hackers were then able to use the owner’s signature to be transferred to a false contract that gave them ownership without having to pay for the NFTs.
Related: 10 predictions for crypto in 2023
OpenSea recently reversed some of its previous policies after it was reported that 80% of NFTs minted for free on the platform were plagiarized or spam. OpenSea also relies on trust in the developers that use its API, which is not a foolproof way to assess risk. These developers could use the API for malicious purposes to take advantage of users signing contracts they don’t read.
Smart contracts are an integral part of the blockchain engine and can be found everywhere, from NFT exchanges to veritable decentralized applications. Understanding how these contracts function is imperative to keeping users secure. Rather than reinventing the wheel, companies can implement standard protocols to ensure smart contracts are resilient and protected from malicious activity. From there, companies can take advantage of the blockchain’s flexible nature and customize their contract, like setting up multisignature wallets and regular unit testing.
Beware of the spammy airdrop
If you look for the popular Mutant Hounds collection featured on OpenSea’s top collections, there is no indication of which collection is legitimate. Lack of verification can lead to counterfeit collections being formed, artificially increasing the price to make it appear legitimate and confusing to users. Fake collections are often distributed through airdrops, intended to be found through an NFT platform’s search functionality.
Related: What Paul Krugman gets wrong about crypto
Spammy collections can also send users NFTs they did not ask for via airdrops. Users will be redirected not through the platform where they hold a collection, such as OpenSea, but via a different site, where the scam occurs.
This is a commonplace risk that can be addressed by platforms monitoring such activity, either through a crowdsourced database that tracks fraudulent accounts or an administrative tool that knows what to look for and is constantly aware of updated scams. In addition, NFT platforms can require bids to be in the same currency as the listing to avoid confusion. Many users have been scammed by accepting an offer in a less valuable currency than the one in which they listed the NFT for sale. Blockchain platforms can rely on data to expose their outliers by flagging suspicious activity based on irregular activity among a small number of holders.
Of course, it must be noted that companies like OpenSea are in the challenging position of having to police fraudulent accounts that mint on their platform. In many cases, it boils down to a need for more verification of the official collection.
Onboarding is an integral part of the business plan
Onboarding should be a core part of the blockchain experience for veteran and novice users. Like smart contracts, establishing clear user guidelines and highlighting potential risks should be considered one of the fundamental best practices for ensuring user safety. These guides should be regularly reviewed, taking into account risk assessment, and adjusted accordingly as blockchain matures.
Among experienced users, the initialism “DYOR” is commonplace among users on the blockchain. As an abbreviation of “do your own research,” this expression has become an unspoken rule for those interacting with potential investment opportunities. Yet, it can be challenging for newcomers to know precisely where to start. There is a chorus of discordant information from influencers within the space who are often pushing the next big thing and driving risky investments, resulting in users falling victim to scams or loss of assets. Guidelines and educational materials should be readily available, curated to each platform’s value system and unique risks.
Why best practices should be a priority for all blockchain platforms
As the blockchain community currently works through its growing pains, companies should take the hard lessons learned via major exploits like the ones on OpenSea and refine their security protocols to ensure that doesn’t happen again. Learning the ins and outs of basic technology, from smart contracts to how to protect one’s seed phrase, should be the starting point. From there, learn how to implement and maintain best practices, such as identifying malicious activity and those wreaking havoc. Perhaps all it would have taken to prevent some of the most recent large-scale hacks was simply for someone to notice that something seemed off.
Michael R. Pierce is the co-founder and CEO of NotCommon. He received both his BBA and MBA from The University of Texas at Austin.
This article is for general information purposes and is not intended to be and should not be taken as legal or investment advice. The views, thoughts and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.
GIPHY App Key not set. Please check settings