Sayfer identifies security vulnerability affecting 10% of all NFT projects

Cybersecurity firm Sayfer has identified a new vulnerability affecting 10% of all NFT projects. The so-called BadReveal vulnerability attacks the minting process of non-fungible tokens, which are meant to be randomly generated. By exploiting the BadReveal flaw, an attacker could claim the best and most valuable NFTs at launch before reselling them for large profits on the secondary market.

Sayfer aims to prevent smart contract errors

With most NFT projects, tokens are minted blindly to ensure a fair distribution of NFTs, whose rarity traits can vary greatly. Within days of the mint's completion, the "reveal" occurs: the metadata is made public and buyers can find out the properties of their NFT. If an attacker somehow manages to access the metadata before it is disclosed, they can use this information to capture valuable undisclosed NFTs.

While analyzing the code of leading NFT projects, Sayfer researchers found that many of them involve two different transactions in the disclosure process. The project owner first sets the unique metadata for the disclosure and then discloses the data to the public. In the time between these two transactions, which is usually hours or even days, a skilled attacker can scan all NFT metadata in the project and find the rarest tokens.
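As an added example (not Sayfer's code or any project's own), the Python helper below takes a recorded launch timeline and measures the window between the metadata-setting transaction and the reveal, listing every token acquisition that fell inside it. The event names, accounts, token IDs and timestamps are constructed for illustration; it reviews a timeline, not contract code.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical event kinds for this example; real contracts name these differently.
SET, REVEAL = "set_metadata", "reveal"
ACQUIRE = {"mint", "transfer"}

@dataclass
class Exposure:
    opened: Optional[int]   # timestamp of the first metadata-setting transaction
    closed: Optional[int]   # timestamp of the reveal, None if not yet revealed
    seconds: int            # window length (measured up to `now` if still open)
    acquisitions: list      # (timestamp, account, token_id) inside the window

def reveal_exposure(events, now):
    """events: iterable of (timestamp, kind, account, token_id) tuples."""
    events = sorted(events, key=lambda e: e[0])
    opened = next((t for t, kind, *_ in events if kind == SET), None)
    if opened is None:
        return Exposure(None, None, 0, [])      # metadata never set: no window
    closed = next((t for t, kind, *_ in events
                   if kind == REVEAL and t >= opened), None)
    end = closed if closed is not None else now
    # Acquisitions made while metadata was set but not yet revealed
    inside = [(t, acct, tok) for t, kind, acct, tok in events
              if kind in ACQUIRE and opened <= t < end]
    return Exposure(opened, closed, end - opened, inside)

# Constructed sample timeline (timestamps in seconds).
SAMPLE = [
    (1000, "mint", "0xA1", 1),
    (2000, "mint", "0xB2", 2),
    (5000, "set_metadata", "owner", None),
    (9000, "transfer", "0xC3", 2),
    (12000, "mint", "0xC3", 3),
    (48200, "reveal", "owner", None),
    (50000, "transfer", "0xD4", 1),
]

if __name__ == "__main__":
    report = reveal_exposure(SAMPLE, now=60000)
    print(f"window: {report.seconds / 3600:.1f} h")
    for ts, account, token in report.acquisitions:
        print(f"  t={ts} account={account} token={token}")
```

A window of zero seconds means the metadata was set and revealed at the same timestamp, so no acquisition could fall between the two steps.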

Sayfer found the vulnerability in dozens of projects whose codebases it assessed, and believes it is replicable in the thousands. The team has stated that since there is no way to automatically test for the presence of the BadReveal vulnerability, NFT projects should conduct a security audit before launch. This will give the community faith in the integrity of the minting process and ensure a fair distribution of NFTs to owners who will be passionately involved in the project.

Sayfer is a leading consultancy within cyber security. We make organizations safer with ad-hoc solutions that plug the gaps that regular security products don’t reach. Our customers enjoy fast, tailored solutions that prevent major security breaches. Sayfer specializes in offensive defense utilizing approaches that mimic the attacker’s behavior. Through reverse engineering and vulnerability research, we are able to find new security breaches in the customer’s products and prevent the real bad guys from threatening our customers.
