Delving NFT vulnerabilities, a sleepminting prevention system

Abstract

The rise of Non-Fungible Tokens (NFTs) is beginning to revolutionize the digital world thanks to the unique property of these tokens. Indeed, they can represent the ownership of physical or digital assets. They are implemented using smart contracts, therefore if the code of the smart contract contains bugs, an attacker can exploit its vulnerabilities to perform an attack called sleepminting. Sleepminting consists of transferring NFTs owned by an address, without the owner’s consent. In this paper, we provide a detailed analysis of the sleepminting attack and, thanks to the insights gained, we propose a prevention system to reduce the number of sleepminting attacks. Our prevention system is based on analysing the transactions included in new blocks, detecting those that are related to sleepminting attacks and keeping track of the addresses that are involved in these transactions. A dictionary-like data structure can be used to keep track of the addresses involved, where the key is the address and the value acts as a counter for the number of times the address is involved in sleepminting. With this information, block-creating nodes can add another verification step before adding a transaction to a block, which consists of blocking transactions when the addresses involved appear in sleepminting attacks a number of times greater than a threshold. The evaluation shows that sleepminting is a relevant phenomenon, and now it involves NFT transfers rather than NFT minting. Our proposed prevention system is able to block up to 87% of attacks.