Last year, the world woke up to NFTs: the first digital product standard that is platform-agnostic. They represent the basic building blocks for brand new peer-to-peer economies, giving more freedom, portability and ownership over digital goods, and allowing developers to build powerful, interoperable applications that provide real economic value and utility to users across all blockchain-enabled platforms. They introduce a brand new, exciting surface area through which consumers, creators, developers, brands and communities can interact – and with that comes a responsibility for the platforms enabling it to keep consumers safe.
Today, consumers are expected to have significant knowledge and blockchain background in order to onboard and participate safely. Many platforms building on top of web3 are disintermediating themselves from the property, controls, and responsibilities expected of their users, and no one (including OpenSea) yet has all the right tools in place to help consumers navigate the complexities of NFT security independently.
We believe the security implications of web3 extend across platforms, and that the inevitable trend toward disintermediation comes with security implications and responsibilities for everyone involved. Simply put: more collaboration in this space is required to tackle security and safety challenges at the highest level, which is why we’re announcing the creation of a private NFT Security Group.
Originally announced at NFT.NYC, the NFT Security Group began modestly by gauging interest and inviting other companies in the space. We plan to extend invitations to others collaboratively. Current participation includes:
- Adobe
- Alchemy
- Arweave
- Bitski
- Blockade Games
- Coinbase
- Foundation
- Horizon Blockchain Games
- Immunefi
- Protocol Labs (IPFS)
- KnownOrigin
- Ledger
- MakersPlace
- Manifold
- MetaMask
- Nifty Gateway
- OpenSea
- Polygon
- Rarible
- Showtime
- SuperRare
- WalletConnect
- Zora
- 0x
Let’s discuss the purpose of the group, the kinds of issues that members will discuss, and how you can get involved.
Goals of the NFT Security Group
To start out, this group will be proactive, community-driven, close-hold – and most importantly, focused on cross-platform safety:
- Proactive: Members should expect to share and learn about vulnerability reports that have not yet been publicly announced, or that have yet to impact their respective user base. That way, they can focus on fixing impending problems before they happen, rather than only reacting after the fact.
- Community-driven: Members of this group should submit vulnerabilities and fix specs early, when they are reported and understood, and even before a fix is launched. We will help identify the clearest opportunities to be proactive and drive impact.
- Close-hold: This will be a private working group that maintains strict confidentiality principles. Members should expect confidentiality from others in the group, and membership is restricted to dedicated Security teams from each member project. This goal requires the group to be invite-only.
- Focused on cross-platform safety: Most importantly, this security council aims to safeguard users universally by spreading awareness and fixes to other companies and ecosystems in good faith.
Membership in this group requires an invitation from the committee, and a commitment to the shared goal of collective improvement to drive mainstream adoption. We seek to have impact through collaboration and accountability, and we understand that consumers will always have many options when choosing their NFT and web3 platforms. Vulnerabilities across specific platforms will persist and impact the industry, unless we can tackle them together.
Security Group Topics
From what we’ve seen to date, NFT security can be broken down into five main buckets:
- Blockchain consensus security: Is the chain secure at a foundational level? Are transactions forgeable? Are forks dangerous for consumers? How likely is a denial-of-service attack?
- Smart contract security: Are the programs that manage token ownership and metadata secure? Do they do what they claim and only what they claim? How much do they rely on a central wallet authority for administration?
- Wallet security: Are the extensions or libraries for interacting with wallets resistant to exploits? Are the user interfaces prone to phishing attacks or other forms of deception? Are the programs behind smart contract wallets secure?
- Metadata security: Are the images, animations, traits, and other metadata for an NFT safe to display to all users? Are they deceptive? Are they resistant to the potential compromise of any third-party systems?
- Interoperability: This is a more future-oriented sector, since we haven’t seen much interoperability in the space but expect more to come. When one project incorporates another’s NFTs, are users aware of the implications? Are they able to grant consent to cross-project NFT actions, where appropriate?
For many of these sectors, proper user education and UX guidance will be critical. We still operate in a paradigm of company-owned digital goods, and most people do not understand that companies like OpenSea cannot move their items for them, or that another company can interact with their listings and items just like OpenSea can. We will need others’ help to push the new paradigm forward.
How you can get involved
To help members feel comfortable disclosing as many vulnerabilities as possible up front, membership in this group will be invite-only for now. Members will have the opportunity to vote on and collectively extend invitations to new members.
However, there are several ways that individual security contributors can assist:
- Participate in OpenSea’s public bug bounty program: We’ve just publicized our bug bounty program on HackerOne and our company blog. We have industry-leading rewards and have paid for over 25 reported issues.
- Participate in other bug bounty programs within the web3 community: There’s a great list of bounties maintained by Immunefi at https://immunefi.com/explore/ and another in the Hacken ecosystem at https://hackenproof.com/public-bug-bounty-list.
- Participate in audit contests: these are typically more scoped and targeted than bug bounty programs, and can be exciting to work on as well. A great list of contests is available at https://code4rena.com/
- Work with an auditing firm: these firms help keep the community safe from accidental bugs and exploits in smart contracts. A list is being compiled here: https://www.defisafety.com/auditors
- Come join the OpenSea Security Team!
In the new year, we will also ramp up the security content we publish here on our blog. We are at the forefront of a new and more powerful web. We welcome the best minds in security to join us.