Demystifying Web3 Centralization: The Case of Off-Chain NFT Hijacking

  • Conference paper
Financial Cryptography and Data Security (FC 2023)

Abstract

Despite the ambitious vision of re-decentralizing the Web as we know it, the Web3 movement is facing many hurdles of centralization which seem insurmountable in the near future, and the security implications of centralization remain largely unexplored. Using non-fungible tokens (NFTs) as a case study, we conduct a systematic analysis of the threats posed by centralized entities in the current Web3 ecosystem. Our findings are concerning: almost every interaction between a user and a centralized entity can be exploited to hijack NFTs or cryptocurrencies from the user, through network attacks practical today. We show that many big players in the ecosystem are vulnerable to such attacks, placing large financial investments at risk. Our study is a starting point to study the pervasive centralization issues in the shifting Web3 landscape.


Notes

  1. For example, the file chunk size that influences the calculation of CID.

  2. Note that a user in our model can retrieve an asset file’s identifier and authenticator (e.g., a CID or digital signature) from a secure decentralized infrastructure.

  3. In the case of OpenSea, a user maintains a logged-in status if it cryptographically signed a “login-in” challenge in the last 24h.
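Notes 1 and 2 describe the content identifier (CID) as the authenticator a user can check an off-chain asset against. The following added example (not code from the paper or its authors) shows that check for the simplest case: a single-block file whose CIDv1 uses the raw codec and sha2-256, which is the only case where the CID is a direct hash of the file bytes. The constants and sample asset bytes are constructed for illustration; multi-block files, whose CID depends on the chunker as Note 1 points out, are deliberately out of scope.

```python
import base64
import hashlib

# Multicodec / multihash constants from the IPFS CID specification.
CID_V1 = 0x01
CODEC_RAW = 0x55         # "raw" codec: the CID hashes the file bytes directly
MH_SHA2_256 = 0x12
MH_LEN_SHA2_256 = 0x20   # 32-byte digest


def raw_cid_v1(data: bytes) -> str:
    """CIDv1 (raw codec, sha2-256, base32 multibase) of a single-block file.

    This equals the CID produced by `ipfs add --cid-version=1 --raw-leaves`
    only while the file fits in one chunk (256 KiB by default). Larger files
    become a UnixFS DAG whose root CID depends on the chunk size (Note 1);
    that case is not modelled here.
    """
    digest = hashlib.sha256(data).digest()
    cid_bytes = bytes([CID_V1, CODEC_RAW, MH_SHA2_256, MH_LEN_SHA2_256]) + digest
    b32 = base64.b32encode(cid_bytes).decode("ascii").lower().rstrip("=")
    return "b" + b32   # 'b' is the multibase prefix for lowercase base32


def asset_matches_cid(fetched: bytes, expected_cid: str) -> bool:
    """Compare bytes served by a centralized gateway (which may be hijacked)
    against the CID obtained from a trusted source, e.g. the token's on-chain
    metadata. A mismatch means the served asset is not the one the NFT points to."""
    return raw_cid_v1(fetched) == expected_cid


# Constructed sample: the "on-chain" CID is derived from the genuine asset;
# a hijacked gateway then serves a swapped file under the same URL.
GENUINE_ASSET = b'{"name": "Token #1", "image": "genuine.png"}'
ON_CHAIN_CID = raw_cid_v1(GENUINE_ASSET)
SWAPPED_ASSET = b'{"name": "Token #1", "image": "swapped.png"}'

if __name__ == "__main__":
    print("genuine :", asset_matches_cid(GENUINE_ASSET, ON_CHAIN_CID))   # True
    print("swapped :", asset_matches_cid(SWAPPED_ASSET, ON_CHAIN_CID))   # False
```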


Author information


Correspondence to Felix Stöger .


Copyright information

© 2024 International Financial Cryptography Association

About this paper


Cite this paper

Stöger, F., Zhou, A., Duan, H., Perrig, A. (2024). Demystifying Web3 Centralization: The Case of Off-Chain NFT Hijacking. In: Baldimtsi, F., Cachin, C. (eds) Financial Cryptography and Data Security. FC 2023. Lecture Notes in Computer Science, vol 13951. Springer, Cham. https://doi.org/10.1007/978-3-031-47751-5_11


  • DOI: https://doi.org/10.1007/978-3-031-47751-5_11


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-47750-8

  • Online ISBN: 978-3-031-47751-5
