NFT Marketplace Smart Contract Audit Guidelines
Read time: Five minutes

Learn how to protect your market from notorious hacks.

NFTs have been hyped for the last few years, and their range of use cases is wide: in-game items, collectibles, and tokenised records of real-world possessions. The market for trading them has grown alongside.

An NFT marketplace is a platform that facilitates the transfer and exchange of NFT ownership under its own rules for buying and selling. This is where NFTs are offered for sale, and the various buying and bidding mechanisms shape the seller’s experience. Buyers, in turn, depend on the security of the marketplace’s smart contracts.

Think for a moment how important it has become for marketplaces to stay secure and protect themselves and their users from fraud and hacking. Imagine how much you would lose if your marketplace smart contracts were compromised: a single vulnerability can cost millions of dollars. Marketplaces must remain vigilant against ever-evolving Web3 security threats. We at QuillAudit understand this need and offer some key tips for protecting an NFT marketplace. Let’s look at them one by one.


In this section we look at tips and an NFT marketplace checklist for keeping your marketplace safe against the ever-evolving wave of exploits.

1. Owner-only functions

These are functions that only the marketplace operator (the contract owner) can call, not buyers or sellers of NFTs. They are useful for keeping the platform running smoothly. If they are not implemented properly, however, they can cost the marketplace dearly.

For example, there should be no way for the commission parameter to be set to 100% so that the seller gets nothing and the entire sale goes to the owner (the marketplace). A marketplace that allows this will not be trusted and will not grow. Validate the input parameters of these functions properly, not just the caller.
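As an added illustration (not code from the original post or from QuillAudits), here is the commission setter written both ways in Solidity: the unchecked version lets whoever holds the owner key set any fee, the hardened version enforces a hard cap in code. The 10% cap, the basis-point representation and the contract name are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration (not QuillAudits code): an owner-only commission setter
/// without and with input validation. Fees are in basis points (100 bps = 1%).
contract FeeConfig {
    uint16 public constant MAX_FEE_BPS = 1_000; // hard cap of 10% (assumed policy)
    uint16 public feeBps = 250;                 // 2.5% default (assumed)
    address public owner;

    event FeeUpdated(uint16 oldFeeBps, uint16 newFeeBps);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    /// VULNERABLE: checks the caller but not the value. A malicious or
    /// compromised owner key can set 10_000 bps (100%) and take every sale.
    function setFeeUnchecked(uint16 newFeeBps) external onlyOwner {
        feeBps = newFeeBps;
    }

    /// HARDENED: the cap is enforced in code, so the worst the owner key can
    /// do is bounded, and every change is visible on-chain through the event.
    function setFee(uint16 newFeeBps) external onlyOwner {
        require(newFeeBps <= MAX_FEE_BPS, "fee above cap");
        emit FeeUpdated(feeBps, newFeeBps);
        feeBps = newFeeBps;
    }

    /// How a sale of `price` splits under the current fee; the two parts
    /// always sum to `price`, so nothing is lost to rounding.
    function split(uint256 price) external view returns (uint256 toMarketplace, uint256 toSeller) {
        toMarketplace = (price * feeBps) / 10_000;
        toSeller = price - toMarketplace;
    }
}
```

With the cap, the worst case for users is known in advance (at most 10% here) even if the owner key is stolen. If the marketplace wants to go further, putting setFee behind a timelock gives users notice before any change takes effect.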

2. Automated bots

Automated bots are programs that run with little or no human intervention. On a marketplace they can distort NFT sales, inflate prices, and grab limited NFT drops or launches ahead of human users. All of this can have a significant impact on the market.

Bots can be mitigated, deterred, blocked and rate-limited, but first you have to identify them on the platform, which is the hard part. The most practical route is to bring in NFT auditors for this. Web3 security companies like QuillAudits can help fix issues and advise on how to proceed.

3. Paid features

Paid functions in your marketplace contract, such as buy(), should be thoroughly tested. A function with many if branches is easy to get wrong, and you must not miss an important check in any of them: every path must either complete the sale or revert so that the buyer’s ether is returned. For example, a buy() that accepts ether from the buyer and passes its checks, but then fails to perform a key step (transferring the NFT, paying the seller), can leave that ether stuck in the contract. Handle this with care.

4. Bidding Checks

Bidding is an important marketplace function for users, but it leads to a lot of bugs if you don’t pay attention to it. Here are the essential checks:

  1. A new bid must always be higher than the current highest bid, ideally by at least a minimum increment so a bidder cannot outbid by a single unit.
  1. If the bid token (e.g. USDC) is escrowed in the contract (transferred to address(this)), double-check the amounts: what you record as the bid must be what the contract actually received.
  1. Once the auction ends, how does the winner receive the NFT? The NFT must already be held by the contract itself (address(this)) so the contract can transfer it to the winner without depending on the seller, and the winning bid amount must be sent to the seller. Check these calculations as well.
  1. Whenever a new bid is placed, the previous bidder must get their bid amount back. This simple but critical step is sometimes missed, or the refund is miscalculated, so write a test case for it.
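The four checks above, implemented together in an added Solidity example (not code from the original post or from QuillAudits). It assumes OpenZeppelin Contracts 5.x for IERC721, IERC20, SafeERC20 and ReentrancyGuard; the contract name, constructor parameters, the reserve price and the minimum-increment rule are illustrative choices.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC721} from "@openzeppelin/contracts/token/ERC721/IERC721.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

/// Added illustration (not QuillAudits code): one NFT auctioned for an ERC-20
/// bid token such as USDC. Deployed by the seller, who must have approved the
/// NFT to this contract beforehand.
contract NftAuction is ReentrancyGuard {
    using SafeERC20 for IERC20;

    IERC721 public immutable nft;
    uint256 public immutable tokenId;
    IERC20 public immutable bidToken;
    address public immutable seller;
    uint64 public immutable endTime;
    uint256 public immutable minIncrement; // a new bid must beat the old one by at least this

    address public highestBidder;          // address(0) until the first valid bid
    uint256 public highestBid;             // starts at the reserve price
    bool public settled;
    mapping(address => uint256) public refunds; // outbid bidders withdraw from here

    event BidPlaced(address indexed bidder, uint256 amount);
    event Settled(address indexed winner, uint256 amount);

    constructor(IERC721 nft_, uint256 tokenId_, IERC20 bidToken_,
                uint256 reservePrice, uint256 minIncrement_, uint64 duration) {
        require(reservePrice > 0, "zero reserve");
        nft = nft_;
        tokenId = tokenId_;
        bidToken = bidToken_;
        seller = msg.sender;
        highestBid = reservePrice;
        minIncrement = minIncrement_;
        endTime = uint64(block.timestamp) + duration;
        // Escrow check: the NFT is pulled in now, so settlement cannot fail
        // later because the seller moved the token or revoked approval.
        nft_.transferFrom(msg.sender, address(this), tokenId_);
    }

    function bid(uint256 amount) external nonReentrant {
        require(block.timestamp < endTime, "auction ended");
        require(msg.sender != seller, "seller cannot bid");
        // Higher-bid check: the reserve is the first amount to reach; after
        // that, every bid must add at least the minimum increment.
        uint256 minBid = highestBidder == address(0) ? highestBid : highestBid + minIncrement;
        require(amount >= minBid, "bid too low");

        // Refund check: credit the outbid bidder instead of pushing tokens to
        // them. A push refund to an address the token contract rejects (USDC
        // keeps a blocklist) would revert and freeze the auction for everyone.
        if (highestBidder != address(0)) {
            refunds[highestBidder] += highestBid;
        }
        highestBidder = msg.sender;
        highestBid = amount;

        // Escrow check: pull the bid token into address(this) and verify the
        // amount actually received, so a fee-on-transfer token cannot over-credit.
        uint256 before = bidToken.balanceOf(address(this));
        bidToken.safeTransferFrom(msg.sender, address(this), amount);
        require(bidToken.balanceOf(address(this)) - before == amount, "short transfer");
        emit BidPlaced(msg.sender, amount);
    }

    /// Outbid bidders pull their refund; a blocked address only blocks itself.
    function withdrawRefund() external nonReentrant {
        uint256 amount = refunds[msg.sender];
        require(amount > 0, "nothing to withdraw");
        refunds[msg.sender] = 0;
        bidToken.safeTransfer(msg.sender, amount);
    }

    /// Settlement check: after the end, the NFT goes to the winner and the
    /// winning bid to the seller. With no valid bid the NFT returns to the seller.
    function settle() external nonReentrant {
        require(block.timestamp >= endTime, "auction live");
        require(!settled, "already settled");
        settled = true;
        if (highestBidder == address(0)) {
            nft.transferFrom(address(this), seller, tokenId);
            return;
        }
        // transferFrom rather than safeTransferFrom: a winning contract without
        // onERC721Received must not be able to make settlement revert forever.
        nft.transferFrom(address(this), highestBidder, tokenId);
        bidToken.safeTransfer(seller, highestBid);
        emit Settled(highestBidder, highestBid);
    }
}
```

The accounting invariant to test is that the contract’s bid-token balance always equals highestBid (when there is a bidder) plus the sum of all refund balances; a test that places three bids from different accounts and then withdraws the two refunds will catch both a missed refund and a miscalculated one.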

5. Some general checks

This section lists common checks that developers should run on marketplace smart contracts. They may be common, but they are not trivial: NFT smart contract vulnerabilities caused by missing these checks have led to large losses, and we don’t want that. Let’s see them.

  1. Check whether an oracle is used. Can you manipulate that oracle into giving a wrong answer?
  1. The platform must not allow an NFT to be relisted at a new price without cancelling the previous listing; otherwise a stale listing at the old price can still be bought.
  1. A buyer must only receive an NFT after paying the full price and fee. Double-check the fee deduction arithmetic (basis points, rounding, and that the seller’s share plus the fee equals the amount paid).
  1. Enumerate every external call the marketplace contract makes. Where it calls untrusted contracts on-chain (the NFT contract, a payment token, an ETH recipient), follow checks-effects-interactions and use a reentrancy guard.
  1. Check for front-running. Someone who sees a pending transaction and submits their own ahead of it should not be able to obtain an NFT at a discount or pay a reduced fee.
  1. If an exchange’s spot price is used to determine fees or purchase prices, check whether it can be manipulated. Are you vulnerable to flash loan attacks? Do not rely on a spot price; use an oracle (ideally a time-weighted one) to determine prices.
  1. Make sure NFT URIs cannot be changed once set, and that metadata is stored on decentralized file storage rather than a centralized server. Mutable or centrally hosted metadata can be swapped out in a rug pull.
  1. Check whether an NFT can still be bought after its owner has removed it from sale on the marketplace. A bug of this kind was found on one of the most popular NFT platforms and cost an owner their NFT.
  1. Marketplace logic should not rely on a standing ERC-721 approval granted to the contract. When a sale is created, transfer the NFT from the seller to the marketplace with transferFrom, so that once the sale completes the NFT can be transferred directly to the buyer without depending on the seller’s approval still being in place or the seller still owning the token.
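An added example (not code from the original post or from QuillAudits) tying together several of the checks above and the paid-function point from section 3: a fixed-price listing contract in Solidity that escrows the NFT with transferFrom at listing time, refuses to relist without a cancel, delists before any token leaves, guards every external call, and routes every wei of payment into pull-payment balances so nothing is stranded in the contract. It assumes OpenZeppelin Contracts 5.x for IERC721 and ReentrancyGuard; the fee cap, the exact-payment rule and the names are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC721} from "@openzeppelin/contracts/token/ERC721/IERC721.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

/// Added illustration (not QuillAudits code): fixed-price listings paid in ETH.
contract FixedPriceMarket is ReentrancyGuard {
    struct Listing {
        address seller;
        uint256 price;
    }

    uint16 public constant MAX_FEE_BPS = 1_000; // 10% cap (assumed)
    uint16 public immutable feeBps;
    address public immutable feeRecipient;

    // nft contract => tokenId => listing
    mapping(address => mapping(uint256 => Listing)) public listings;
    // pull-payment balances: every wei received ends up here, never stranded
    mapping(address => uint256) public pendingWithdrawals;

    event Listed(address indexed nft, uint256 indexed tokenId, address indexed seller, uint256 price);
    event Cancelled(address indexed nft, uint256 indexed tokenId);
    event Sold(address indexed nft, uint256 indexed tokenId, address indexed buyer, uint256 price);

    constructor(uint16 feeBps_, address feeRecipient_) {
        require(feeBps_ <= MAX_FEE_BPS, "fee above cap");
        require(feeRecipient_ != address(0), "zero recipient");
        feeBps = feeBps_;
        feeRecipient = feeRecipient_;
    }

    /// Escrow at listing time: transferFrom reverts unless msg.sender owns the
    /// token and approved this contract, so it doubles as the ownership check.
    /// A listed token is owned by this contract, so it cannot be relisted at a
    /// new price until cancel() hands it back; the explicit check gives a clear error.
    function list(IERC721 nft, uint256 tokenId, uint256 price) external nonReentrant {
        require(price > 0, "zero price");
        require(listings[address(nft)][tokenId].seller == address(0), "already listed, cancel first");
        listings[address(nft)][tokenId] = Listing(msg.sender, price);
        nft.transferFrom(msg.sender, address(this), tokenId);
        emit Listed(address(nft), tokenId, msg.sender, price);
    }

    /// Delist first, then return the token, so no window exists in which the
    /// token is back with the seller but still purchasable.
    function cancel(IERC721 nft, uint256 tokenId) external nonReentrant {
        require(listings[address(nft)][tokenId].seller == msg.sender, "not seller");
        delete listings[address(nft)][tokenId];
        nft.transferFrom(address(this), msg.sender, tokenId);
        emit Cancelled(address(nft), tokenId);
    }

    /// Exact payment only, so the contract never holds ether it cannot account for.
    /// Effects (delete listing, credit balances) happen before the external call.
    function buy(IERC721 nft, uint256 tokenId) external payable nonReentrant {
        Listing memory l = listings[address(nft)][tokenId];
        require(l.seller != address(0), "not listed");
        require(msg.value == l.price, "send exact price");
        delete listings[address(nft)][tokenId];

        uint256 fee = (msg.value * feeBps) / 10_000;
        pendingWithdrawals[feeRecipient] += fee;
        pendingWithdrawals[l.seller] += msg.value - fee; // seller share + fee == price

        nft.transferFrom(address(this), msg.sender, tokenId);
        emit Sold(address(nft), tokenId, msg.sender, msg.value);
    }

    /// Sellers and the fee recipient pull their ether; a recipient that cannot
    /// receive ETH only blocks its own withdrawal, never someone else's sale.
    function withdraw() external nonReentrant {
        uint256 amount = pendingWithdrawals[msg.sender];
        require(amount > 0, "nothing to withdraw");
        pendingWithdrawals[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Two invariants are worth asserting in the test suite: the contract’s ETH balance equals the sum of all pendingWithdrawals (no stranded ether from the paid path), and after cancel() the listing is gone before the token moves, so a buy() in the same block reverts with "not listed" instead of taking the seller’s token. Pull payments also mean a seller whose address rejects ETH cannot make a buyer’s purchase revert.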


There are many NFTs worth millions of dollars. Imagine how much their value would decrease if NFT marketplaces were compromised. No marketplace wants that. As you can see, the marketplace platform is powered by user trust. Users need to feel protected and secure in order to get the most out of the platform.

The checks above are important and help protect the marketplace from attacks. Yet, as you know, security always demands more. Attacks against valuable protocols are constantly evolving, and to stay ahead of them you should audit your contracts regularly. A team of experienced professionals will help protect your protocol and reduce its risk. Check out our website and protect your Web3 projects!



Copyright ©️ All rights reserved. | Investors Radar