Why the Hack of Nifty Gateway Raises Far-Reaching Questions About the Entire NFT Market
This week, a reminder that accessibility and vulnerability go hand in hand…
ATTACK THE BLOCK
Last weekend, multiple users of popular NFT marketplace Nifty Gateway took to Twitter to sound the alarm that their accounts had been hacked, leading to hundreds of thousands of dollars in stolen tokens and/or tens of thousands of dollars in fraudulent purchases. The aftermath of the breach clarified the intrinsic tension between rapidly expanding crypto-art’s audience and undermining its chief innovation.
As captured by The Verge and crypto-media outlet Coindesk, at least three Nifty Gateway users tweeted pleas for help from the platform between Saturday and early Monday morning. The largest publicly disclosed loss came from a user with the Twitter handle Keyboard Monkey, who alleged that the digital mugger(s) had pilfered more than $150,000 in NFTs from their account, as well as charging “like $20K worth of art” using the credit card on file there.
Another user, Michael Miraflor, claimed that his payment details had been used to buy over $10,000 in new NFTs just before his entire holdings were transferred to two mysterious accounts. One of those accounts, he alleged in a later tweet, included “100s of NFTs, which might be housing other people’s stolen property”; the other, he claimed, was “stealing and selling on the secondary market so the account looks empty.”
Last Monday morning, however, Nifty Gateway released a statement saying its initial investigation had found “no evidence” the platform itself was breached. Instead, it appeared that “a small number of users” had been “impacted by an account takeover” executed by cracking or otherwise acquiring their individual passwords. The platform also pointedly noted that none of the victims were using two-factor authentication (you know, that cybersecurity option where logging in also requires you to verify a unique one-time code sent to your phone or email), making the hackers’ path to pillaging that much easier.
Nifty Gateway did not reply to an email I sent on Thursday requesting additional information on the breach and its fallout. It appears that several of the compromised users managed to recover some of their losses. Still, even these ostensibly happy endings come stapled with major questions about the ultimate fate of the NFT market, for digital art as well as all other crypto-collectibles.
SPLIT DECISION
By last Monday night, Nifty Gateway was back in select victims’ good graces. Keyboard Monkey tweeted that the platform “completely restored 100 percent of the stolen art” to his account. Another user with the handle Lt. Crandog (who went public about being breached two days earlier) reported the same regarding all but one of his pilfered tokens.
But not every victim received satisfaction. Around the same time the buyers above were praising the platform’s responsiveness, Michael Miraflor passed along via Twitter that Nifty Gateway had concluded “it would be ‘unfair’” to reclaim his stolen NFTs from the user who (perhaps unwittingly) bought them from a cyberthief outside of the platform. This communiqué confirmed the understanding he voiced in an earlier tweet, in which he said there was “nothing [he] could do” to right the wrong based on the platform’s terms of service.
Why did these Nifty Gateway users experience such different endings to their seemingly identical dramas? The answer points to an inherent friction in the market for NFTs, especially as they jockey for wider adoption.
To some crypto-purists, NFT marketplace platforms like Nifty Gateway represent something of a paradox about blockchain, the technology underlying non-fungible tokens. The platforms promote blockchain-based collectibles by complicating, if not outright betraying, the philosophical bedrock of blockchains.
Whether we’re talking about crypto-art, cryptocurrencies, or crypto-anything else, the greatest theoretical strength of blockchain arguably doubles as its most dangerous practical weakness: decentralization, AKA the removal of the powerful middlemen who normally wield authority over commercial, societal, and cultural exchanges.
Strictly speaking, you don’t need platforms to buy and sell NFTs. You could even argue that, as online middlemen, these platforms undermine the direct peer-to-peer relationships that NFTs (and other blockchain-centric transactions) were engineered to champion.
But here’s the thing: for the average person in 2021, crypto is still super-complicated to comprehend, let alone actually use, and these platforms make it so much easier to engage with.
It’s just that this ease of use comes with a price—one that sometimes isn’t fully apparent until life on the blockchain goes sideways. This can happen in multiple ways. Based on what we know at this point, though, the Achilles heel in the Nifty Gateway hack appears to have been another technical detail of the NFT trade whose nuances have largely been trampled in the market stampede: the crypto wallet.
PICKING POCKETS
I could spend 2,000 words just unpacking the ins and outs of crypto wallets. Saying they are not the world’s most intuitive concept would be an understatement roughly on par with saying that attempting to become a teenage chess grandmaster is suboptimal for a child’s long-term social development. To understand the role of crypto-wallets in the Nifty Gateway hack, however, we can get away with discussing just three main points.
First, anyone who wants to buy and sell crypto-assets (including NFTs) needs a crypto wallet. Broadly speaking, the wallet is a digital repository for the data that controls the owner’s crypto-assets, just like a physical wallet is a repository for cash and credit cards.
Second, every crypto-wallet comes equipped with what are known as a public key and a private key. Each key is a unique alphanumeric code. Functionally, what differentiates them is the permissions they grant.
The most common analog for the public key is a bank account number (and routing number, if you want to be super technical). Circulating the public key allows you and a counterparty to exchange assets. But crucially, it does not allow the counterparty to access the rest of what lives inside that account. For a traditional art market reference point, think about a dealer’s invoice to a collector for a new work: the bank details enable the collector to pay, but not to infiltrate and fraudulently empty the dealer’s account.
In this comparison, then, a private key is like the password and PIN to the same bank account; anyone who has it enjoys free rein over the assets inside, whether they are the rightful owner of the account or a straight-up criminal.
This leads us to the third point: every account on Nifty Gateway comes equipped with its own crypto wallet. Buy an NFT in the marketplace, and the corresponding data automatically appears in your platform-hosted repository. As the provider of this wallet, Nifty Gateway also has a record of the private key controlling access to everything inside it.
Without this service, every user would have to set up an external crypto wallet somewhere else—a process that would raise all kinds of brain-scrambling questions for the less technology adept.
For instance, do you want to self-host a wallet or sign up for one hosted by another platform? If you self-host, do you want a cold wallet or a hot wallet? How do you go about connecting your externally hosted wallet to the Nifty Gateway marketplace? Most important of all, are you sure you can keep the private key to your wallet safe, or do you run the risk of losing it outright, perhaps inadvertently locking yourself out of millions of dollars in crypto-assets forever?
Nifty Gateway and other NFT platforms prevent users from having to muddle through these quandaries, which makes buying and selling crypto-collectibles inordinately friendlier. But all of these friendly services are centralizing functions—and as last weekend’s hack suggests, what makes them valuable is also what gives them the capacity to backfire on both a practical and philosophical level.
POINTING THE FINGER
Because the breached users’ NFTs were all stored in their Nifty Gateway-hosted crypto wallets, all the cyberthieves needed to gain access to them was the same type of username and password combination we all have on a million different e-commerce sites across the web. Not only was a separate private key unnecessary; not even two-factor authentication was there to slow them down, as Nifty Gateway’s statement about the hack made sure to point out.
But if the digital ski-mask crowd broke into all the affected accounts the same way, why were only some of them able to get back their stolen NFTs?
Although we can’t say for sure without corroboration from Nifty Gateway, Benjamin Powers at Coindesk surmised (rightly, I think) that the deciding factor in whether or not the platform could claw back the pilfered tokens hinged on the hackers’ getaway plans.
If the assailants themselves had only gone so far as to transfer the looted NFTs to other Nifty Gateway accounts (and possibly tried to offload them within the platform), then the NFTs were still inside crypto wallets hosted by the platform. This would have meant Nifty Gateway still held the private keys to those wallets, in theory enabling staff to retrieve what had been taken and return it to the victimized previous owners.
However, it sounds like there were select cases where the hackers moved the heisted tokens to external crypto wallets. Since Nifty Gateway would not have the private key to a wallet hosted outside of its own platform, it would be powerless to unlock the receiving wallet and reverse the transfers.
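The key mechanics laid out under PICKING POCKETS (a public key you can hand out, a private key that actually spends) and the claw-back logic just described (the platform can only reverse a transfer while the receiving wallet is one whose private key it holds) can be seen together in one small model. The following is an added toy simulation written for this column, not Nifty Gateway's code and not anything the platform has published: the signature scheme is a textbook Schnorr signature over a deliberately tiny group, the ledger is a dictionary standing in for the chain, and the usernames, passwords and token ids are constructed.

```python
"""Toy model: custodial (platform-hosted) NFT wallets vs. an external wallet.
Constructed illustration, not Nifty Gateway's code. The Schnorr signature
below runs over a tiny group and is NOT secure; it only shows the asymmetry."""
import hashlib
import hmac
import secrets

P = 2**127 - 1  # toy prime (constructed); exponents live modulo P - 1
G = 3           # toy generator


def keygen():
    """Private key = random exponent; public key = G**sk mod P (safe to share)."""
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)


def _challenge(r, message):
    data = r.to_bytes(16, "big") + message
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (P - 1)


def sign(sk, message):
    """Only the holder of sk can produce (r, s) that verifies for pk."""
    k = secrets.randbelow(P - 2) + 1
    r = pow(G, k, P)
    return r, (k - sk * _challenge(r, message)) % (P - 1)


def verify(pk, message, sig):
    r, s = sig
    return (pow(G, s, P) * pow(pk, _challenge(r, message), P)) % P == r


class Ledger:
    """Stand-in for the chain: token id -> owner public key. A transfer is
    accepted if signed by the current owner's private key, whoever holds it;
    the ledger has no notion of a 'rightful' owner and no admin to appeal to."""
    def __init__(self):
        self.owner = {}

    def transfer(self, token, to_pk, sig):
        if not verify(self.owner[token], f"{token}->{to_pk}".encode(), sig):
            return False
        self.owner[token] = to_pk
        return True


class CustodialPlatform:
    """Platform-hosted wallets: the platform generates and keeps each user's
    private key behind a password (plus optional 2FA), so an account takeover
    is all an attacker needs to spend what is inside."""
    def __init__(self, ledger):
        self.ledger, self.accounts = ledger, {}

    def register(self, user, password, otp_secret=None):
        sk, pk = keygen()
        salt = secrets.token_bytes(16)
        self.accounts[user] = {"salt": salt, "sk": sk, "pk": pk, "otp": otp_secret,
                               "pw": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)}
        return pk

    def _authenticate(self, user, password, otp):
        a = self.accounts[user]
        pw = hashlib.pbkdf2_hmac("sha256", password.encode(), a["salt"], 100_000)
        if not hmac.compare_digest(pw, a["pw"]):
            return False
        return a["otp"] is None or otp == a["otp"]   # 2FA only if enabled

    def send(self, user, password, token, to_pk, otp=None):
        """Whatever a logged-in user can do, whoever has the password can do."""
        a = self.accounts[user]
        if not self._authenticate(user, password, otp) or self.ledger.owner[token] != a["pk"]:
            return False
        return self.ledger.transfer(token, to_pk, sign(a["sk"], f"{token}->{to_pk}".encode()))

    def recover(self, token, victim):
        """Claw-back works only while the token sits in a wallet whose
        private key the platform itself holds."""
        hosted = {a["pk"]: a for a in self.accounts.values()}
        holder = hosted.get(self.ledger.owner[token])
        if holder is None:
            return False   # external wallet: nothing the platform can sign with
        to_pk = self.accounts[victim]["pk"]
        return self.ledger.transfer(token, to_pk, sign(holder["sk"], f"{token}->{to_pk}".encode()))


def run_scenario():
    """Two victims whose passwords leak (constructed); only bob enabled 2FA."""
    ledger = Ledger()
    platform = CustodialPlatform(ledger)
    alice_pk = platform.register("alice", "hunter2")
    bob_pk = platform.register("bob", "correct horse", otp_secret="493017")
    mule_pk = platform.register("mule", "x")      # attacker's on-platform account
    _, external_pk = keygen()                     # attacker's self-custodied wallet
    ledger.owner.update({"T1": alice_pk, "T2": alice_pk, "T3": bob_pk})
    return {
        "alice_to_mule": platform.send("alice", "hunter2", "T1", mule_pk),
        "alice_to_external": platform.send("alice", "hunter2", "T2", external_pk),
        "bob_without_otp": platform.send("bob", "correct horse", "T3", external_pk),
        "recover_T1": platform.recover("T1", "alice"),   # still platform-hosted
        "recover_T2": platform.recover("T2", "alice"),   # gone off-platform
        "T1_back_with_alice": ledger.owner["T1"] == alice_pk,
        "T2_back_with_alice": ledger.owner["T2"] == alice_pk,
    }
```

Running `run_scenario()` plays out the two endings the column contrasts: the token parked in another platform-hosted wallet comes back because the platform still holds that wallet's private key, the token moved to an external wallet does not, and the one account with a second factor enabled is never emptied in the first place.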
Nor is there any greater blockchain watchdog Nifty Gateway could appeal to for justice on its users’ behalf. Remember, decentralization is the point of crypto! Powers captures this dissonance well here:
For people (and let’s be honest, that’s most of us) who are raised in a world of centralized bodies and authorities, it’s hard to envision a situation where someone can make off with your digital art from an online museum, and then display it or sell it as if they themselves legitimately own it.
In crypto, however, possession is 10/10ths of the law.
Miraflor’s situation is especially reflective of this tension. Since he alleged his stolen NFTs were transferred externally, then flipped through private transactions on the chat app Discord, they were beyond Nifty Gateway’s reach. Yet he reported that American Express had reversed the more than $10,000 in fraudulent NFT purchases made using the card on file in his commandeered account.
Ironically, this becomes a perfect example of why civilization created central authorities in the first place: when something goes wrong, most of us like knowing that someone has the power to set it right.
Miraflor also announced last weekend that he was on his way to make a police report about the theft, as well as to file a claim with the insurance carrier responsible for his physical collection. It’s unclear whether either of these other central authorities has the slightest ability or inclination to address a perceived wrong on the blockchain—not just in Miraflor’s case, but in a vast array of others linked to concepts like larceny, copyright, insider trading, and more.
Concerns about these same issues continue to tamp down participation in the legacy art trade despite the fact that established backstops and referees theoretically exist. What does it mean for the medium and long-term future of NFTs that the crypto ecosystem places an even greater burden on the individual to protect themselves by design? How much will blockchain entrepreneurs be willing to subvert the technology’s “trustless,” decentralized ethos if they fear it could prevent wide and lasting adoption?
In this sense, it’s notable that some crypto-purists have already questioned whether Nifty Gateway violated foundational crypto thinking by intervening as it did last weekend. The same can be said for other potential solutions mentioned by Powers, including coding NFTs with “kill switches” that could disrupt fraudulent transfers, or creating blacklists that could drive down the value of NFTs reported as stolen.
By resurrecting exactly the type of oversight capabilities blockchain was created to transcend, each of these options points to what may be my only certainty about this runaway train: the ultimate trajectory of the NFT trade will be determined by the same collision between profit potential and abstract principles that has defined the path of the traditional art market, Big Tech, and perhaps every other economic sector in human history. Buckle up.
That’s all for this week. ‘Til next time, remember: under enough pressure, every chain can eventually be broken.