From Vulnerapedia
Jump to navigation Jump to search

A Non-Fungible Token (NFT) is a type of digital asset that represents ownership or proof of authenticity of a unique item or piece of content using blockchain technology. Unlike cryptocurrencies such as Bitcoin or Ethereum, which are fungible and can be exchanged on a one-to-one basis, NFTs are non-fungible, meaning each token has distinct properties that make it irreplaceable and not interchangeable with other tokens. NFTs have gained attention for their ability to represent ownership of digital art, collectibles, virtual real estate, music, videos, and other digital creations. The use of NFTs enables creators and artists to monetize their digital works, and collectors to verify the rarity and provenance of the items they own. NFTs have also sparked discussions about the intersection of technology, ownership, and the value of digital assets.

Keep in mind when integrating an NFT token:

  • If the contract has .(safe)transferFrom, then in 99% of cases from parameter must be msg.sender. Otherwise hacker can take advantage of other user’s appovals and rob them!
  • If there is .transferFrom in the contract, users must not manage the from parameter. Otherwise hacker can take advantage of other user’s appovals and rob them! In 99% of cases from should be just msg.sender.
  • Remember that the OpenZeppelin implementation of ERC721 and ERC1155 vulnerable to reentrancy attacks, since safeTransferFrom functions perform an external call to the user address (onReceived)!
  • On-chain “random” (based on gas cost, block hash, and stuff like that) is unreliable, it can be bypassed (e.g., one can buy specific NFT). Consider using Сhainlink VRF or a custom solution based on something like!


It is an Ethereum standard that describes the most basic NFT contract[1]. There are different popular implementations of it:

  • The most popular is OpenZeppelin's[2]. It has several modifications and is probably the most safe to use, but it may not be optimized enough.
  • Solmate[3]
  • Solady[4]. A modification of the previous two. It heavily optimizes the code with assembly usage but contains several caveats that developers should know[5].
  • Azuki's ERC721A[6]. It allows the minting of several sequential NFTs with almost the same gas usage. The drawback is that the gas won't disappear; it will be paid if one of the NFTs is transferred (for example, on Opensea sale).