Tips for Avoiding Music NFT Scams – Billboard

One evening in July, panic spread in a small corner of the Web3 music space. Mysteriously, $6.1 million worth of cryptocurrency began moving out of blockchain music service Audius’ company coffers to an unknown wallet. Audius was hacked.

The hacker discovered a bug that allowed them to take control of the Audius vault – the crypto equivalent of a shared bank account – and transfer all of the funds to their own crypto address. The bug had lived in the code for two years.

This looks set to be the worst year ever for crypto hacks, according to Chainalysis, with over 125 major hacks exceeding $3 billion in total, on track to surpass the $3.2 billion total of 2021.

Meanwhile, phishing scams continue to drain NFT wallets at an alarming rate. “Everything is incredibly uncertain,” says Sam Williams, founder of blockchain storage platform Arweave and a self-proclaimed “hacker,” though he uses the term as a broad description for coders. “We’re in the hackers’ Wild West of Web3 right now.”

Since the popularity of NFTs and cryptocurrencies like Bitcoin took off in early 2021, things have only gotten worse, creating a honeypot for hackers. “There was a lot of fluff brought in during the hype cycle last year,” says Williams, “and that usually lowers safety standards for a period of time.” Teams scrambled to ship products live to capitalize on the flow of new money and paid too little attention to security.

For music companies or artists entering the space, the consequences of a hack can be huge. Audius took a $6 million financial hit, but it’s more than just money. An exploit could also damage the trust of music fans and undermine the entire promise of Web3. Warner Music Group considered this dilemma when they launched the Stickmen Toys NFT collection earlier this year. “No matter how much time, how many resources or how many good intentions go into a project, if there is a security breach, it can damage the project and the team’s reputation,” says Jillian Rothman, Warner’s Director of New Business and Enterprise, Business Development.

The stakes of hacking are higher in Web3 than in today’s internet because customers are at direct risk of losing their money. If there is a malicious link in a Discord server, dozens of community members can have NFTs or cryptocurrency stolen from their wallets. If there is an error in the code, users can have their money cryptographically locked with no recourse. The community backlash from these security incidents can be so severe and costly that Web3 teams often resort to reimbursing users out of pocket. So where are the biggest risks and what can music companies do to protect themselves and their artists?

Experts say the main vulnerabilities for the NFT space lie in smart contracts. These are programs written by developers on top of blockchains like Ethereum that hold funds and perform transactions – such as paying out royalties on secondary sales. “Smart contracts are just buggy and exploitable,” says Nic Carter — partner at Castle Island Ventures, a VC firm with multiple Web3 music investments. “Things are so new in the crypto space that developers are still learning the best practices for security.”

One NFT project, for example, Aku, by former MLB player Micah Johnson, got $34 million locked into a smart contract because of a small bug in the code. The money was never recovered.

One way to immediately reduce the risk is to operate with transparency. “It should be damn open source,” Williams says, so anyone can check and verify the code. “There’s no point trying to hide it. Better you find [bugs] early so you can fix them.” Blockchains like Ethereum are transparent by nature, so hackers will find exploits if companies go live with buggy code. Better to test it openly on so-called testnets before deploying it with real money and high stakes. While building publicly can take away an element of surprise when it comes to marketing, it’s a small price to pay for added security, plus smart contracts should be auditable by outside developers.

Then there is the risk of customers having their wallets hacked. “[Crypto wallets are] probably the No. 1 risk,” for newcomers, Carter says. “A bad wallet setup or a key management failure – that’s probably been responsible for the biggest loss of funds.” Companies can keep the community safe by highlighting the risks and educating music fans who enter the space.

Carter recommends that anyone who interacts with crypto use a hardware wallet, a USB device that disconnects from the computer and the Internet. They should also limit the funds kept in a “hot wallet,” such as MetaMask, which can be easily compromised through malicious links. “The NFT space is really aggressively targeted by phishing,” he warns. “I think because it was mainstreamed so quickly … it meant a lot of people didn’t have a lot of experience with [wallet] management.” He also suggests using two-factor authentication on all crypto-related accounts and advises against clicking on unfamiliar links.

The team at Warner implemented this in practice by using a “security page” on the projects’ Discord servers. Users must read this page before entering. It explains best practices and alerts the community on how to spot fraud. “In an emerging space, bad actors prey on unsuspecting members of society,” says Sebastian Simone, Warner’s vp of audience and strategy. “It will take longer for Web3 to become mainstream if people have negative experiences.”

More importantly, however, failure of wallets and smart contracts does not imply a failure of the blockchain itself. “It’s extremely rare for the blockchain itself to be hacked,” Carter says. It is the code and applications on top of the blockchains that pose the biggest security threat.

Carter and Williams are both optimistic that these security concerns will diminish in the coming years through standardized contracts and simpler code, but the young industry is still learning the hard way. With each new exploit, developers learn where the vulnerabilities are and adopt safer practices for the future.

As Carter puts it, “Safety rules are written in blood.”
