Daily Archives: 28 July 2025

Navigating the NFT minefield: landmark security review exposes extensive vulnerabilities

Non-Fungible Tokens, or NFTs, have become a significant part of the digital world, enabling individuals to prove ownership of unique digital assets, such as art, music, and virtual real estate. Thanks to blockchain technology, these digital assets can be bought, sold, and traded securely—or so it was thought. As the NFT market exploded in value, reaching $69 billion, it also attracted hackers and scammers seeking to exploit vulnerabilities in the system. A new study has now delivered the first large-scale review of NFT security, documenting 176 real-world incidents and organising them into 12 types of threats. The findings not only highlight serious risks but also suggest ways to make digital ownership safer and more reliable.

NFTs have revolutionised the way we think about owning digital assets online. From buying digital paintings to collecting rare in-game items, NFTs are now a key part of the Web3 economy. However, their rapid rise has created a gap between innovation and security. Many users are unaware of the dangers they face, including fake projects, scam websites, and hidden bugs in smart contracts. As more money flows into NFTs, the cost of being caught in a scam or attack has grown. There’s an urgent need to understand where the risks lie and how to defend against them.

Published on June 25, 2025, in Blockchain: Research and Applications, the new study comes from researchers at Huazhong University of Science and Technology and Peking University. It’s the first systematisation of knowledge—or SoK—focusing entirely on NFT security. The researchers examined 248 security reports and 35 academic papers, enabling them to study and classify 176 distinct NFT-related attacks and failures. Their work produced a detailed framework that identifies common weaknesses, explains why they’re hard to detect, and offers guidance for fixing them.

The team built a three-layer model to organise NFT threats: the contract layer (where smart contracts run), the market layer (where buying and selling happen), and the auxiliary service layer (which includes websites and tools that support NFT use). Within these layers, they found 12 major types of threats. Some issues originated from bugs in smart contracts, such as reentrancy flaws or inadequate access controls. Others involved shady marketplace behaviour, such as wash trading or “rug pulls”—where a project vanishes with investors’ money. There were also attacks on the supporting tools, such as phishing websites or fake interfaces meant to trick users.

To help combat these problems, the researchers developed several tools. One traces transactions to detect reentrancy attacks, while another uses symbolic execution to identify logic flaws in minting functions. These tools are already helping to spot vulnerabilities before they can be exploited. However, the study also highlights that some of the most common attacks, such as phishing and fake websites, are still being overlooked by academic researchers. By publishing their dataset and security model openly, the team hopes to encourage further study and improvements in both research and industry practices.

Dr. Haoyu Wang, a senior author of the study, said that even though NFTs have proliferated, most people still don’t fully understand where they’re vulnerable. He views this work as a crucial starting point to bridge that gap. The study offers developers the means to build safer platforms, helps collectors recognise warning signs of scams, and urges cooperation between cybersecurity experts and blockchain builders. As NFTs expand into finance, gaming, and online identity, this research represents a significant step in securing their future and establishing trust in digital ownership.

More information: Kai Ma et al, SoK: On the security of non-fungible tokens, Blockchain: Research and Applications. DOI: 10.1016/j.bcra.2024.100268

Journal information: Blockchain: Research and Applications

Provided by Zhejiang University