The fight against bots & bad actors
In the world of cybersecurity, the last thing you want is to have a target on your back. But every single large-scale concert ticket sale, sneaker drop, NFT drop or anything else that rewards buyers for getting in early has this sort of target on their back.
This essentially means that the whole topic of cybersecurity and bot protection has become an arms race. There is no one-size-fits-all solution. The security measures must evolve with the sophistication of the exploits.
How do you exploit an NFT drop?
In an NFT drop, there are many different attack vectors. But the basic idea is often the same: When there are strongly anticipated NFT drops, there is a good chance of the secondary market price being higher than the initial drop price. In this case, you can benefit by getting as many NFTs as possible from the Mint, essentially removing the chances to mint these NFTs from others.
This also means that every project owner has a high incentive to keep bots at bay to satisfy the actual community that is excited about the project launch.
On Cardano, we've seen various exploits, from simple scripts that send a lot of transactions to pay-in address style NFT drops that were popular in the past to more sophisticated captcha-solvers or even paid click-farms where a group of actual humans spams transactions.
Let's first talk about what a "bot" actually is: A bot is essentially just a computer script that emulates the behaviour of a human and goes through the same steps a lot faster.
Bots are nothing new originating in the crypto space, in fact, the whole botting situation is very similar to other hyped product releases like Sneaker Drops , Concert Ticket Sales, Hardware Launches and other big launches that have been fighting against more and more sophisticated bots for years.
In 2021 the NY Times even reported that "These days, bots are increasingly sophisticated, but so are the defences retailers are implementing to combat them in this high-tech arms race." and wrote an entire article about the "bot wars".
So in the NFT space, we're not the only ones affected by increased bot activity. Everywhere where there is money to be made, bad actors appear and try to find ways to gain an advantage over other users.
There's much to learn from the experience of other providers in the sneaker space, ticketing space or simply big online-shopping providers like Shopify that have been battling bot attacks for years and years. But the main takeaway is that there is no one-size-fits-all solution. There will always be attack vectors, and we must always think about the balance between good user experience and security.
Even enormous companies like Shopify are struggling with this topic.
NMKRs security measures
At NMKR, we've experienced our fair share of exploits and attacks. Since the launch of NMKR Studio, bad actors have tried to find ways around the system.
Back in 2021, when we first introduced the Pay-In addresses, it was pretty easy to write scripts/bots that could send out many transactions to this address in a matter of seconds. There was no anti-bot security whatsoever.
Because of this, we were constantly advocating for using our NMKR Studio API, where there was more flexibility in anti-bot measures. The reason is that the developers integrating the API had the anti-bot measures in their own hands and could implement different levels of security to their liking.
And we've seen notable launches result from that. Some launches used a mechanism where buyers had first to connect their Discord Account to a website, and only then would an NFT be reserved and a unique payment address generated. Or launches like Turf, where the team developed a full own Payment Checkout process integration, an easy Login and KYC system that appears before you can purchase the NFT.
But while we saw these fantastic NMKR Studio API integrations, we also realised that this is not very accessible for non-coders. At NMKR, we always strive for accessibility and onboarding of both new customers and new artists & businesses.
Because of this, we started developing NMKR Pay, our easy-to-integrate payment solution.
In NMKR Pay, we have integrated various wallets, a FIAT payment solution and the option to send payments manually using wallets that do not support a dApp connection like Daedalus and Yoroi Mobile.
The goal of NMKR Pay is to make it as accessible to Non-Crypto users that want to get into the NFT scene as possible. And we believe the overall user experience in NMKR Pay is a testament to this.
Because of NMKR Pays' success, it has also become an attractive target for bad actors who want to cheat the system. NMKR Pay is very accessible; thus, exploiters can experiment with it for a long time and find ways to gain an advantage over others.
We have been upgrading our cyber security and anti-bot measures step by step in anticipation of this and are continuously doing so. First, we added a very high-level firewall to block most illegitimate requests and protect ourselves from DDOS attacks.
On top of that, we engineered NMKR Pay so that it can not easily go down even if millions of requests are being thrown at the page simultaneously. We do so by heavily caching the content and using AWS automatic scaling solutions.
We then added a layer of security by integrating Crowdhandler into our system, an industry-grade queueing system used by a variety of large clients to protect their websites from an overflow of users at the moment of a product launch.
Previous exploits & exploit attempts
The harsh reality is that sophisticated bot systems or click-farms can still overcome all these measures. This is a universal truth not only for NMKR but basically for almost all NFT minting solutions on all blockchains.
The most recent significant bot attack we've seen was with one of the recent Book.io sales. At its peak, we recorded over 1 million website requests simultaneously, most coming from IP addresses in Russia. This does not necessarily mean that the bad actors were actually from Russia; it could also just mean that Russian servers were used.
The good news is that NMKR Pay and the NMKR Studio API did not go down even with all this traffic coming in simultaneously.
Our system rejected over 400 000 Captcha Requests, which means that the absolute majority of automated attempts to reserve an NFT did indeed fail. But the sheer amount of captcha requests clearly shows that captcha-solver tools were used that either use AI or click farms to solve a lot of captchas quickly and allow attackers to reserve NFTs without actually solving the captcha themselves.
The bad news, on the other side, is that we found that two specific addresses were able to purchase a considerable amount of NFTs:
So from the 875 NFTs sold in the mint, around 100 were confirmed Bot purchases.
In our research to learn more about the attackers, we found one particular entity targeting Cardano NFT sales, sneaker drops and NFT sales on other chains.
This entity is called "Octopus Cook", a closed group that accepts a fee from its users and then provides them with a mix of botting tools & access to click-farms. They have been successfully exploiting many Cardano drops, unfortunately not only NMKR drops. They sometimes even post about successful exploits on their Twitter account.
We are confident that other bad actors are targeting NFT drops on Cardano on top of that and heard multiple reports from a single bad actor heavily targeting NMKR drops but we were unable to identify them.
What can you do against exploits right now?
We take this very seriously, so we will introduce more security features and heavily promote the use of our existing anti-exploit tools. Let's take a look at what you can already use in NMKR Studio to make it harder for bad actors to exploit your NFT drops:
1. In the Integration Tab in NMKR Studio, you can now disable the "Send Manually" option in NMKR Pay.
We implemented this feature to allow for more flexibility, and because we saw that in the recent Book.io sales, the "Send Manually" functionality was the main target for bad actors. This, combined with enabling "Multi-Sig" payments, makes it slightly harder for bad actors to spam transactions to NMKR Studio.
While this is not a perfect solution against exploits because multi-sig can be automated easily, it is still making it slightly more complicated for bad actors.
2. On top of that, you can define a "Start Date" for NMKR Pay, meaning that even if the link to NMKR Pay gets leaked, users won't be able to mint any NFTs prematurely.
3. Another measure available in NMKR Studio is the "Buyer must have less than x amount of NFTs from a specific Policy ID." where sellers can specify the policy ID of the current project and at least force exploiters to use multiple different addresses.
4. We can set up custom queues for particularly big launches. These queues can currently only be set up by the NMKR team and not by the projects themselves, so if you want to have a queue specific to your drop, feel free to message us directly.
5. Another option available to users of NMKR Studio is to generate unique links for each NFT and then distribute those links, which are only available once to users who, e.g. registered for a sale beforehand via Discord, Email, etc.
We also increased the rate limit per IP address, making it more difficult for attackers to bot using the same IP address, forcing them to build more complex systems and have added a few more security measures behind the scenes that we can not disclose in an article like this to not give away too much information for potential bad actors.
But even with all these measures, attack vectors will still exist, and bots can still exploit mints if they're sophisticated enough. To our knowledge, there is currently no system on Cardano that is 100% secure against bots. As mentioned before, it is an arms race.
Because of this, we are working on multiple other improvements, the two major ones being:
1. We will be introducing more complex sale conditions specifying, e.g. how active an address has been in the past, to prevent burner addresses and require a certain level of activity before being able to participate in a drop.
2. Another big feature on our roadmap is the introduction of the NMKR Account system integrated inNMKR Pay that'll allow project creators in NMKR Studio to set it as a requirement that purchasers have to be logged into the account, have their Social Accounts connected to it, or have done KYC before being able to participate in the drop.
We believe that solid KYC is the only way for drops to guarantee a low percentage of exploits. But because we also know that the crypto space is not very appreciative of KYC as a whole, this will be completely optional and can be enabled or disabled by project owners.
Bot-Security is an arms race. The exploits will become more sophisticated, as well as the defence mechanisms. NMKR Studio offers a variety of tools to make public NFT launches fairer, and we will continue adding more features behind the scenes and more options for the users to prevent exploits.
That being said, the only true way to prevent most exploits is through a sophisticated KYC process. We will integrate this optionally by expanding the NMKR Account system to NMKR Pay. By doing so, we'll be giving a reliable tool to the project owners' hands so that they have more flexibility in choosing their defence mechanisms against bots, click farms and other exploits.
Thank you for reading!