NFTs and off-chain security
The public nature of blockchain technology means that while every address within a network is pseudonymous, a record of every transaction each address has ever conducted can be easily accessible.
Blockchains like Ethereum and BNB Chain maintain public, accurate records of every transaction conducted, which means that anyone can easily find someone’s transaction history. What keeps users’ privacy is that addresses are long alphanumeric strings with no ties to their identities. This pseudonymity can be easily broken once their identity is linked to their blockchain address.
It can happen voluntarily. For example, when registering with cryptocurrency exchanges, users have to go through know-your-customer (KYC) and anti-money laundering (AML) checks before accessing trading on the platform. Once they deposit funds, their address is linked to their identity, although only the exchange is aware of the link.
It can also happen involuntarily when users accidentally leak some of their information and blockchain sleuths connect the dots. By nature, non-fungible tokens (NFTs) are fundamentally unique and identifiable, which means that if someone is linked to having an NFT, their wallet address and identity may be exposed.
Leaking identifiable information through NFTs
A great example of leaking information accidentally comes from Jimmy Fallon. When American actor and comedian Jimmy Fallon showed off his Bored Ape NFT on national television, he unknowingly revealed his own Ethereum wallet address. However, not every NFT user is a celebrity, but most use social media platforms that support NFTs, such as Twitter.
While having a wallet address exposed isn’t a significant concern in many cases, it may be once NFTs start being used for more sensitive issues such as homeownership or medical records.
As it’s possible to send NFTs to any address on the blockchain, attack vectors open up. Earlier this year, the founder of OMNIA Protocol, Alex Lupascu, exposed a privacy vulnerability in the cryptocurrency space that could have affected over 21 million people — all MetaMask’s users.
The vulnerability allowed an attacker to get a target’s IP address by transferring free ownership of that NFT to it. The hacker could spend as little as $50 to mint and send the NFT in a bid to leak someone’s IP address.
As Lupascu, later on, put it, malicious actors can then use the IP address to create physical threats, which taking into account that they know the person’s addresses and wealth, can involve extortion, theft, and kidnapping.
Lupascu’s research made numerous headlines, including from leading industry publications like Yahoo Finance and Cointelegraph, and forced MetaMask, a product owned by ConsenSys, to act to protect its users.
Maintaining off-chain privacy
As we have previously seen, there are differences between off-chain and on-chain privacy. To maintain privacy, users often turn to mixers and other methods, which work to a certain degree for on-chain privacy. Off-chain privacy is often dismissed.
Whenever we issue a transaction, we first sign it with the private key corresponding to the address we control, proving to other network participants that we own the address making the transaction.
The signed transaction is then submitted to a node that validates it. At this point, the unconfirmed transaction can be seen on network explorers as nodes output the transaction ID. A miner node then accepts the transaction and maintains it in a pool before being included in a block.
Consequently, users’ metadata, IP addresses, and other critical information can be available to the public throughout this process. Linking this metadata with owners of NFTs and additional identifiable information, as seen above, can lead to dire consequences.
The OMNIA Protocol addresses the critical information being leaked and stops bots and other malicious actors from figuring out which transactions belong to who. OMNIA boosts users’ off-chain privacy by leveraging private mempools, which are private endpoints between users and miners, Flashbots, and more.
Holding $OMNIA and using the protocol allows users to boost their off-chain privacy and protect themselves against frontrunning and being targeted for their NFTs. The protocol leverages mixnets to enhance privacy in a manner similar to the one leveraged by the Tor browser to provide a 3-hop circuit designed to protect user privacy.
Omnia augments mixnets through state-of-the-art methods to obfuscate traffic. It also injects decoy traffic to guarantee users’ privacy. On top of that, it’s working on integrating private gateways for the Interplanetary File System (IPFS) for secure accessing NFT content.