TLDR
Sometimes NFT metadata is stored on centralized servers and is therefore under the control of the server's owners. We developed a prototype tool that fetches the NFT metadata and tries to discover whether the NFT is susceptible to this kind of vulnerability. The prototype is available at nftauditor.tech. It already integrates with Rarible URLs but is far from ready for production use. We are looking for a grant to evolve this technology so that NFT users can be made aware of this and other security problems.
Problem / Opportunity
In NFTs, the creator registers the metadata URI, which provides the data that represents the digital asset. The metadata URI is stored on the blockchain and should be immutable to guarantee the ownership and integrity of the digital asset. However, the metadata URI may point to an external, dynamic web2 server, so the data returned by the URI can change even though the URI itself cannot. Mutable NFT metadata is a serious problem: the digital asset can be changed or become unavailable, which can lead to fraud, theft, or loss of digital assets. Das et al. [1] researched security problems in the NFT ecosystem. They found that, in a selection of about 8 million NFTs on OpenSea, 80.69% have a metadata URI pointing to services other than IPFS, i.e., possibly centralized servers.
Funding Milestones and Payments
We have already developed a working prototype of NFT Auditor, an open-source tool for checking NFT metadata for changeability. The project's current status is a working prototype hosted at nftauditor.tech, which can integrate with Rarible URLs and retrieve data directly from NFT contracts. We are seeking grants/funding to evolve the project and deliver the following scope:
- Improve the accuracy of results and move from a prototype to a reliable service.
- Improve connectivity, (a) to download metadata not only over HTTP but also from other services such as IPFS, and (b) to work with every blockchain network from which Rarible serves NFTs. Currently, we only support Ethereum.
- Improve the user experience by migrating from a website to a browser plugin. We expect to provide a reliable browser plugin that integrates with NFT marketplaces and alerts users about metadata changeability.
Milestone 1 – Improve Reliability - 1 month - 5K USD
Define a dataset collection strategy that guarantees diversity among the NFTs collected. Collect an NFT dataset of at least 1000 NFTs and manually classify each one as centralized or decentralized. Use the curated dataset to improve the rules that decide whether the metadata is stored on a centralized or a decentralized service. Integrate those rules into the application. Perform exploratory tests to verify that they work as expected. We intend to achieve at least 95% accuracy in the classification.
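To make the problem statement above and the classification rules of Milestone 1 concrete, here is an added example, written for this page and not the NFT Auditor project's own code. It applies a small rule set to a tokenURI and to the `image`/`animation_url` fields of its metadata and reports the weakest link, since an `ipfs://` metadata file whose image is served from an HTTP host is still mutable from the buyer's point of view. The CID regexes, the hostnames (`ipfs.example.com`, `api.example.com`), the sample CID and all sample metadata are constructed placeholders; a syntactically valid CID only shows that the content is addressed by hash, not that anyone is still pinning it.

```javascript
'use strict';
// Added example for this page, not the NFT Auditor project's code.
// Rule-based check: is an NFT's tokenURI (and the image it points to)
// content-addressed/inline, and therefore immutable, or served by a
// mutable HTTP server? Runs offline on constructed sample URIs.

// CID syntax only; a syntactically valid CID is not proof the content is pinned.
const CIDV0 = /^Qm[1-9A-HJ-NP-Za-km-z]{44}$/; // base58btc, sha2-256 multihash
const CIDV1 = /^b[a-z2-7]{58,}$/;             // base32 CIDv1 (bafy..., bafk...)

function looksLikeCid(s) {
  return CIDV0.test(s) || CIDV1.test(s);
}

// Verdicts: 'decentralized' (content-addressed or inline), 'centralized'
// (a server picks the response), 'unknown' (cannot be decided offline).
function classifyUri(uri) {
  const u = String(uri || '').trim();
  if (u === '') return { verdict: 'unknown', reason: 'empty URI' };
  if (u.startsWith('data:')) {
    return { verdict: 'decentralized', reason: 'inline data: URI stored in the contract' };
  }
  if (u.startsWith('ipfs://')) {
    const cid = u.slice('ipfs://'.length).replace(/^ipfs\//, '').split('/')[0];
    return looksLikeCid(cid)
      ? { verdict: 'decentralized', reason: 'ipfs:// scheme with CID', cid }
      : { verdict: 'unknown', reason: 'ipfs:// scheme without a recognizable CID' };
  }
  if (u.startsWith('ar://')) {
    return { verdict: 'decentralized', reason: 'ar:// (Arweave) content address' };
  }
  let url;
  try { url = new URL(u); } catch (e) { return { verdict: 'unknown', reason: 'unparseable URI' }; }
  if (url.protocol === 'http:' || url.protocol === 'https:') {
    // Path-style gateway https://host/ipfs/<cid>/..., or subdomain-style
    // https://<base32 cid>.ipfs.host/... (hostnames are lowercased by URL).
    const path = /^\/ipfs\/([^/]+)/.exec(url.pathname);
    const sub = /^([a-z0-9]+)\.ipfs\./.exec(url.hostname);
    const cid = (path && path[1]) || (sub && sub[1]);
    if (cid && looksLikeCid(cid)) {
      return { verdict: 'decentralized', reason: 'IPFS gateway URL with CID (gateway can still go offline)', cid, gateway: url.hostname };
    }
    return { verdict: 'centralized', reason: `HTTP server ${url.hostname} controls the response` };
  }
  return { verdict: 'unknown', reason: `unsupported scheme ${url.protocol}` };
}

// Decode a data: URI carrying JSON metadata (base64 or percent-encoded body).
function parseDataUri(uri) {
  const m = /^data:([^,]*?)(;base64)?,(.*)$/s.exec(uri);
  if (!m) throw new Error('not a data: URI');
  const body = m[2] ? Buffer.from(m[3], 'base64').toString('utf8') : decodeURIComponent(m[3]);
  return JSON.parse(body);
}

const RANK = { decentralized: 0, unknown: 1, centralized: 2 };

// Audit one NFT: the tokenURI plus the `image`/`animation_url` fields of its
// metadata. The overall verdict is the weakest link: ipfs:// metadata whose
// image sits on an HTTP server is still mutable from the buyer's point of view.
function auditNft(tokenUri, metadata) {
  const meta = metadata !== undefined ? metadata
    : (String(tokenUri).startsWith('data:') ? parseDataUri(tokenUri) : null);
  const checks = { tokenUri: classifyUri(tokenUri) };
  if (meta && typeof meta === 'object') {
    for (const field of ['image', 'animation_url']) {
      if (field in meta) checks[field] = classifyUri(meta[field]);
    }
  } else {
    checks.metadata = { verdict: 'unknown', reason: 'metadata body not available offline' };
  }
  const overall = Object.values(checks)
    .reduce((worst, c) => (RANK[c.verdict] > RANK[worst] ? c.verdict : worst), 'decentralized');
  return { overall, checks };
}

// Constructed sample inputs; the CID and hosts are placeholders, not real tokens.
const SAMPLE_CID = 'QmYwAPJzv5CZsnA625s3Xf2nemtYgPpHdWEz79ojWnPbdG';
const SAMPLES = {
  ipfsBoth: [`ipfs://${SAMPLE_CID}/1.json`, { name: 'Token #1', image: `ipfs://${SAMPLE_CID}/1.png` }],
  gatewayMetaHttpImage: [`https://ipfs.example.com/ipfs/${SAMPLE_CID}/2.json`, { name: 'Token #2', image: 'https://cdn.example.com/2.png' }],
  httpApi: ['https://api.example.com/metadata/3', { name: 'Token #3', image: 'https://api.example.com/img/3.png' }],
  onChain: ['data:application/json;base64,' + Buffer.from(JSON.stringify({
    name: 'Token #4',
    image: 'data:image/svg+xml;base64,' + Buffer.from('<svg xmlns="http://www.w3.org/2000/svg"/>').toString('base64'),
  })).toString('base64')],
};

function runSamples() {
  const out = {};
  for (const [name, [uri, meta]] of Object.entries(SAMPLES)) out[name] = auditNft(uri, meta).overall;
  return out;
}

console.log(JSON.stringify(runSamples(), null, 2));
```

Run with `node` to print the four sample verdicts. Two of the rules are deliberately conservative: an IPFS gateway URL is reported as decentralized because the CID fixes the content, but the `gateway` field is kept in the result because that single host can still disappear; and anything the rules cannot decide is reported as `unknown` rather than guessed, which is the case a manually classified dataset such as the one planned for Milestone 1 should be used to resolve.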
Milestone 2 - Improve Connectivity - 1 month - 5K USD
Enable the application to download metadata and images/files from sources other than HTTP, such as IPFS and any other protocols found in the dataset. Add a way to connect to the Ethereum blockchain other than through a MetaMask provider: the user should not need MetaMask installed to use the application, or at least it should not be the only option. Connect to blockchain networks other than Ethereum.
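Reading `tokenURI(uint256)` from an ERC-721 contract does not require a wallet: it is a read-only `eth_call` that any JSON-RPC endpoint will answer. The following added example (written for this page, not the NFT Auditor project's code) builds that call data by hand, assembles the JSON-RPC request, and decodes the ABI-encoded string the node returns. It runs offline on a constructed reply; the contract address and the sample tokenURI are placeholders, and only the function selector `c87b56dd` is a fixed ERC-721 constant.

```javascript
'use strict';
// Added example for this page, not the NFT Auditor project's code.
// tokenURI(uint256) via raw eth_call: no MetaMask, no wallet, just an RPC URL.
// Everything here is computed offline on a constructed reply.

// First 4 bytes of keccak256("tokenURI(uint256)"), the standard ERC-721 selector.
const TOKEN_URI_SELECTOR = 'c87b56dd';

// ABI-encode the call: selector + tokenId as a 32-byte big-endian word.
function encodeTokenUriCall(tokenId) {
  const id = BigInt(tokenId);
  if (id < 0n) throw new Error('tokenId must be non-negative');
  return '0x' + TOKEN_URI_SELECTOR + id.toString(16).padStart(64, '0');
}

// JSON-RPC body that a plain HTTPS POST to any Ethereum node would carry.
function buildEthCallRequest(contract, tokenId, id = 1) {
  return {
    jsonrpc: '2.0',
    id,
    method: 'eth_call',
    params: [{ to: contract, data: encodeTokenUriCall(tokenId) }, 'latest'],
  };
}

// Decode an ABI-encoded `string` return value: word 0 is the byte offset of the
// dynamic part, which holds the length word followed by the UTF-8 bytes, zero-padded.
function decodeAbiString(hexResult) {
  const hex = hexResult.startsWith('0x') ? hexResult.slice(2) : hexResult;
  if (hex.length === 0 || hex.length % 64 !== 0) throw new Error('malformed ABI data');
  const words = hex.length / 64;
  const word = (i) => hex.slice(i * 64, i * 64 + 64);
  const offset = Number(BigInt('0x' + word(0)));
  if (offset % 32 !== 0 || offset / 32 >= words) throw new Error('bad offset');
  const lenWord = offset / 32;
  const length = Number(BigInt('0x' + word(lenWord)));
  const start = (lenWord + 1) * 64;
  if (start + length * 2 > hex.length) throw new Error('string length exceeds data');
  return Buffer.from(hex.slice(start, start + length * 2), 'hex').toString('utf8');
}

// Inverse encoder, used only to construct a sample reply the way a node would return it.
function encodeAbiString(s) {
  const bytes = Buffer.from(s, 'utf8');
  const padded = bytes.toString('hex').padEnd(Math.ceil(bytes.length / 32) * 64, '0');
  return '0x'
    + (32n).toString(16).padStart(64, '0')
    + BigInt(bytes.length).toString(16).padStart(64, '0')
    + padded;
}

// Constructed sample: placeholder contract address and tokenURI, not a real token.
const SAMPLE_CONTRACT = '0x1111111111111111111111111111111111111111';
const SAMPLE_TOKEN_URI = 'https://api.example.com/metadata/1';

function demo() {
  const request = buildEthCallRequest(SAMPLE_CONTRACT, 1);
  const simulatedReply = encodeAbiString(SAMPLE_TOKEN_URI); // what eth_call would return
  return { request, tokenUri: decodeAbiString(simulatedReply) };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the real application the `request` object is POSTed to the RPC URL and the `result` field of the reply goes through `decodeAbiString`. The endpoint then becomes the trust anchor for what the tool reports, so a production auditor should let the user pick the endpoint, cross-check more than one, or fall back to the wallet's provider when one is present.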
Milestone 3 - Browser Plugin Development - Architecture and UX - 1 month - 5K USD
Design and perform the architectural changes needed to move from a web app to a cross-browser plugin. Changes to the interface and to the presentation of data may be needed to improve the user experience of a plugin.
Milestone 4 - Browser Plugin Development - Automated Tests and Doc - 1 month - 5K USD
Resolve connectivity and interaction with other plugins, such as MetaMask, which may require changes as well. Develop automated system tests for the plugin. Produce source code documentation.
Milestone 5 - Browser-Specific Adjustments and Testing - 1 month - 5K USD
Adjustments and testing in Chrome/Chromium/Brave, Opera, and Firefox. Integrate, test, and fix bugs so the plugin runs in those browsers. Develop pipeline tasks for building the plugin for these browsers and deploying new versions to their extension stores. Adapt the automated tests to run in these browsers as well.
Milestone 6 – Operating-System-Specific Adjustments, Testing, and Deployment - 1 month - 5K USD
Testing on Windows, Linux, and Mac. Fix bugs and make any adjustments needed to guarantee that the plugin works in all target browsers on those operating systems. Deploy the browser plugin to the extension stores.
Use of Funds
The funds will be used to develop the software proposed. All milestones can be paid after delivery, minimizing the risk to the Rari Foundation.
Business Model
We plan to use a freemium business model for NFT Auditor. Everything within the scope of this grant will be free. Afterward, we plan to develop new features that will be available only to paid users.
Team Members
The team is composed of Professor Diogo Mendonça and his Computer Science undergraduate students from the Federal Center for Technological Education of Rio de Janeiro (CEFET-RJ), Brazil. All members are familiar with the Ethereum blockchain, JavaScript/TypeScript, and Solidity.
Prof. Diogo Mendonça, Ph.D, PMP - Researcher, Software Architect, and Project Manager. (LinkedIn, GitHub)
He has about 20 years of experience in software development and has worked as developer, software engineer, software architect, and project manager in several projects and companies.
Lucas Cruz - System Analyst and Developer (LinkedIn, GitHub)
Final-semester undergraduate student in Computer Science at CEFET/RJ, currently employed as a full-stack developer. Lucas has two years of experience as a developer. He is one of the original creators of the NFT Auditor software, which began as his final capstone project for the undergraduate Computer Science course at CEFET/RJ, advised by Prof. Diogo.
Leonardo Souza - System Analyst and Developer (LinkedIn, GitHub)
B.Sc. in Computer Science from CEFET/RJ, currently employed as a full-stack developer. Leonardo has two years of experience as a developer. He is one of the original creators of the NFT Auditor software, which began as his final capstone project for the undergraduate Computer Science course at CEFET/RJ, advised by Prof. Diogo.
Accountability
We will attend the community calls to report the status of the project. We will also deliver each milestone in the project repository with proper tags and branches, and notify the Rari Foundation on each milestone delivery.
Why should Rarible DAO fund this?
NFT Auditor will let users feel more secure about the NFTs they buy. It will help assure that the NFTs listed on Rarible marketplaces are trustworthy and fit to be purchased.
Useful Links & Media
References
[1] DAS, Dipanjan et al. Understanding Security Issues in the NFT Ecosystem. In: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. 2022. p. 667-681.