WakeMint: Detecting Sleepminting Vulnerabilities in NFT Smart Contracts
The non-fungible tokens (NFTs) market has evolved over the past decade, with NFTs serving as unique digital identifiers on a blockchain that certify ownership and authenticity. The trading attributes of NFTs have drawn many users and investors. However, their high value also attracts attackers who exploit vulnerabilities in NFT smart contracts for illegal profits, thereby harming the NFT ecosystem. One notable vulnerability in NFT smart contracts is sleepminting, which allows attackers to illegally transfer others’ tokens. Although some research has been conducted on sleepminting, these studies are predominantly qualitative analyses or based on historical transaction data. There is a lack of understanding from the contract code perspective, which is crucial for identifying such issues and preventing attacks before they occur.
To address this gap, in this paper, we categorize the sleepminting issue and find four distinct types of sleepminting in NFT smart contracts. Each type is accompanied by a comprehensive definition and illustrative code examples to provide a clear understanding of how these vulnerabilities manifest within the contract code. Furthermore, to help detect the defined defects before the sleepminting problem occurrence, we propose a tool named WakeMint, which is built on a symbolic execution framework. WakeMint is designed to be compatible with both high and low versions of Solidity, ensuring broad applicability across various smart contracts. The tool also employs a pruning strategy to shorten the detection period. Additionally, WakeMint gathers some key information, such as the owner of an NFT and emissions of events related to the transfer of the NFT’s ownership during symbolic execution. Then, it analyzes the features of the transfer function based on this information so that it can judge the existence of sleepminting. We ran WakeMint on 11,161 real-world NFT smart contracts and evaluated the results. We found 115 instances of sleepminting issues in total, and the accuracy of our tool is 87.8%.