WakeMint: Detecting Sleepminting Vulnerabilities in NFT Smart Contracts

TL;DR

This paper introduces WakeMint, a symbolic execution-based tool that detects sleepminting vulnerabilities in NFT smart contracts by analyzing code features, achieving high precision on real-world data.

Contribution

It categorizes four types of sleepminting vulnerabilities, provides illustrative code examples, and presents WakeMint, a novel detection tool for preemptively identifying these issues.

Findings

Detected 115 sleepminting issues in 11,161 contracts

Achieved 87.8% precision in vulnerability detection

Demonstrated effectiveness across different Solidity versions

Abstract

The non-fungible tokens (NFTs) market has evolved over the past decade, with NFTs serving as unique digital identifiers on a blockchain that certify ownership and authenticity. However, their high value also attracts attackers who exploit vulnerabilities in NFT smart contracts for illegal profits, thereby harming the NFT ecosystem. One notable vulnerability in NFT smart contracts is sleepminting, which allows attackers to illegally transfer others' tokens. Although some research has been conducted on sleepminting, these studies are basically qualitative analyses or based on historical transaction data. There is a lack of understanding from the contract code perspective, which is crucial for identifying such issues and preventing attacks before they occur. To address this gap, in this paper, we categoriz four distinct types of sleepminting in NFT smart contracts. Each type is accompanied by a comprehensive definition and illustrative code examples to provide how these vulnerabilities manifest within the contract code. Furthermore, to help detect the defined defects before the sleepminting problem occurrence, we propose a tool named WakeMint, which is built on a symbolic execution framework and is designed to be compatible with both high and low versions of Solidity. The tool also employs a pruning strategy to shorten the detection period. Additionally, WakeMint gathers some key information, such as the owner of an NFT and emissions of events related to the transfer of the NFT's ownership during symbolic execution. Then, it analyzes the features of the transfer function based on this information so that it can judge the existence of sleepminting. We ran WakeMint on 11,161 real-world NFT smart contracts and evaluated the results. We found 115 instances of sleepminting issues in total, and the precision of our tool is 87.8%.