NFTDELTA: Detecting Permission Control Vulnerabilities in NFT Contracts through Multi-View Learning
Hailu Kuang, Xiaoqi Li, Wenkai Li, Zongwei Li

TL;DR
NFTDELTA is a novel framework that combines static analysis and multi-view learning to effectively detect permission control vulnerabilities in NFT contracts, significantly improving security in NFT ecosystems.
Contribution
It introduces a multi-view learning approach using CFG-based features from static analysis to identify permission vulnerabilities in NFT contracts.
Findings
Detected 241 permission control vulnerabilities in 795 NFT collections.
Achieved an average precision of 97.92% and an F1-score of 81.09%.
Demonstrated high reliability, efficiency, and scalability of NFTDELTA.
Abstract
Permission control vulnerabilities in Non-fungible token (NFT) contracts can result in significant financial losses, as attackers may exploit these weaknesses to gain unauthorized access or circumvent critical permission checks. In this paper, we propose NFTDELTA, a framework that leverages static analysis and multi-view learning to detect permission control vulnerabilities in NFT contracts. Specifically, we extract comprehensive function Control Flow Graph (CFG) information via two views: sequence features (representing execution paths) and graph features (capturing structural control flow). These two views are then integrated to create a unified code representation. We also define three specific categories of permission control vulnerabilities and employ a custom detector to identify defects through multi-view feature similarity analysis. Our evaluation of 795 popular NFT collections…
