NFT Smart Contract Vulnerabilities

NFT smart contract vulnerabilities are bugs that affect NFT ownership, minting, transfers, approvals, metadata, royalties, or marketplace integrations.

These are the bugs that let NFTs be minted, moved, changed, or valued in ways the project did not intend.

NFT Smart Contract Vulnerabilities Explained in Detail

NFT vulnerabilities often sit around ownership and scarcity. The contract promises that only certain users can mint, each token has a valid owner, supply limits hold, and metadata changes follow the rules.

The risky parts are usually not exotic. They are weak mint checks, broad operator approvals, unsafe receiver hooks, mutable metadata, broken allowlists, and marketplace assumptions.

Smart contract example

function mint() external {
    require(!minted[msg.sender], "already minted"); // check
    _safeMint(msg.sender, nextId++);                // interaction: calls onERC721Received on a contract receiver
    minted[msg.sender] = true;                      // effect recorded only after the external call
}

Because _safeMint invokes the receiver's onERC721Received hook before minted[msg.sender] is set, a contract receiver can reenter mint() from inside that hook and pass the check again, minting more than once before the limit is recorded.
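The same one-mint-per-wallet rule written both ways, as an added example that is not part of the original page: the vulnerable contract keeps the ordering shown above, the hardened one records the effect before the external call and adds OpenZeppelin's reentrancy guard. It assumes OpenZeppelin Contracts v5 import paths; the contract and token names are placeholders.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not code from the page. Assumes OpenZeppelin Contracts v5 paths.
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

/// Vulnerable: the interaction (_safeMint -> onERC721Received) runs before the
/// effect (minted[msg.sender] = true), so a contract receiver that calls mint()
/// again from inside the hook still passes the require.
contract VulnerableOneMint is ERC721 {
    mapping(address => bool) public minted;
    uint256 public nextId;

    constructor() ERC721("Vuln", "VULN") {}

    function mint() external {
        require(!minted[msg.sender], "already minted");
        _safeMint(msg.sender, nextId++);   // external call to the receiver happens here
        minted[msg.sender] = true;         // limit recorded too late
    }
}

/// Hardened: checks-effects-interactions ordering, plus nonReentrant as a second layer
/// in case a later refactor moves the external call earlier again.
contract HardenedOneMint is ERC721, ReentrancyGuard {
    mapping(address => bool) public minted;
    uint256 public nextId;

    constructor() ERC721("Safe", "SAFE") {}

    function mint() external nonReentrant {
        require(!minted[msg.sender], "already minted"); // check
        minted[msg.sender] = true;                       // effect
        uint256 id = nextId++;
        _safeMint(msg.sender, id);                       // interaction last
    }
}
```

A regression test for this pair is a contract receiver whose onERC721Received calls mint() again: against VulnerableOneMint it ends up holding two tokens, against HardenedOneMint the nested call reverts (on the guard, and on the require even without the guard) and the whole mint is rolled back.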

NFT Smart Contract Vulnerabilities in Auditing

NFT contracts can hold meaningful value even when the code is small. A single missed check can break supply caps, token ownership, allowlists, or marketplace safety.

Auditors review NFT contracts with special attention to reentrancy, access control, weak randomness, and Merkle proof usage.

Red flags in code

  • Public minting has no cap, price check, or eligibility check.

  • Metadata can be changed by an unexpected caller.

  • Receiver hooks run before mint limits or ownership state is finalized.

  • setApprovalForAll behavior is customized without careful review.

  • Random token assignment uses predictable block data.

How to test or review it

  • Test unauthorized minting, transfers, burns, and metadata updates.

  • Try reentrancy through ERC721 and ERC1155 receiver hooks.

  • Check supply caps, per-wallet caps, allowlist proofs, and sale phase transitions.

  • Review approval and operator flows used by marketplaces.

  • Verify metadata behavior before mint, after mint, after burn, and after admin updates.
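A drop contract that addresses the red flags listed above and gives the review steps something concrete to exercise, as an added example that is not part of the original page: hard supply cap, per-wallet cap, exact price check, sale phases, a Merkle-proof allowlist, owner-only metadata updates that can be frozen, sequential token ids instead of block-data randomness, and the inherited setApprovalForAll left untouched. It assumes OpenZeppelin Contracts v5 import paths; the name GatedDrop and the cap and price constants are placeholders.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not code from the page. Assumes OpenZeppelin Contracts v5 paths.
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";
import {MerkleProof} from "@openzeppelin/contracts/utils/cryptography/MerkleProof.sol";

contract GatedDrop is ERC721, Ownable, ReentrancyGuard {
    enum Phase { Closed, Allowlist, Public }

    uint256 public constant MAX_SUPPLY = 1000;   // hard supply cap (placeholder value)
    uint256 public constant MAX_PER_WALLET = 2;  // per-wallet cap (placeholder value)
    uint256 public constant PRICE = 0.05 ether;  // mint price (placeholder value)

    Phase public phase;            // sale phase gate, owner-controlled
    bytes32 public merkleRoot;     // allowlist root, owner-controlled
    uint256 public totalMinted;    // sequential ids: no block.timestamp / prevrandao "randomness"
    string private _baseTokenURI;
    bool public metadataFrozen;    // once true, the base URI can never change again

    mapping(address => uint256) public mintedBy;

    event BaseURIUpdated(string newBaseURI);
    event MetadataFrozen();

    constructor(string memory baseURI_) ERC721("GatedDrop", "GD") Ownable(msg.sender) {
        _baseTokenURI = baseURI_;
    }

    // ---- admin: every state change is owner-only and emits an event for monitoring ----
    function setPhase(Phase p) external onlyOwner { phase = p; }
    function setMerkleRoot(bytes32 root) external onlyOwner { merkleRoot = root; }

    function setBaseURI(string calldata uri) external onlyOwner {
        require(!metadataFrozen, "metadata frozen");
        _baseTokenURI = uri;
        emit BaseURIUpdated(uri);
    }

    function freezeMetadata() external onlyOwner {
        metadataFrozen = true;
        emit MetadataFrozen();
    }

    // ---- minting: phase gate, then shared cap/price checks ----
    function allowlistMint(uint256 qty, bytes32[] calldata proof) external payable nonReentrant {
        require(phase == Phase.Allowlist, "allowlist closed");
        // Double-hashed leaf so an internal proof node can never be presented as a leaf.
        bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(msg.sender))));
        require(MerkleProof.verify(proof, merkleRoot, leaf), "not allowlisted");
        _mintChecked(qty);
    }

    function publicMint(uint256 qty) external payable nonReentrant {
        require(phase == Phase.Public, "public sale closed");
        _mintChecked(qty);
    }

    // Checks and effects are complete before the first receiver hook fires.
    function _mintChecked(uint256 qty) internal {
        require(qty > 0 && mintedBy[msg.sender] + qty <= MAX_PER_WALLET, "wallet cap");
        require(totalMinted + qty <= MAX_SUPPLY, "sold out");
        require(msg.value == PRICE * qty, "wrong payment");
        mintedBy[msg.sender] += qty;               // effects first
        uint256 firstId = totalMinted;
        totalMinted += qty;
        for (uint256 i = 0; i < qty; i++) {
            _safeMint(msg.sender, firstId + i);    // interaction last
        }
    }

    function withdraw() external onlyOwner {
        (bool ok, ) = payable(owner()).call{value: address(this).balance}("");
        require(ok, "withdraw failed");
    }

    // tokenURI is inherited: it reverts for unminted or burned ids and
    // returns _baseURI() + tokenId for live ones, so metadata behaviour
    // before mint, after mint and after burn follows directly from this one override.
    function _baseURI() internal view override returns (string memory) {
        return _baseTokenURI;
    }
}
```

Mapped onto the review checklist: unauthorized minting is covered by the phase and proof checks, metadata updates by onlyOwner plus the frozen flag, reentrancy by effects-before-_safeMint and nonReentrant, caps and phase transitions by the constants and setPhase, and approval flows by not overriding setApprovalForAll at all. Each guard has a matching negative test: call it from the wrong account, in the wrong phase, with a forged or stale proof, above a cap, or with the wrong msg.value, and assert the revert.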