WakeMint: Detecting Sleepminting Vulnerabilities in NFT Smart Contracts
Lei Xiao, Shuo Yang, Wen Chen, Zibin Zheng
TL;DR
The work addresses the security risk of sleepminting in NFT smart contracts by formalizing four code-level sleepminting types and delivering WakeMint, a symbolic-execution-based detector. WakeMint combines source/bytecode analysis, AST-driven function pruning, and a constraint-based analyzer to detect sleepminting across Solidity versions, demonstrated on 11,161 real-world contracts with 115 confirmed cases and 87.8% precision. The key contributions are the four-type taxonomy with concrete code patterns, the WakeMint tool with a practical pruning strategy, and a large-scale evaluation that highlights both the prevalence of sleepminting and actionable detection capabilities. This approach provides developers and platforms with a proactive means to audit NFT contracts before deployment, enhances trust in the NFT ecosystem, and offers public access to the tool and data for further research.
Abstract
The non-fungible tokens (NFTs) market has evolved over the past decade, with NFTs serving as unique digital identifiers on a blockchain that certify ownership and authenticity. However, their high value also attracts attackers who exploit vulnerabilities in NFT smart contracts for illegal profits, thereby harming the NFT ecosystem. One notable vulnerability in NFT smart contracts is sleepminting, which allows attackers to illegally transfer others' tokens. Although some research has been conducted on sleepminting, these studies are basically qualitative analyses or based on historical transaction data. There is a lack of understanding from the contract code perspective, which is crucial for identifying such issues and preventing attacks before they occur. To address this gap, in this paper, we categoriz four distinct types of sleepminting in NFT smart contracts. Each type is accompanied by a comprehensive definition and illustrative code examples to provide how these vulnerabilities manifest within the contract code. Furthermore, to help detect the defined defects before the sleepminting problem occurrence, we propose a tool named WakeMint, which is built on a symbolic execution framework and is designed to be compatible with both high and low versions of Solidity. The tool also employs a pruning strategy to shorten the detection period. Additionally, WakeMint gathers some key information, such as the owner of an NFT and emissions of events related to the transfer of the NFT's ownership during symbolic execution. Then, it analyzes the features of the transfer function based on this information so that it can judge the existence of sleepminting. We ran WakeMint on 11,161 real-world NFT smart contracts and evaluated the results. We found 115 instances of sleepminting issues in total, and the precision of our tool is 87.8%.