VULTBASEIntelligence Platform
All Articles

Smart Contract Security

NFT Smart Contract Security: Beyond the JPEG — Vulnerabilities in ERC-721 and ERC-1155

Kennedy OwiroDecember 14, 20258 min read

NFTs may seem simple — mint, transfer, done. But ERC-721 and ERC-1155 smart contracts have their own class of vulnerabilities: reentrancy via safe transfer callbacks, unlimited minting exploits, metadata manipulation, and signature-based mint abuse. With NFT trading volume reaching billions, these bugs have real consequences.

1. Safe Transfer Reentrancy

ERC-721's safeTransferFrom calls onERC721Received on the recipient. This callback enables reentrancy — exactly the same pattern as ETH transfer reentrancy but often overlooked in NFT contracts.

// VULNERABLE: Callback before state update
function mint(uint256 quantity) external payable {
    require(totalMinted + quantity <= MAX_SUPPLY);
    for (uint i = 0; i < quantity; i++) {
        _safeMint(msg.sender, nextTokenId++);
        // _safeMint calls onERC721Received → attacker re-enters mint()
    }
    totalMinted += quantity;  // Too late!
}

2. Mint Quantity Manipulation

Missing per-wallet limits, missing total supply checks, or integer overflow in quantity calculations allow minting beyond intended limits.

// SECURE: Per-wallet limit with state update first
mapping(address => uint256) public minted;

function mint(uint256 quantity) external payable {
    require(minted[msg.sender] + quantity <= MAX_PER_WALLET, "Exceeds limit");
    require(totalSupply() + quantity <= MAX_SUPPLY, "Exceeds supply");
    require(msg.value >= price * quantity, "Insufficient payment");
    minted[msg.sender] += quantity;  // Update state FIRST
    for (uint i = 0; i < quantity; i++) {
        _safeMint(msg.sender, nextTokenId++);
    }
}

3. Signature-Based Allowlist Abuse

Many NFT drops use off-chain signatures for allowlists. Without nonces or expiry, signatures can be replayed endlessly.

4. Metadata Manipulation

If metadata URIs are mutable and the owner can change them, rare NFTs can be swapped to common ones after sale. Always use immutable metadata or IPFS content hashes.

5. Royalty Bypass

ERC-2981 royalties are not enforced on-chain — marketplaces can ignore them. Solutions include operator filters (OpenSea's approach) or protocol-level enforcement.

NFT Security Checklist

  • ✅ Use ReentrancyGuard on mint functions (safe transfer callbacks)
  • ✅ Enforce per-wallet and total supply limits
  • ✅ Include nonces and expiry in allowlist signatures
  • ✅ Use immutable metadata or IPFS content addressing
  • ✅ Implement withdrawal patterns for collected ETH
  • ✅ Test with contracts as minters (not just EOAs)

How Vultbase Audits NFT Contracts

  1. Pattern DB — NFT-specific patterns for mint abuse, callback reentrancy, and signature replay
  2. Challenge Execution — Tests mint functions with adversarial contracts
  3. Access Control — Validates admin functions (metadata updates, withdrawals)

NFT contracts handle real money. Audit yours before the mint goes live.

NFTERC-721ERC-1155mint securitymetadataroyaltysmart contract security
Share

Written by

Kennedy Owiro

Founder & CTO, Vultbase

14+ years building security and QA systems at scale. Background in fintech security and Web3 smart contract testing. Built Vultbase's Intelligence Engine with 1,200+ exploit patterns from $40B+ in historical DeFi losses.

Related Articles

Smart Contract Security

Reentrancy Attacks Explained: How DeFi Lost Billions and How to Prevent It

12 min read

Smart Contract Security

Access Control Vulnerabilities in Smart Contracts: The Silent Permission Crisis

10 min read

DeFi Security

Oracle Manipulation: How Price Feed Exploits Drain DeFi Protocols

11 min read

Protect your protocol before launch.

Submit your smart contracts for automated security analysis powered by 1,200+ real exploit patterns.

Start Your Audit →