Recently, the birth of non-fungible tokens (NFTs) has attracted great attention. NFTs are capable of representing users' ownership on the blockchain and have experienced tremendous market sales due to their popularity. Unfortunately, the high value of NFTs also makes them a target for attackers. The defects in NFT smart contracts could be exploited by attackers to harm the security and reliability of the NFT ecosystem. Despite the significance of this issue, there is a lack of systematic work that focuses on analyzing NFT smart contracts, which may raise worries about the security of users' NFTs. To address this gap, in this paper, we introduce 5 defects in NFT smart contracts. Each defect is defined and illustrated with a code example highlighting its features and consequences, paired with possible solutions to fix it. Furthermore, we propose a tool named NFTGuard to detect our defined defects based on a symbolic execution framework. Specifically, NFTGuard extracts the information of the state variables from the contract abstract syntax tree (AST), which is critical for identifying variable-loading and storing operations during symbolic execution. Furthermore, NFTGuard recovers source-code-level features from the bytecode to effectively locate defects and report them based on predefined detection patterns. We run NFTGuard on 16,527 real-world smart contracts and perform an evaluation based on the manually labeled results. We find that 1,331 contracts contain at least one of the 5 defects, and the overall precision achieved by our tool is 92.6%.

翻译：近期，非同质化代币（NFT）的诞生引发了广泛关注。NFT能够在区块链上代表用户的所有权，并因其受欢迎程度而经历了巨大的市场销售。不幸的是，NFT的高价值也使其成为攻击者的目标。NFT智能合约中的缺陷可能被攻击者利用，从而损害NFT生态系统的安全性和可靠性。尽管这一问题意义重大，但目前缺乏系统性的工作来重点分析NFT智能合约，这可能引发用户对NFT安全的担忧。为弥补这一空白，本文介绍了NFT智能合约中的5种缺陷。每种缺陷均通过代码示例定义并阐明其特性与后果，同时提供相应的修复方案。此外，我们提出了一种名为NFTGuard的工具，基于符号执行框架检测所定义的缺陷。具体而言，NFTGuard从合约抽象语法树（AST）中提取状态变量的信息，这对符号执行过程中识别变量加载与存储操作至关重要。进一步地，NFTGuard从字节码中恢复源代码级特征，以有效定位缺陷，并根据预定义检测模式进行报告。我们在16,527个真实智能合约上运行NFTGuard，并基于人工标注结果进行评估。研究发现，其中1,331个合约至少包含一种缺陷，且工具的整体精度达到92.6%。