Web3 applications (including NFTs) aren’t just vulnerable to attack; because of the distributed nature of blockchains, they often present a broader attack surface than conventional applications do. Further, Web3 apps are desirable targets because tokens can be worth substantial sums of money. With companies from Gucci to State Farm Insurance launching NFTs or becoming involved with other Web3 projects, security pros need to understand what the key threats are, both on-chain and off-chain, and what they can do to mitigate them. In this report, we provide a high-level overview of the most important risks and how to mitigate them.