A Blockchain & Web 3 Publication creating precise insights and easy to follow guides for User on-boarding.


With the advent of new technologies, bad actors always find a way to exploit them. Web 3 has seen massive growth and growing adoption over the past few years. It brought a revolution called decentralization into almost all sectors; it is not at maturity yet, but it is getting there. It promises privacy, security and freedom of expression in all spheres. We have seen a lot of hacks in Web 3: DeFi, centralized exchanges, rugged projects and NFT hacks, to name a few. In Web 3, you can't always rely on third-party services to secure you. You are the custodian of your wallets, which is all the more reason to take charge of your own security. There are lots of ways to go about this, but the easiest is keeping separate wallets for trading, minting and storage.
The bear market changed the NFT meta and created a 'Free Mint' movement that appealed to a certain sector of the NFT space. Projects, NFT traders and degens hopped on this movement, and bad actors likewise hijacked the trend for illicit gains. A new NFT wallet-draining exploit is taking shape that uses a mixture of social engineering and takes advantage of the "Degen meta".

This trend/movement was championed by GoblinTown NFT. Afterwards, a lot of projects rode this wave to bring their own projects to life. The basis of the meta is paying nothing for the NFT: no roadmap, no utility, just some artwork. The community, roadmap and further development usually come after minting. This value proposition is attractive in a bear market because there is no financial risk to minting.
The bad actors/hackers use this to their advantage. Instead of creating fake projects to rip people off, they create FOMO-inducing free "degen" mint projects that trick people into granting them access to transfer NFTs and other assets out of their wallets.
Usually they start by using legitimate services like https://www.premint.xyz to create raffles for their pre-sale list. Premint does not vet the projects using its service; however, many people don't know this and think these raffles are "endorsed by Premint". Premint has put a lot of effort into alerting its users: a modal pops up when you leave the Premint website, warning of possible hacks and telling you to check all instructions before signing transactions.
To make things worse, there is a feature that allows raffle creators to set requirements such as "must hold a Moonbirds NFT" in order to enter. This can be done without the consent of the project owner, so fake raffles can be made to look as if that project endorsed them.
So when it comes time to mint in the "allow-list sale", you are minting with the wallet that probably still holds the high-value NFT that was required to participate in the raffle in the first place.
This is where your NFTs get stolen
The workflow of the heist is broken down below:
1. The project creates a mint site, a contract and a Premint campaign.
2. The Premint campaign sets requirements, such as holding a very expensive NFT (e.g. BAYC, Moonbirds), in order to qualify for the raffle.
3. The minting website is a copy of another successful project's site, or a badly designed page with just a connect button and a mint button.
4. Once you connect your wallet, malicious code is executed. This code:
   a. scans your address for NFT assets;
   b. uses OpenSea's API to determine the most expensive NFTs;
   c. finds the smart contract of each of those NFTs.
5. Once you click "mint", it generates a transaction that interacts with the contract of the most expensive NFTs. This transaction grants the scammers access to transfer out your NFTs. The function it calls is setApprovalForAll. We hope MetaMask works on a modal or some kind of notification to alert the user when the setApprovalForAll function is called.
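The kind of pre-signing alert wished for above can be sketched as follows. This is an added example, not code from MetaMask or from the original post; the `ctx` fields, the verdict names and all addresses are hypothetical and constructed for illustration.

```javascript
// Flag setApprovalForAll before the user signs.
// 0xa22cb465 is the 4-byte selector of setApprovalForAll(address,bool).
const SET_APPROVAL_FOR_ALL = "a22cb465";

// Returns { operator, approved } or null if the calldata is some other call.
function decodeSetApprovalForAll(data) {
  const hex = String(data || "").toLowerCase().replace(/^0x/, "");
  // selector (8 hex chars) + two 32-byte ABI words (128 hex chars)
  if (!/^[0-9a-f]*$/.test(hex) || hex.length < 136) return null;
  if (hex.slice(0, 8) !== SET_APPROVAL_FOR_ALL) return null;
  return {
    operator: "0x" + hex.slice(32, 72),          // low 20 bytes of word 1
    approved: !/^0+$/.test(hex.slice(72, 136)),  // any non-zero word is true
  };
}

// ctx.expectedContract: address the mint site advertises (assumed input)
// ctx.heldCollections: NFT contracts this wallet holds tokens in (assumed input)
function reviewTransaction(tx, ctx) {
  const to = tx.to.toLowerCase();
  const reasons = [];
  const call = decodeSetApprovalForAll(tx.data);
  if (call && call.approved) {
    reasons.push(`grants ${call.operator} transfer rights over every token in ${to}`);
    if (ctx.heldCollections.map((a) => a.toLowerCase()).includes(to)) {
      reasons.push("target is a collection this wallet already holds, not a new mint");
    }
    return { verdict: "block", reasons };
  }
  if (!call && to !== ctx.expectedContract.toLowerCase()) {
    reasons.push("target is not the advertised mint contract");
    return { verdict: "warn", reasons };
  }
  return { verdict: "ok", reasons }; // includes revocations (approved = false)
}

// Constructed sample data: placeholder addresses, not real contracts.
const addr = (byte) => "0x" + byte.repeat(20);
const word = (h) => h.replace(/^0x/, "").padStart(64, "0");
const ctx = { expectedContract: addr("aa"), heldCollections: [addr("bb")] };
const approvalData = (flag) => "0x" + SET_APPROVAL_FOR_ALL + word(addr("cc")) + word(flag);
const drainTx = { to: addr("bb"), data: approvalData("1") };  // the "mint" button's real payload
const revokeTx = { to: addr("bb"), data: approvalData("0") }; // user revoking the same operator
const mintTx = { to: addr("aa"), data: "0x12345678" };        // arbitrary non-approval call

console.log(reviewTransaction(drainTx, ctx));
```

The decisive signal is that a "mint" transaction targets a collection the wallet already owns rather than the new project's contract.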
In the steps highlighted above, you have granted access to your NFT assets while thinking you were minting a free mint. The exploit is so successful because the scammers bank on the Premint brand even though raffles are not vetted. Creating hype around a free mint on Twitter is easy because it appeals to human psychology: everyone wants a free mint. High-value wallets and influencers hop on free mints and shill them to their followers, who do the same.
We have seen the same method used over and over again lately for many projects. They are easy to detect now. Once you see one, always interact with a burner wallet.
If you think you've been impacted by one of these heists, make sure to revoke access to all of your high-value NFTs through https://revoke.cash or transfer them out ASAP to a hardware wallet or an entirely new wallet.
NOTE: when creating a burner wallet, don't make the mistake of adding a sub-account under your existing account. For example, on MetaMask, don't add another account. Instead, create a new wallet with its own seed phrase, and once you have finished minting, move your assets to your storage wallet. I'd suggest you have three wallets: a trading wallet, a minting wallet and a storage wallet. Your storage wallet could be a hardware wallet.
You are the custodian of your assets, so take action and get a hardware wallet from our partners. It is one of the best products out there. Click on this link to get a Ledger Nano S Plus.
Thanks for staying till the end. We write informative content on Web3 every now and then. Follow us on Twitter @real_blok