NFTs have become a phenomenon that reached far outside the typical crypto bubble, straight into normie territory. But with floor prices skyrocketing they have also become a very valuable target for digital thieves.
The most recent exploit at the time of writing earned the thief a collection of Moonbirds, valued at approximately $1.5M, all taken from a single collector. This wasn't the only or the biggest hack, and a look at https://web3isgoinggreat.com/ reveals a horrifying amount of wealth that has been transferred to new owners.
But was it always against the original owner's will?
A very common attack is to target a specific user, entangle them in talks about doing an OTC deal, send them a link to a bogus trading site and just wait for the target to approve the transfer.
A less common but more sophisticated attack requires the attacker to phish the private key or seed phrase of a specific wallet and then transfer the desired token to a new wallet owned by the attacker.
But no matter which scenario we're looking at, they all have one weak spot that is being targeted: you.
The rush for quick money and wealth brought many people into the crypto space who have no desire to learn how anything actually works or why sending pictures of their private keys to a Telegram chat is not a good idea. Most exploits involving theft of NFTs or other tokens were successful because the users had no idea what they were doing when they sent the fateful transaction.
After a theft has occurred, a common thing to read on "NFT Twitter" is something along the lines of "if only the victim had been using a hardware wallet", a laughable statement once you take into account that most exploits bank on users blindly sending transactions without knowing what they're doing.
A hardware wallet is basically an air-gapped device that is incapable of accidentally leaking a private key to the computer it is connected to. This does not mean that the private key can't be obtained or that the user can't be coaxed into a snafu. Social engineering is the biggest threat to every wallet, and no amount of air gapping will make it less dangerous or the wallet more secure.
So what are you supposed to do then?
One of the easiest security enhancements you could go through with is to set up a Gnosis Safe. This generates a smart contract for you to which you can add "signers". The contract essentially acts as a treasury and needs a certain number of signers to execute a transaction. Usually this setup is used in DAOs, where all signers are different users. However, for your own security you can set up a 2/2 signer safe where one signer is your Metamask wallet and the second one is a wallet on your smartphone, e.g. Rainbow.
This decreases the risk of getting your assets stolen by a compromised private key significantly, as the attacker now has to get hold of two different keys to operate the safe.
As secure as this is, it is also very inconvenient and I wouldn't recommend this setup for daily operations or token trades. Using it as a treasury where direct interaction with the tokens is not required frequently is a pretty good choice.
If this sounds too good to be true, there is a catch.
A Gnosis Safe is not exempt from exploits that only require blind user input. If you approve token balances on contracts you have not reviewed, or simply accept a bogus trade on a third-party site, the safe won't save you.
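To make both points concrete (the 2/2 safe stopping a single compromised key, and the same safe happily executing a blind approval), here is a toy model added for this post. It is not Gnosis Safe code: the signatures are HMACs over a transaction digest standing in for real wallet signatures and on-chain recovery, the token is a stripped-down ERC-721 with only setApprovalForAll and transferFrom, and all names and secrets ("metamask", "rainbow", "bogus-market", the key bytes) are constructed for the example.

```python
"""Toy 2/2 Safe guarding one NFT (constructed simulation, not Gnosis Safe code)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable


class ToyNFT:
    """Minimal ERC-721-like registry: token owners plus operator approvals."""

    def __init__(self):
        self.owner_of = {}      # token_id -> owner address
        self.operators = {}     # (owner, operator) -> approved?

    def mint(self, to, token_id):
        self.owner_of[token_id] = to

    def set_approval_for_all(self, caller, operator, approved):
        # Any account can grant an operator blanket rights over its own tokens.
        self.operators[(caller, operator)] = approved

    def transfer_from(self, caller, frm, to, token_id):
        if self.owner_of.get(token_id) != frm:
            raise PermissionError("sender is not the token owner")
        if caller != frm and not self.operators.get((frm, caller), False):
            raise PermissionError("caller is neither owner nor approved operator")
        self.owner_of[token_id] = to


@dataclass(frozen=True)
class SafeTx:
    description: str
    call: Callable[[], None]   # action performed once enough owners have signed
    nonce: int

    def digest(self):
        return hashlib.sha256(f"{self.description}|{self.nonce}".encode()).digest()


def sign(secret, tx):
    """Simulated owner signature: HMAC stand-in for a real wallet signature."""
    return hmac.new(secret, tx.digest(), "sha256").hexdigest()


class ToySafe:
    """k-of-n multisig: runs a tx only with >= threshold distinct valid signatures."""

    def __init__(self, address, owner_keys, threshold):
        if not 1 <= threshold <= len(owner_keys):
            raise ValueError("threshold must be between 1 and the number of owners")
        self.address = address
        self.owner_keys = dict(owner_keys)   # owner name -> verification material
        self.threshold = threshold
        self.nonce = 0

    def exec_transaction(self, tx, signatures):
        if tx.nonce != self.nonce:
            raise PermissionError("stale or replayed nonce")
        valid = set()
        for owner, sig in signatures.items():
            key = self.owner_keys.get(owner)
            if key is not None and hmac.compare_digest(sig, sign(key, tx)):
                valid.add(owner)          # each owner counts once, whatever they submit
        if len(valid) < self.threshold:
            raise PermissionError(f"{len(valid)} valid signature(s), need {self.threshold}")
        self.nonce += 1
        tx.call()


def demo():
    """Walk through the situations the post describes; returns the outcomes."""
    mm_key, rb_key = b"metamask-secret", b"rainbow-secret"   # constructed secrets
    safe = ToySafe("safe", {"metamask": mm_key, "rainbow": rb_key}, threshold=2)
    nft = ToyNFT()
    nft.mint(safe.address, 1)
    out = {}

    # 1. Only the Metamask key is compromised: one real signature plus a forged
    #    one for the Rainbow owner still falls short of the 2/2 threshold.
    steal = SafeTx("transfer #1 to attacker",
                   lambda: nft.transfer_from(safe.address, safe.address, "attacker", 1),
                   safe.nonce)
    try:
        safe.exec_transaction(steal, {"metamask": sign(mm_key, steal), "rainbow": "forged"})
        out["single_key"] = "executed"
    except PermissionError:
        out["single_key"] = "rejected"
    out["owner_after_single_key"] = nft.owner_of[1]

    # 2. Both owners sign a setApprovalForAll for an unreviewed "trading site".
    #    The safe has no opinion on what it signs; the threshold is met, so it runs.
    approve = SafeTx("setApprovalForAll(bogus-market, true)",
                     lambda: nft.set_approval_for_all(safe.address, "bogus-market", True),
                     safe.nonce)
    safe.exec_transaction(approve, {"metamask": sign(mm_key, approve),
                                    "rawinbow" if False else "rainbow": sign(rb_key, approve)})
    out["blind_approval"] = "executed"

    # 3. The approved operator moves the token with no safe signature at all.
    nft.transfer_from("bogus-market", safe.address, "bogus-market", 1)
    out["owner_after_operator_move"] = nft.owner_of[1]
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The first case is the benefit from the paragraph above: a stolen Metamask key is one valid signature, and forging a second does not help. The second and third cases are the catch: once both owners approve an operator, that operator drains the safe through the token contract directly, and the safe never sees another transaction to reject.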
It is ultimately up to you to stay vigilant and not get pushed by FOMO into doing things without thinking about what exactly you're doing.
