Something you need to know to avoid getting scammed(Extended part)

If you have read this, so this is an extension part of this article, so let's dive into more details

0x01 Ledger

The last article we mentioned about Transactions is created in metamask (or your wallet of choice) and handed over to the hardware device where you must physically sign them. A hardware wallet is a dedicated device used to generate and store your seed phrase securely while allowing you to interact with various chains in all of the ways you would normally expect. The Ledger is one such wallet.

When you first turn on your ledger, it will ask if you’d like to recover from seed or generate a new one. You may be tempted to import your existing m*tam*sk wallet. Importing a seed that was generated online offers about as much protection as this gate would your new home.

If you want to take it a step further, consider recording your phrase on something that is inherently more resistant to natural disasters. Cryptosteel is a popular option for this. No matter where you choose to store your seed, MAKE SURE YOU HAVE A BACKUP!

Additionally, I would suggest adding a passphrase, or “25th” word to your seed, and attaching it to a unique PIN on your device. It’s one last layer of defense against attackers. You can get set up with a 25th word using Ledger’s official guide:

you can store your passphrase somewhere online, like a password manager, as a form a 2fa for your seed phrase. If somebody does get a hold of your seed phrase, it recovers an entirely different set of wallets than your seed phrase + 25th word.

With a hot wallet, if you’re not careful (and sometimes even if you are), one bad click can result in your entire wallet being drained. ETH, NFTs, ERC20s, gone. It’s what happened to @Arthur_0x back in March. Hot wallet keeps your seed safely offline.

Your hardware wallet can also protect you from address switcharoos. Imagine a scenario where you’re sending eth. When you go to submit the tx, malware switches out the receiving address to an attacker’s address, but on your end it still shows you your intended address.

Hardware Wallet: You can double-check the address on the device itself. In fact, you SHOULD make it a habit to double-check the addresses you’re interacting with from your hardware wallet.

It won’t stop you from granting dangerous approvals and losing your NFTs/ERC20s that way. If you set an approval, you’re allowing another address (usually a contract) to move assets for you. They do not need your key, so a HW wallet will not save you.

0x02 MoshiMochiNFT was hacked

The moment MoshiMochiNFT was hacked, and a fake announcement was posted claiming a surprise mint of 1,000 extra NFTs. Surprise, limited mints are often used by scammers to convince you to act quickly, or risk missing out. More urgency = less critical thinking.

https://etherscan.io/address/0x5a5efd599b8448e6ab80822ade9ef452a6c7801d

In a nutshell, hackers made off with a little over 33E from transfers alone. Not a bad payday for a day’s work, but also far from the end of it. After the transfer, users were prompted to sign more transactions. These were `setApprovalForAll` calls, which allow an address to spend an asset for you. Below is the BAYC contract: It sets an address (the operator) to be approved (this can either be true or false).

This calls the BAYC contract, and sets approved to “true” for address 0xD27045A8506369a60A227b44bEaDb2Aed2099d70 (the scammer).

This is important because that’s the only requirement needed for the scammer to then call `transferFrom`, passing in any receiving address (in this case his own), and any BAYC token ID that iloveponzi owns to execute a transfer.

Approvals were also set in the same way for MAYC, BAKC, and Doodles. Each is a separate transaction, but when you’re rushing to mint, you’re not paying attention.Approvals are super helpful in certain cases. For instance, OpenSea needs approval to move your assets in order to execute a sale on your behalf.

Notice that you can see what site it’s coming from (http://opensea.io), what contract it’s calling (top right), and what method it’s calling (Set Approval For All). If any of those look wrong to you, RUN AWAY. If you’re trying to mint, you probably don’t want to set approval to the BAYC contract. If you’re trying to sign a message to receive a POAP on http://funfakepoaps.com, that message probably shouldn’t be coming from http://opensea.io.One surefire way to not get scammed is to not be first. I say it all the time, but urgency is the best tool scammers have against you. Wait and see, let others participate first. At the very least it’ll save you stress, at most it’ll save your net worth.

0x03 premint.xyz

Few days ago user cousteau8383pop had two goblins stolen through a fake, malicious project website that leveraged http://premint.xyz in order to seem legitimate. Today, they were stolen again. let’s see how it goes `setApprovalForAll`, what it means, and how not to get rekt 1/

First of all, it’s important to know that http://premint.xyz is a fantastic tool for projects, but they are NOT a stamp of approval. Any project can set up a premint page, regardless of whether of not they’re a rug, scam, or some other bamboozle.

But many people don’t know that, and Cousteau was one such person. They were directed to a mint site for a fake project, where the mint button actually directed to a `setApprovalForAll` for the most valuable NFT in your wallet.This approval allows the attacker to move any asset from that collection on your behalf. In this case, the project was goblintownwtf, and Cousteau had two: 5701 and 7200. They were both promptly moved to an address owned by the attacker.

The damage doesn’t end there. Cousteau took the lumps but carried on, and bought another goblin (6243) right away, and even bought 5701 back the following day. However, they did not revoke the approval that allowed the attacker to move goblins.

Most scammers will set up a bot that transfers these tokens out automatically, but this one must have been doing it manually. The goblins sat untouched for 6 days before being stolen again today. Either the attacker was waiting for Cousteau to buy more goblins before wiping them out, or they simply didn’t notice until today that they were there for the taking. Either way, there’s an easy solution for this: you can remove any approvals set athttps://revoke.cash/

Note that revoking approvals calls the same function as setting them: `setApprovalForAll`. The function requires an operator (the address that you’re giving permission to), and a boolean (true or false). When granting approvals, this boolean is true. When removing them, false.

You can always check which it is by navigating to the “data” tab in MM. Always be careful, because there are fake revocation sites out there that will trick you into calling approvals with the flag set to true.

You can also do this semi-manually via etherscan. The `isApprovedForAll` function in the “Read” tab of the project contract will tell you if the approval exists. It requires two addresses: yours and the operator. You can see plugging Cousteau and the attacker in returns true:

To remove the approval, simply navigate to the “Write” tab, locate `setApprovalForAll`, and manually enter the operator address to remove, as well as ‘false’ in the “approved” field. Confirm the transaction in MM, and `isApprovedForAll` should now show false.

END

ref:https://twitter.com/0xQuit/status/1549558331517259776

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
lunaray

lunaray

Lunaray takes a leading position in smart contract auditing and consulting service for blockchain security.