WEB3 ANTI-FRAUD SECURITY KNOWLEDGE — NFT Phishing

lunaray
Coinmonks

0x01 Deploy contract + mint NFT

1.1 Platform

The contract is issued on the Rinkeby testnet.

1.2 Main contract logic

Contract address: 0x5e6893BeEAd9718B1b41741065BA3C3c8848737D

The main contract code is as follows:

  • The constructor defines the name and symbol of the NFT collection;
  • safeMint mints one NFT to the target address and auto-increments tokenId, so the next mint uses the following ID;
  • _baseURI is a fixed link that is prefixed to every tokenURI;
  • tokenURI is composed as _baseURI + tokenId; this link points to the MetaData;
  • MetaData stores the token information that NFT trading sites need, such as the NFT description, trait attributes and image address.

In this example contract:

  • Main contract name: MyNFT
  • The issued NFT is named Doge and its symbol is DG
  • _baseURI: ipfs://QmYjZ3Df23fqPyNXmMySEgKN5PkZa3f664G4uY1wuSfzSF/
  • tokenURI is _baseURI + tokenId

Note: OpenSea reads the MetaData from the tokenURI of each token held by the account.

IPFS image upload and tokenId/MetaData association

Using the https://www.pinata.cloud website, you can upload images to the IPFS network for free.

After uploading all the images, create a new local folder containing one index file per token: a plain text file named with the token's serial number (a natural number) whose content is the MetaData:

Note: The image link in the MetaData is the image address just uploaded to the IPFS network. Then upload the folder to the IPFS network; its address is the value returned by the contract's _baseURI function.

Minting

Two NFTs are minted from the account that deployed the contract; the transaction hashes are:

  • 0x6c8fc146813bdac9bf0100dfb3c5105c0951d2048978b5d86376c03acbf63a09
  • 0xea0aa7bcf7072db62ee77a8ed938db23e47c81af1a5842381c9d8a7005534cd7

The minted NFTs are then visible on OpenSea:

0x02 Phishing attack

Contract

  • Platform: Rinkeby
  • Address: 0x8AdF4a5029d409ef9610D647584b411b2Bea0916

The phishing page uses web3 to call the smart contract's setApprovalForAll function while presenting it to the user as a Mint button on the front end.

The sample code is written in Rust, depends on the web3 crate from crates.io, is compiled to WASM and runs in the browser.

Next, using the Yew framework, the page connects the wallet when it is created and binds the click event of the Mint button to the phishing function.

You can refer to this document:

0x03 trunk serve — release

This builds the project locally and serves the web page.

Phishers post the phishing link in Telegram groups, on Twitter and elsewhere, claiming that the project is currently offering a free mint.

If the user clicks the Confirm button without looking carefully at what the transaction actually does, the authorization is executed:

https://rinkeby.etherscan.io/tx/0xee08460fa306a5cbcd06f370846a9b8aaa5fe6c33d6191d3dc6853ce2e22a082

Once the authorization has gone through, SetApprovalForAll appears in the contract's transaction list, and the transaction details show which address was authorized as operator for the target account.
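As an added defensive example (not code from the original article), the check below decodes the calldata a wallet is asked to sign and flags exactly the pattern described here: a button labelled Mint whose transaction is in fact setApprovalForAll to an operator that is not a known marketplace. The operator and marketplace addresses are constructed placeholders, not addresses from the article.

```python
"""Decode ERC-721 approval calldata and flag a setApprovalForAll disguised as a mint."""
from dataclasses import dataclass
from typing import List, Optional, Set

# First four bytes of keccak256 of the function signature (standard ERC-721 selectors).
SEL_SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address operator, bool approved)
SEL_APPROVE = "095ea7b3"               # approve(address to, uint256 tokenId)

# Constructed sample values, not taken from the article.
PHISHER_OPERATOR = "0x" + "11" * 20               # placeholder attacker-controlled operator
TRUSTED_OPERATORS: Set[str] = {"0x" + "aa" * 20}  # placeholder known marketplace contract
# Calldata a fake "Mint" button actually submits: setApprovalForAll(PHISHER_OPERATOR, true)
SAMPLE_PHISHING_CALLDATA = ("0x" + SEL_SET_APPROVAL_FOR_ALL
                            + "00" * 12 + "11" * 20   # operator, left-padded to 32 bytes
                            + "00" * 31 + "01")       # approved = true

@dataclass
class ApprovalCall:
    kind: str       # "setApprovalForAll" or "approve"
    operator: str   # address being granted (or stripped of) transfer rights, lowercase hex
    approved: bool  # True when rights are granted, False when revoked

def decode_approval(calldata: str) -> Optional[ApprovalCall]:
    """Return the decoded approval call, or None if the calldata is not an approval."""
    data = calldata.lower()
    if data.startswith("0x"):
        data = data[2:]
    selector, args = data[:8], data[8:]
    if len(args) != 128:                       # both functions take exactly two 32-byte words
        return None
    operator = "0x" + args[24:64]              # low 20 bytes of the first word
    if selector == SEL_SET_APPROVAL_FOR_ALL:
        return ApprovalCall("setApprovalForAll", operator, int(args[64:], 16) == 1)
    if selector == SEL_APPROVE:                # approve(address(0), id) revokes a single token
        return ApprovalCall("approve", operator, int(args[24:64], 16) != 0)
    return None

def flag_approval(calldata: str, claimed_action: str,
                  trusted: Set[str] = TRUSTED_OPERATORS) -> List[str]:
    """Findings a wallet or monitoring rule would raise before the user confirms."""
    findings: List[str] = []
    call = decode_approval(calldata)
    if call is None:
        return findings
    if claimed_action.lower() not in ("approve", "setapprovalforall"):
        findings.append(f"UI says '{claimed_action}' but calldata calls {call.kind}")
    if call.kind == "setApprovalForAll" and call.approved and call.operator not in trusted:
        findings.append(f"grants transfer rights over ALL tokens to untrusted operator {call.operator}")
    return findings

if __name__ == "__main__":
    for finding in flag_approval(SAMPLE_PHISHING_CALLDATA, "Mint"):
        print("WARNING:", finding)
```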

If the authorized operator is the attacker's address, the corresponding From is the victim's address. Looking up the victim's address shows the token IDs of all NFTs it holds:

Transfer the victim’s NFT

The attacker then uses the contract's transfer function to move the specified NFT. The transaction link is as follows:

https://rinkeby.etherscan.io/tx/0x67c4fd9392e209b5666ea6c2fa5901b761f78a8da1bccc3b18fd5b755613d7e8

Sell NFTs

Opening this page with another account shows a Buy button: https://testnets.opensea.io/assets/rinkeby/0x8adf4a5029d409ef9610d647584b411b2bea0916/0

Buy NFTs

https://rinkeby.etherscan.io/tx/0xe71ed2192a0f3bfa64a33dd3f842c6afef340d0261eec8fc8d0d6b829214ac72
