People are losing millions in NFTs to phishing attacks. Here's how I think we can prevent that.
As NFTs have gained value, they are increasingly becoming targets of attacks. Here's how I think better design can help protect our assets
Hey everyone,
A couple of quick announcements: first, the new Degen University website is live, which has all our educational resources in one place (including a new guide) as well as merch.
Second, Degen University will be hosting a series of Twitter Spaces for Decentral Art Pavilion, taking place in Venice in 2022. Join me on Thursdays as I walk everyone through a crash course on crypto, NFTs and blockchains.
I’m excited to host and hope to see some of you there!
NFTs worth millions are regularly stolen
Where there is value, there are bad actors. In crypto, we see that in NFTs: @boredapeyc holders are often targets of attacks, like this ape that was stolen during the BAYC merch drop. In this two-part thread, let's first break down how this happened, then how you can protect yourself. 👇 🧵
To start, let's adopt the mindset of a hacker. As a hacker, it's easiest to succeed in stealing an NFT when a person's guard is down and FOMO is high. In other words, when your emotions are in charge (rather than your logical brain), you're most susceptible to an attack. The most common attack is phishing. This is when a hacker creates a website that masquerades as the real one in the hope of getting your belongings. In web2, this meant credit cards and passwords. In web3, it's the contents of your wallet or your seed phrase.
web2 security vs web3
In web2, you had a failsafe: credit card chargebacks and password resets. Web3, however, is centred on ownership and self-custody. That means once your wallet is compromised, that's it. They've got your assets. No do-overs. In web3, you play for keeps. That's the dark side of self-custody and ownership, and a severe problem we need to create elegant solutions for (more on this later). But hackers are clever. You don't just create a phishing site and hope someone falls for it; you wait for the right timing.
To steal NFTs, timing is everything
The best timing is when NFT projects ask their holders to verify ownership. "Proof of ownership" is simply a project asking you to confirm you own a specific NFT. If you provide proof, you get access to whatever is behind the NFT gate (a merch drop, exclusive content). With NFTs, proving ownership is as simple as connecting your wallet and signing a message. This is a harmless, gasless signature (not an on-chain transaction) that verifies you control the wallet and therefore the contents inside it.
For the March @boredapeyc merch drop, you needed to connect the wallet containing your BAYC/MAYC and sign a message to get access to buy. But this is where the hackers strike. They set up a replica merch store with a different URL. The site that got @cameronmoulene's ape was boredapeyaRhtclub dot com (an R instead of a C in "yacht"). But instead of signing a message to verify account ownership, you're signing a transaction (which costs gas).
This transaction is called "set approval for all," and it costs gas. This is the same transaction that we pay for on Opensea when listing an NFT for the first time.
This permission is granted at the smart contract level and lets the approved party move any NFT you hold from that specific contract, not just one token. In Opensea's case, this permission is needed to move your item to the buyer when it sells.
Hackers will try and trick you into accepting a "set approval for all" transaction so that their smart contract can extract your NFT from your wallet. You can see that transaction here in the victim's wallet. Minutes later, the ape was gone.
Protecting your NFTs from phishing scams
This leads us to the first takeaway: when you're verifying ownership of your NFT on a website, you should ~NEVER~ be paying gas. This will always be a gasless signature like the following. Anything more is a scam. Run.
This ape was stolen with a phishing website, coupled with tricking the owner into approving their NFT amid the FOMO and hype of the BAYC merch drop in March. This leads us to the second takeaway...
Takeaway #2: your vigilance for security needs to be the highest around key events that require verifying ownership. This is when hackers are most likely going to strike, when you're most susceptible and when FOMO and emotions are high. This is why we've been inundated with verified Twitter accounts with Moonbird avatars for the last week. Or why previous to that, we were getting tagged in fake apecoin profiles on Twitter. For hackers, timing is everything.
So, I laid out one of the most common ways you can have your valuable NFTs stolen - phishing But what if there was a way to prevent these sorts of attacks? And what if our wallets had security features to protect against these threats? What would that look like?
How better design in wallets can keep our NFTs safe - a proposal on “NFT locking”
We’ve established that a common attack vector for hackers is to create phishing websites and launch them around events that require you to verify ownership of your NFT (think of an NFT-gated merch sale). Their goal is to get you to connect your wallet and trick you into signing a "set approval for all" transaction (which costs gas), versus what real websites ask you to do: sign a gasless message.
This has tricked countless people, and millions of dollars worth of JPEGs have been stolen. But what if there was a way to prevent you from accidentally signing over permission to these hackers? What if our wallets had security features built in that protected us?
I have some thoughts on how @coinbase_wallet, @MetaMask and @rainbowdotme can address this. But let's be clear: nobody knew that ERC-721 tokens would be worth as much as they are today, so much so that MetaMask still doesn't have an interface to view NFTs. They need to catch up, and here's how they can catch up in a big way.
NFT locking
The idea is simple: let users "lock" specific NFTs. When an NFT is "locked", your wallet prevents you from granting new permissions for that specific NFT, specifically the "set approval for all" permission that hackers are always targeting.
Here's how this helps: when bad actors are trying to phish you and get your NFT, they need you to grant the "set approval for all" permission for your NFT. This gives their smart contract permission to swoop in and take your NFT.
But if you have your NFT "locked", then your wallet will automatically reject any new transactions asking for that permission.
Remember, when you're verifying ownership to access merch drops, legitimate websites never ask you to pay for a transaction, only to sign a message. A locked NFT would therefore still let you verify while stopping the bad actors at the same time. At the technical level, there's actually nothing special happening. Your NFT isn't really "locked" to your wallet on the blockchain. This is just a wallet-level security layer that refuses to sign new approvals for locked NFTs. If you're trying to sell an NFT on Opensea and need to set that permission, you can go ahead and unlock it (via password). Because we trust Opensea, we are comfortable giving them that permission; they need it to move your NFT when it sells.
Better design is crucial to help the NFT space mature
Almost every scam in the NFT space relies on tricking the user, and most of them use phishing websites to target that one specific permission on your NFT. With NFT locking, our wallets would actively protect us in the moments when our assets are most vulnerable.

It's clear that as this space grows and matures, we need better design decisions to address the challenges that come with a self-custody, ownership-focused world. This could be a step in the right direction, something sorely needed for NFTs and their users.

I would love to hear everyone's feedback and comments on this proposal. Share them below, and if you think this is worth the attention of @MetaMask, @CoinbaseWallet and @rainbowdotme, tag them on Twitter with this article! If this is a good solution, then with enough attention we can get crypto wallets to pay attention and make these changes. At worst, they can at least think of their own solutions. If security is important to you, share this with your circle. Let’s help build a better web3 world.
This article originally appeared as Twitter threads. Check them out below and follow me there for more writing.