Thread
🧵Exploring the latest NFT scam 🧵
"I got an NFT airdrop from an unknown collection into my wallet with a 1 WETH offer. What's going on? Is it safe to accept?"
"I got an NFT airdrop from an unknown collection into my wallet with a 1 WETH offer. What's going on? Is it safe to accept?"
tl;dr - these are scams and you will not profit from interacting with them.
But let's understand how they work!
But let's understand how they work!
The way that OpenSea works is through "approvals" to transfer your NFTs or your WETH. An approval is a special smart contract function you call directly on the token contract
It says, "token contract, please give this marketplace contract permission to spend my money or jpegs"
It says, "token contract, please give this marketplace contract permission to spend my money or jpegs"
This is dangerous! But only in one direction. If the marketplace is malicious, it can steal your money/jpegs. But if the money/jpegs are malicious, they *cannot* steal your marketplace.
A poorly designed marketplace might have a vulnerability that lets one approved collection steal another approved collection. This is why it's critical to only use robust, well-tested sites.
Exploit example from old Wyvern contracts used by OS
Exploit example from old Wyvern contracts used by OS
So you can only approve an external contract to spend your money/jpegs by making a call to the money/jpegs contract
Not by making a call to the external contract
Not by making a call to the external contract
This is why it is theoretically "safe" to interact with a malicious contract, as long as your transactions are going directly to the malicious contract and you're not sending any raw ETH to payable functions*
* don't try this at home
* don't try this at home
The danger, of course, happens when people think they are interacting with an external contract but are actually interacting with their money/jpegs contract.
A website might say, "click here to animate your ape" but the wallet transaction will say "SET APPROVAL FOR ALL"
A website might say, "click here to animate your ape" but the wallet transaction will say "SET APPROVAL FOR ALL"
This is where people sign away their life savings in an emotional state that's some combo of drunken/high/sleepy/fomo.
So, what's the gameplan with these fake NFT offers if hackers can't get control of your wallet or assets?
There are several plans of attack used by malicious actors
There are several plans of attack used by malicious actors
1) When you approve the OS marketplace contract to spend your NFT and then try to accept the offer, the offer acceptance reverts. The error message contains a URL, and if you go to that site it tries to make you sign a malicious transaction
2) The NFT is a proxy contract that can be swapped out for different implementation logic later.
Here is an address that receives dust from 260 separate addresses that each created one proxy contract pretending to be a unique collection.
etherscan.io/address/0x2d1a138f2cb7962d5a270d0c07ea9ea4b59348a5
Here is an address that receives dust from 260 separate addresses that each created one proxy contract pretending to be a unique collection.
etherscan.io/address/0x2d1a138f2cb7962d5a270d0c07ea9ea4b59348a5
These bad actors have a low hit rate, so for gas optimization they will use a single implementation contract with the heavy NFT code logic and deploy many lightweight proxies which appear to be independent collections.
More on the proxy pattern here 0xfoobar.substack.com/p/smart-contract-upgradeability?s=w
More on the proxy pattern here 0xfoobar.substack.com/p/smart-contract-upgradeability?s=w
Some believe that the recent NFT proxy deployer has developed secret functionality that lets him steal all your NFTs if you call approve on the proxy.
For reasons outlined above, this seems completely false.
For reasons outlined above, this seems completely false.
Gas optimization is the most likely hypothesis for proxy usage.
The OpenSea frontend is rather locked down in terms of what it functions it calls on a collection, so most fake WETH offers are simply a lure to take you to a phishing site.
The OpenSea frontend is rather locked down in terms of what it functions it calls on a collection, so most fake WETH offers are simply a lure to take you to a phishing site.
TL;DR - fake WETH offers will let you approve the collection for sale, but revert when you try to accept the offer. This is both a waste of gas, and then revert messages on Etherscan lure you to phishing sites.
Stay safe out there!
Stay safe out there!
There is one rare active vulnerability noticed by @0xQuit. If you hold $RUNE in your wallet it can be stolen with a mere approval function.
Shocking that @THORChain hasn't been patched yet, the vulnerability has been widely known for 9 months now.
Shocking that @THORChain hasn't been patched yet, the vulnerability has been widely known for 9 months now.
@0xQuit @THORChain Here's a tx link from two days ago where a user approved the fake "Lucky Unicorns" NFT collection but lost all their RUNE in the process.
ethtx.info/mainnet/0x68d89a92a7e8cf388aa491544c79c6f0afb1de6735dbbf8b1dff2828cd1e6f77/
ethtx.info/mainnet/0x68d89a92a7e8cf388aa491544c79c6f0afb1de6735dbbf8b1dff2828cd1e6f77/
@0xQuit @THORChain This happens because the RUNE contracts check tx.origin rather than msg.sender when looking at approvals. So any smart contract you interact with can forward along calls and pretend they are you. Extremely basic failure case. Don't use Thorchain, you'll get rekt.
Mentions
See All
riddles.eth @ethernaz
·
Jun 11, 2022
goat thread. I respect great threads