The NFT hacker’s new technique introduces new functionality to the Blur market
A hacker known as “Pink Drainer” has discovered a method to enable private sales on Blur, a platform that does not normally offer this feature.
This revelation, which was first shared by Twitter user Quit, has the potential to significantly change the dynamics of the NFT market.
Blur, an NFT marketplace, traditionally does not offer private listings. Any user can fulfill any entry created on the platform. However, Pink Drainer has found a way to buy items for almost zero Ether (ETH) on Blur. This is achieved by making unique use of the royalty system.
Usually, if a scammer tricks a victim into making a Blur listing for the minimum amount of ETH, arbitrage bots will beat the scammer to the purchase. These bots are willing to pay most of the value of the NFT in fees to block validators, thus securing the purchase for themselves. This situation is not ideal for phishing hackers like Pink Drainer.
To counter this, scammers have been known to phish signatures to list items above the minimum price, with their own address set as the royalty recipient with 100% royalty. However, Pink Drainer has taken this concept a step further.
Pink Drainer sets a royalty receiver with 100% royalty, but instead of setting the receiver to themselves, they set it to a contract. This contract reverts in any transaction where Pink Drainer is not the originator.
As a result, even if the NFT is publicly listed for almost zero ETH, no one can fulfill it except the hacker. If someone else tries, the royalty payment reverts, causing the entire transaction to revert. This effectively makes it a private listing on the Blur NFT market.
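An added example (not from the article or from Blur) of a pre-signing check that a wallet or monitoring tool could run over a listing signature request to flag the two patterns described above. The field names, the basis-point fee unit, the 1% near-zero threshold and all addresses are assumptions; the set of contract addresses would come from an `eth_getCode` lookup.

```python
from dataclasses import dataclass, field

FULL_RATE_BPS = 10_000  # 100% in basis points (assumed fee unit)

@dataclass
class Fee:
    rate_bps: int
    recipient: str

@dataclass
class ListingRequest:  # hypothetical shape of a listing about to be signed
    price_wei: int
    floor_wei: int     # collection floor price, supplied by the caller
    fees: list = field(default_factory=list)

def classify(req, contract_addrs, dust_percent=1):
    """Return warning labels for a listing signature request."""
    contract_addrs = {a.lower() for a in contract_addrs}
    findings = []
    # Listing priced at (almost) nothing compared with the floor.
    if req.price_wei * 100 <= req.floor_wei * dust_percent:
        findings.append("price-near-zero")
    paid = [f for f in req.fees if f.rate_bps > 0]
    # Fees or royalties that consume the whole sale price.
    if sum(f.rate_bps for f in paid) >= FULL_RATE_BPS:
        findings.append("fees-take-full-price")
        # A contract recipient can revert the payment and so decide
        # who is able to fill the listing.
        if any(f.recipient.lower() in contract_addrs for f in paid):
            findings.append("fee-recipient-is-contract")
    return findings

# Constructed sample data: placeholder addresses, not real accounts.
EOA = "0x" + "aa" * 20
GATE = "0x" + "bb" * 20
KNOWN_CONTRACTS = {GATE}
ETH = 10**18

NORMAL = ListingRequest(2 * ETH, 2 * ETH, [Fee(50, EOA)])
FULL_ROYALTY = ListingRequest(3 * ETH, 2 * ETH, [Fee(10_000, EOA)])
GATED = ListingRequest(1, 2 * ETH, [Fee(10_000, GATE)])

if __name__ == "__main__":
    for name in ("NORMAL", "FULL_ROYALTY", "GATED"):
        print(name, classify(globals()[name], KNOWN_CONTRACTS))
```

A contract fee recipient is only flagged together with a 100% fee, because ordinary royalty recipients can also be contracts.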
As explained by Quit, this technique could potentially be used by others to create legitimate private listings on Blur. It may even inspire the development of a front end that simplifies this process. Despite the illegal origins of this technique, it can contribute positively to the NFT space by introducing a new Blur feature that was previously unavailable.