Are recent attacks the first of many to come?

NFT raves hit the news. Here you can protect yourself, says Indrė Viltrakytė, co-founder of The Rebels.

Phishing attacks are not new. Sometimes they are easy to spot. Like when the prompts come with a request to send your bank details to a prince from a faraway foreign land. But sometimes they are harder to spot. Like when a request to approve the release of your assets comes from a seemingly trustworthy source.

This is what happened recently in an NFT phishing theft case. Users trusted a scheme involving the Premint platform. Users agreed to a message to authorize an unknown entity to control their assets.

On July 17, 2022, a popular NFT platform, Premint NFT, was hacked. 314 NFTs worth $430,000 were stolen. Perpetrators were able to plant malicious code on Premint’s official website. The code instructed users to “set approvals for all” when linking their digital wallets to the site. This allowed the attackers to access crypto assets and steal their NFTs.

The new world of NFTs – digital art collecting – could be in line for more phishing attacks.

NFT robbery: What is stolen?

Usually when we hear the word NFT, we think of a digital image that is unique and connected to the blockchain. However, it is more elaborate than that. When talking about NFTs, ownership tracking and uniqueness are always emphasized. But nowhere in the NFT standard does it say what the unique tokens represent. At their essence, the tokens are just unique numbers. It is the authors of the NFT collection who define what these symbols represent.

Furthermore, images are usually never “uploaded to the crypto wallet.” They are not part of the NFT contract. A hash of the image can be written into the contract to create a connection with the thing that the NFT represents. NFT by default also does not worry about the value or the buying and selling operations of the NFTs. It only provides standard methods to transfer the NFT ownership. It is the marketplaces and society that build on top of that and treat the NFTs as commodities.

As commodities, NFTs are mostly purchased as collectibles, often used for investment purposes. They have developed practical use cases only recently. An example is digital wearables in Metaverse.

NFT robbery

What can be done in the future?

Who is to blame? Is it the user? Or the platform that allowed an attacker to initiate a fraudulent transaction?

In this particular case, the attackers were able to display content to trick the user into signing the fraudulent transaction.

A vague, plausible-sounding reason for the transaction combined with trust in the website was enough to fool many. That said, it’s unreasonable to expect the average Web3 user to crack it. Most people did not have a strong enough technical background to notice that the transaction actually provided some access to his or her NFTs.

It is possible to trick users into signing transactions if initiated by a trusted website. The assets in users’ wallets are only as safe as ALL the decentralized applications (dapps) that the user interacts with together. Identical cases are likely to occur in the future.

The ways in which safety can be improved:

1. Wallets can display more human-oriented information for known contract interaction types. For example, a big red message saying, “Hey, you’re giving someone control over all your NFTs!” It would be much better than the current “SET APPROVAL FOR ALL” in gray in MetaMask’s transaction confirmation window.

2. Sites can list and publish the contract interactions they can initiate. Providers like MetaMask can refuse all non-standard transactions.

NFT Heist: How Users Can Protect Themselves

– Review the transaction details before signing. This will not protect the user 100% of the time. But reviewing which method on which contract is crucial.

– Separate NFTs (and other crypto assets) into multiple wallets. If users are tricked into giving some control over their assets in one wallet, at least the assets in other wallets are safe. This is as long as you don’t share your private key or seed phrase.

– Use different wallets for different dapps. It is not always practical to do so when dapp is intended to interact with other assets in the wallet. However, it is important to try to only keep what is relevant.

About the author

Indrė Viltrakytė is co-founder of the Web3 fashion venture The Rebels. It has 10101 unique characters based on the controversial “Jesus, Mary” ad campaign. The campaign was banned, but later found justice in the European Court of Human Rights, which ruled in favor of the brand. The case is now held as a precedent in cases related to freedom of expression in the EU. Indrė Viltrakytė has 10+ years of experience in the fashion industry.

Do you have something to say about NFT robbery or something else? Write to us or join the discussion in our Telegram channel. You can also catch us on Tik Tok, Facebook or Twitter.

Disclaimer

All information on our website is published in good faith and for general information purposes only. Any action the reader takes on the information contained on our website is strictly at their own risk.

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *