NFT Heists: Are the recent attacks the first of many to come?
- on Aug 12, 2022
NFT heists are making headlines. Here’s how you can protect yourself, says Indre Viltrakyte, co-founder of The Rebels.
Phishing attacks are nothing new. Sometimes they are easy to spot, like when a message asks you to send your banking details to a prince in a distant foreign country. Sometimes they are harder to spot, like when a request to approve the release of your assets comes from a seemingly trustworthy source.
This is what happened in a recent NFT phishing theft. Users trusted a prompt that appeared on the Premint platform and, in doing so, agreed to let an unknown party control their assets.
On July 17, 2022, the popular NFT platform Premint NFT was hacked and 314 NFTs worth $430,000 were stolen. The attackers were able to plant malicious code on the official Premint website. The code prompted users to “set approval for all” when connecting their digital wallets to the site. This gave the attackers access to the users’ assets and allowed them to steal their NFTs.
The new world of NFTs – digital art collecting – could be subject to more phishing attacks.
NFT Heists: What’s Stolen?
Typically, when we hear the word NFT, we think of a unique, blockchain-connected digital image. The reality is more nuanced. When people talk about NFTs, ownership tracking and uniqueness are always emphasized, but nowhere in the NFT standard is it stated what a unique token represents. In essence, tokens are just unique numbers. It is the authors of an NFT collection who define what those tokens stand for.
Also, images are never “uploaded to the crypto wallet”, and they are not part of the NFT contract. A hash of the image can be written into the contract to create a link to the thing the NFT represents. Nor does the NFT standard concern itself with the value of NFTs or with buying and selling them; it only provides standard methods for transferring ownership. It is the marketplaces and the community that build on this and treat NFTs as commodities.
As commodities, NFTs are mostly purchased as collectibles, often for investment purposes. Practical use cases have only recently emerged; one example is digital fashion clothing in the Metaverse.
What can we do in the future?
Who is to blame? Is it the user? Or the platform, which allowed an attacker to initiate a fraudulent transaction?
In this particular case, the attackers were able to display content to trick the user into signing the fraudulent transaction.
A vague but plausible reason for the transaction, combined with trust in the website, was enough to fool many. It is unreasonable to expect the average Web3 user to see through it: most did not have a strong enough technical background to notice that the transaction was actually handing someone else control of their NFTs.
Users can be tricked into signing transactions whenever those transactions are initiated by a trusted website. The assets in a wallet are therefore only as safe as the least secure of ALL the decentralized applications (dapps) that wallet interacts with. Similar cases are likely to occur in the future.
Ways to improve security:
1. Wallets could display more human-readable information for known contract interaction types. For example, a huge red message saying, “Hey, you’re giving control of all your NFTs to someone!” would be much better than the current grey, all-caps “SET APPROVAL FOR ALL” in MetaMask’s transaction confirmation window.
2. Websites could list and publish the contract interactions they might initiate. Wallet providers like MetaMask could then refuse any transaction that is not on that list.
NFT Heists: How can users protect themselves?
– Check the transaction details before signing. This will not protect the user every time, but checking which method is being called on which contract is crucial.
– Separate NFTs (and other crypto assets) across multiple wallets. If a user is tricked into giving someone control of the assets in one wallet, at least the assets in the other wallets are safe. That only holds as long as you never share your private key or seed phrase.
– Use different wallets for different dapps. This is not always practical when a dapp is supposed to interact with other assets in the wallet, but try to keep only the assets the dapp actually needs in the wallet it uses.
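Both wallet-side suggestions above and the advice to check which method is being called on which contract come down to the same thing: reading the calldata a site asks you to sign. The following Python is an added example, not code from the article, Premint or MetaMask. It decodes the standard ERC-721 methods by their 4-byte selectors (the first four bytes of the keccak256 hash of each signature), renders the kind of plain-language warning suggested in point 1, and checks the call against a list of interactions the site has published, as in point 2. The contract and operator addresses and the site manifest are constructed placeholders.

```python
# Added example (not from the article or from Premint/MetaMask): decode raw EVM
# calldata for the ERC-721 methods a site can ask a wallet to sign, render a
# human-readable warning, and check the call against a published allow-list.
# Addresses and the manifest below are constructed placeholders.

# Function selectors are the first 4 bytes of keccak256(signature). These are the
# standard ERC-721 ones, e.g. keccak256("setApprovalForAll(address,bool)")[:4].
SELECTORS = {
    "a22cb465": ("setApprovalForAll", ("address", "bool")),
    "095ea7b3": ("approve", ("address", "uint256")),
    "23b872dd": ("transferFrom", ("address", "address", "uint256")),
    "42842e0e": ("safeTransferFrom", ("address", "address", "uint256")),
}


def _word(data: bytes, index: int) -> bytes:
    """Return the 32-byte ABI word at position `index` after the selector."""
    start = 4 + 32 * index
    word = data[start:start + 32]
    if len(word) != 32:
        raise ValueError("calldata truncated")
    return word


def decode_calldata(calldata_hex: str) -> dict:
    """Split calldata into method name and strictly decoded arguments."""
    if calldata_hex.startswith("0x"):
        calldata_hex = calldata_hex[2:]
    data = bytes.fromhex(calldata_hex)
    if len(data) < 4:
        raise ValueError("calldata shorter than a selector")
    selector = data[:4].hex()
    if selector not in SELECTORS:
        return {"method": None, "selector": selector, "args": []}
    name, types = SELECTORS[selector]
    args = []
    for i, typ in enumerate(types):
        word = _word(data, i)
        if typ == "address":
            # An address occupies the low 20 bytes; the 12 high bytes must be zero.
            if any(word[:12]):
                raise ValueError("non-zero padding in address word")
            args.append("0x" + word[12:].hex())
        elif typ == "bool":
            if word[:31] != bytes(31) or word[31] not in (0, 1):
                raise ValueError("malformed bool word")
            args.append(word[31] == 1)
        else:  # uint256
            args.append(int.from_bytes(word, "big"))
    return {"method": name, "selector": selector, "args": args}


def describe(contract: str, decoded: dict) -> str:
    """The line a wallet could show instead of a grey 'SET APPROVAL FOR ALL'."""
    method, args = decoded["method"], decoded["args"]
    if method == "setApprovalForAll" and args[1]:
        return (f"WARNING: you are giving {args[0]} control of ALL your tokens in "
                f"{contract}. It can move any of them later without asking you.")
    if method == "setApprovalForAll":
        return f"Revoking {args[0]}'s control over all your tokens in {contract}."
    if method == "approve":
        return f"Allowing {args[0]} to move token #{args[1]} from {contract}."
    if method in ("transferFrom", "safeTransferFrom"):
        return f"Moving token #{args[2]} in {contract} from {args[0]} to {args[1]}."
    return f"Unrecognised method {decoded['selector']} on {contract}; review before signing."


def allowed_by_manifest(manifest: dict, contract: str, decoded: dict) -> bool:
    """Point 2 above: the site publishes which (contract, method) pairs it will
    ever ask for, and the wallet refuses anything that is not listed."""
    return decoded["method"] in manifest.get(contract.lower(), set())


# --- constructed sample data (placeholders, not real addresses) -----------------
NFT_CONTRACT = "0x" + "22" * 20   # placeholder collection contract
OPERATOR = "0x" + "11" * 20       # placeholder operator the page would hand control to
# setApprovalForAll(OPERATOR, true): selector + padded address word + bool word
PHISH_CALLDATA = "0x" + "a22cb465" + "00" * 12 + "11" * 20 + "00" * 31 + "01"
# A raffle/allow-list site has no business touching the collection at all,
# so its published manifest lists no methods for this contract.
SITE_MANIFEST = {NFT_CONTRACT.lower(): set()}

if __name__ == "__main__":
    decoded = decode_calldata(PHISH_CALLDATA)
    print(describe(NFT_CONTRACT, decoded))
    print("allowed by site manifest:", allowed_by_manifest(SITE_MANIFEST, NFT_CONTRACT, decoded))
```

The decoder is deliberately strict: a non-zero byte in the padding of an address word or a bool word that is neither 0 nor 1 is rejected rather than silently accepted, because a confirmation screen that shows a tidy summary of malformed data is worse than one that refuses to summarise it.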
About the Author
Indre Viltrakyte is the co-founder of the Web3 fashion company The Rebels. Its collection contains 10101 unique characters based on the controversial “Jesus, Maria” advertising campaign. The campaign was banned but later vindicated by the European Court of Human Rights, which ruled in favor of the brand. The case is now considered a precedent in freedom-of-expression cases in the EU. Indrė Viltrakytė has more than 10 years of experience in the fashion industry.