NFT security

Family Connection NFT
Feb 20, 2022


The security problems in the NFT area are increasing. There are more and more attacks that discredit the entire NFT world.

Since most of the information is spread across various Twitter accounts and tweets, I’ve summarized it here — including links to the original articles.

I’ll first give a short overview of the most important points and then a list with links to the sources I know.
If you
- know more sources
- are one of the authors and don’t want to be listed
- have further information and want it to be listed here,
please send me a dm on Twitter (@FamConnNFT).
If you have questions, suggestions or other points, please also contact me directly on Twitter or comment on the tweet where I share this article.

Please share this article everywhere on Twitter, use it in your Discord server or wherever else, to prevent damage to people in our NFT space.

This is not set in stone, let the community continue to grow the article.

Brief overview of the most important points

Passwords

  • Don’t reuse your passwords and keep them safe (on paper; some people like to use a password manager in the cloud)
  • Change your passwords regularly
  • Use two-factor authentication (2FA) wherever it is possible

Wallet

  • Never give your wallet seed phrase to anybody, no matter who. Never save it online; always write it down and put it somewhere safe where it cannot be destroyed. Don’t take pictures of it, don’t write it in a password manager
  • Disconnect from connected sites, e.g. in MetaMask click on the three dots on the right side of your account and open “Connected sites”
  • Use different accounts for different purposes, DON’T use one account for everything, e.g. do it with 3 wallet layers as PPMan describes it in his tweet.
  • Use a hardware wallet (e.g. from Ledger), and buy only from the official site (no eBay, no Google search result, only https://www.ledger.com/)

E-mail

  • Double or triple check when you are prompted for a transaction
  • Use several e-mails for several purposes
  • When you get an e-mail, look at the sender address: can the domain be correct? E.g. “support@open-sea-support.com” — I don’t think so. In Gmail you find it next to the sender name, as in the screenshot below (“an mich” means “to me”; the domain shown there is the official one of OpenSea):
  • When you get an e-mail, hover over the links (DON’T click on them) and look where they point to. Do they point to a domain which looks official? Search for it. On this screenshot you can see how (look at the domain, it’s the official one of OpenSea):

Social engineering

  • Most likely passwords are stolen because you made a mistake: either you don’t know your way around well enough or you fell for social engineering.
  • The NFT world is, of course, also about contacts and building communities. Without contacts, no sales. Scammers take advantage of that. They try to gain your trust to somehow get to you. Of course you should not distrust everyone and assume malicious intentions, but you should also not become reckless or be persuaded because of built-up trust (to a person you do not know in real life).
  • If someone writes me a dm with links included and the profile seems odd, I don’t click on the links.
    But there are also cases where trust was built up over weeks, also by “infiltrating” a person into an existing project team.
    So approach the matter with common sense. There are many different types of social engineering.

Discord

Deactivate direct messages! Deactivate direct messages! Deactivate direct messages!

  • Most projects tell you the same in their FAQ or rules channel. A project will never contact you with a DM; the only exception in my experience is the registration process (but not every project will do it like that).
  • Look at the sentence below the deactivation setting — the setting will not be applied to existing servers!
  • You are a founder, project manager, administrator or moderator? Then please make sure that each team member knows their area of responsibility, help each team member with questions (there are no stupid questions) and pay attention to the assignment of roles and rights. Check the webhooks — don’t forget.
  • Your project got scammed? Get a professional company to review your Discord server (not someone you don’t know or who writes to you in Discord or on Twitter; using a company is safer), double-check everything they did (why not — it’s your project) and always inform all your followers immediately on all channels to avoid more damage to them. Be transparent. If it’s possible, pay them their lost money back. After the mint of your project it should be possible.
  • Look closely at known Discord bots to see if they are verified. If not, do not use them. They can redirect you to fake pages to steal from you.
  • Pay attention to where Discord links take you. Is it really the destination you expected?

Minting

  • If you want to mint, only use the official sites. You’ll find them in Discord, on Twitter (most have a Linktree), and perhaps in other social media channels like Reddit, TikTok or LinkedIn. Please double-check that you are on the correct site: compare the domain part of the URL with the official URLs (e.g. example.com is official, so mint.example.com is OK but mint-example.com is not. mint.example.com is a subdomain of example.com, but mint-example.com is a completely different domain). If it’s not the same, then it’s a scam!
  • Disconnect after minting.
  • Use your wallet strategy (3 layers) to secure your minted NFTs.
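The domain rule above, together with the sender and link checks from the E-mail section, as a small checker. This is an added example, not code from the original article; the list of official domains is an assumption. It compares the hostname a browser would actually connect to, so it also rejects look-alikes such as example.com.evil.com, which the article does not mention.

```python
from urllib.parse import urlsplit

# Assumed list of official domains; take these from a project's own published links.
OFFICIAL_DOMAINS = ("example.com", "opensea.io")


def host_of(url: str) -> str:
    """Return the hostname a browser would really connect to for this link."""
    if "://" not in url:
        url = "https://" + url            # bare links like "mint-example.com/claim"
    host = urlsplit(url).hostname or ""   # drops user@, :port, path and query parts
    return host.lower().rstrip(".")       # "EXAMPLE.COM." is the same as "example.com"


def belongs_to(host: str, official: str) -> bool:
    """True only for the official domain itself or a real subdomain of it.

    mint.example.com      -> True  (subdomain of example.com)
    mint-example.com      -> False (different registered domain)
    example.com.evil.com  -> False (example.com is only a prefix, evil.com is the owner)
    """
    official = official.lower()
    return host == official or host.endswith("." + official)


def is_official_link(url: str, official_domains=OFFICIAL_DOMAINS) -> bool:
    """Check a link from an e-mail, DM or mint page against the official domains."""
    host = host_of(url)
    return any(belongs_to(host, d) for d in official_domains)


def is_official_sender(address: str, official_domains=OFFICIAL_DOMAINS) -> bool:
    """Check the domain part of a sender address such as support@open-sea-support.com."""
    if "@" not in address:
        return False
    domain = address.rstrip(">").rsplit("@", 1)[-1].lower().rstrip(".")
    return any(belongs_to(domain, d) for d in official_domains)


if __name__ == "__main__":
    # Constructed sample links and sender addresses for a quick check
    for link in ("https://mint.example.com/claim", "https://mint-example.com/claim",
                 "https://example.com.evil.com/mint", "https://example.com@evil.com/mint"):
        print(f"{link:45} official={is_official_link(link)}")
    for sender in ("support@open-sea-support.com", "OpenSea <support@opensea.io>"):
        print(f"{sender:45} official={is_official_sender(sender)}")
```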

How to see if a project is a scam

  • There are several ways to tell whether a project is a scam. Please look at the links below.

Twitter

Yes, even on Twitter you can get scammed. There are a lot of scams impersonating big profiles; I saw it several times. They contact you with a DM and the name of the profile differs a little bit from the original. Always have a look at the name and look into that profile. If the number of followers is too low, then it is a scam.

Further links and references

Please read these tweets and articles to prevent damage to others, yourself or your project. Give them a like and a follow to appreciate their work.

General

FamConnNFT: Social Engineering

Asherath.eth: Security Time

W3nzel.eth: Master thread on Crypto/Web3 Security

Maaria.eth: https://twitter.com/maariabajwa/status/1504432492987572228

OhhShiny: The OhhShiny Show ep. 105 with PPMan and NFTherder

PPMan: List of common scams in the NFT space

richerd.eth ᵍᵐ (マ,マ): step-by-step guide beginner to advanced crypto and NFT security concepts

richerd.eth ᵍᵐ (マ,マ): On Securing your NFTs

0xNfqts: Web3 / Blockchain Beginners Guide (website)

Tips for safely minting NFTs

MoisheMedia: Cyber security

Discord

Jon_HQ: Discord security thread

Jon_HQ: Discord security quiz

Tim Cotton: https://blog.cotten.io/the-150k-discord-crypto-hack-b3dde6698072

Jenkins the Valet: https://jenkinsthevalet.medium.com/our-discord-was-hacked-heres-how-we-re-dealing-with-it-c3b8e7a3c21

wilxlee: discord hack guide: founders edition

CKongee: Discord hack and social engineering and Crypto Best Security Practices (doc written together with SquidNFT)

OpenSea

NadavAHollander (CTO of OpenSea): technical run-down of the phishing attacks targeting OpenSea users, including some web3 technical education

Wallet

punk6529: infos about wallets and more

PPMan: 3 layer wallet strategy

Is a project a scam?

Coinbound / TySmith.ETH: Podcast Ep57: the most common NFT scams & how to avoid them

wilxlee: Red flags in nft projects
