3 things to stay away from on mint / claim websites!

WiiMee.eth
5 min read · Nov 12, 2022


Hey there, here are 3 bullets you need to dodge when visiting mint / claim websites in web3. Following them will help you avoid getting your funds / assets stolen while minting NFTs.

Before we start with what to look out for, here’s the #1 rule you should follow when minting in web3.

Rule#1: Always use a burner wallet address!
This is such a simple rule, yet many people don’t follow it.
A burner wallet address is created solely for high-risk activity in web3: mints, giveaways etc.
This address should only hold a minimum of funds and no NFTs etc. That way, if something happens to your burner wallet address’s funds — it’s not the end of the world for you.

To set up an extra burner wallet address, click on the colored ball inside your MetaMask wallet and choose “Create account”.
Give that new (sub-)account a name — and click create.
This will add a new wallet address alongside your existing accounts.
From now on, always use this burner address when connecting to mint websites.

Creating a new burner address inside MetaMask

Know: Connecting to a website is safe!
Just connecting your wallet to a website can’t do any harm to you and your holdings.

From now on: Always choose your burner address when connecting to mint websites!

Make sure you choose your freshly created burner address when interacting with unknown websites. If you can, avoid visiting unknown websites at all — learn how to mint from a smart contract here.

As you can read below, connecting your wallet gives the website the ability to see your address, your account balance and your activity, and to suggest transactions to you. Bad actors rely on those suggestions — but they can’t force you to accept anything.

Wallet connect

You’ve connected your wallet to the mint website.
If it’s a legit mint or claim, you should expect a transaction calling the contract’s mint or claim function to pop up in MetaMask, for which you will pay a gas fee.

A transaction that is calling the Mint function of a contract

Now if everyone in web3 had good intentions, and there was no danger out there, this Medium page wouldn’t exist.
If you end up on a malicious website, they will try to trick you into signing one of these three requests, each of which can steal funds / assets from you.
These three types of signature / transaction request should NOT be expected on a minting / claiming website.

Set Approval For All
Signing this gives the approved operator full control over every token you hold in the collection you’re giving permission for.
Approvals are granted per wallet address, collection, operator (OpenSea, LooksRare etc.) and blockchain.

MetaMask gives you a pretty big red warning about the risk that comes with signing a Set Approval For All.

Note: Remember, this should NOT show up on a mint website. A Set Approval For All is mostly given to official Marketplaces to transfer your assets on your behalf if a sale happens.

Set Approval For All on Lazy Lions collection
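The warning MetaMask shows is the last line of defence; the calldata itself is what tells you a transaction is a Set Approval For All. The following is an added example, not code from the original post: a small Node.js check that decodes the `setApprovalForAll(address,bool)` calldata of a pending transaction, reports which operator would be granted control over which collection, and rates it against a list of operators the user actually trusts. The contract and wallet addresses in the sample are constructed placeholders; the list of trusted operators is an assumption the reader fills in.

```javascript
// Added example, not code from the original post: decode and rate a
// setApprovalForAll(address,bool) transaction before it is signed.
// Pure Node.js, no dependencies.

// 4-byte function selector of setApprovalForAll(address,bool) (ERC-721 / ERC-1155).
const SET_APPROVAL_FOR_ALL = "0xa22cb465";

// ABI layout: selector (4 bytes) + operator (32-byte word) + approved (32-byte word).
// Returns { operator, approved } or null when the calldata is something else.
function decodeSetApprovalForAll(data) {
  const hex = (data || "0x").toLowerCase();
  if (!hex.startsWith(SET_APPROVAL_FOR_ALL) || hex.length < 10 + 64 * 2) return null;
  const operatorWord = hex.slice(10, 74);
  const approvedWord = hex.slice(74, 138);
  return {
    operator: "0x" + operatorWord.slice(24), // address is right-aligned in the word
    approved: BigInt("0x" + approvedWord) !== 0n,
  };
}

// `tx` mirrors the eth_sendTransaction params object ({ from, to, data, value }).
// `trustedOperators` is a list the user maintains (assumption): marketplace
// contracts they knowingly use. On a mint site even those should not appear.
function triageTransaction(tx, trustedOperators = []) {
  const decoded = decodeSetApprovalForAll(tx.data);
  if (!decoded) {
    return { risk: "info", reason: "not a setApprovalForAll call; inspect the function normally" };
  }
  if (!decoded.approved) {
    return { risk: "low", reason: `revokes operator ${decoded.operator} on ${tx.to}`, ...decoded };
  }
  const trusted = trustedOperators.map((a) => a.toLowerCase()).includes(decoded.operator);
  return {
    risk: trusted ? "medium" : "high",
    reason: trusted
      ? `grants a known marketplace full control over every token in ${tx.to}`
      : `grants UNKNOWN operator ${decoded.operator} full control over every token in ${tx.to}`,
    ...decoded,
  };
}

// Constructed sample: a mint site asks the burner wallet to approve an unknown operator.
const COLLECTION = "0x1111111111111111111111111111111111111111";      // constructed
const UNKNOWN_OPERATOR = "0x2222222222222222222222222222222222222222"; // constructed
const sampleTx = {
  from: "0x3333333333333333333333333333333333333333", // constructed burner address
  to: COLLECTION,
  data: SET_APPROVAL_FOR_ALL
    + UNKNOWN_OPERATOR.slice(2).padStart(64, "0") // operator word
    + "1".padStart(64, "0"),                      // approved = true
  value: "0x0",
};

console.log(triageTransaction(sampleTx));
```

The check keys only on the selector and the two arguments, so it works for any ERC-721 or ERC-1155 collection; a legitimate mint transaction carries a different selector and falls through to the "info" branch.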

ETH_SIGN
ETH_SIGN is a pretty ugly request, and some people argue that wallet providers like MetaMask and Frame.sh should block it, because the functionality is outdated.

The problem with ETH_SIGN? You can’t see what it will do. The signature data is encoded, which makes it impossible to read.
See the message starting with 0x879..?

Try to work out what this will do if signed. It could be anything. For example:
- Sending ETH
- Set Approval For All for your Doodles
- An OpenSea listing of your CoolCats and so on.

ETH_SIGN also comes along with a pretty big red warning.

ETH_SIGN request

The OpenSea listing signature exploit aka The Monkey Drainer
A lot has been said about this exploit, but it still needs to reach people, because this is the ugliest form of the three request types.

The so-called monkey drainer checks a wallet address for pre-approved collections on OpenSea, and then prompts the user with a listing signature request to the Seaport contract.

This has also been done with the Wyvern Exchange contract (the old OpenSea protocol). If you still have open approvals to the old OpenSea contract — please consider removing them.

The listing includes EVERY collection that is approved to OpenSea on the address. This also includes ERC20 tokens like ApeCoin, WETH or stablecoins like USDC if approved to OpenSea. See where this goes?

If you’re operating with one single wallet address (SPOILER ALERT: this is bad practice and should be avoided at all costs!) and sell / trade your assets with the same wallet address, you might have many open approvals to OpenSea.

The attacker creates a listing signature request — that signs away EVERY approved collection to the Seaport contract in a private sale to them for 0 ETH. That’s why it’s the most dangerous signature request you could face.

If you see a request to the Seaport / Wyvern contract that is NOT coming from opensea.io as the origin URL, be SUPER cautious.

NOTE: THIS DOES NOT REQUIRE A GAS FEE, AS THE ASSETS ARE PRE-APPROVED.

It does NOT come with any type of warning, since it COULD be a legit listing.

Seaport listing request — CHECK origin URL! In this case, it’s the localhost
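Since neither ETH_SIGN nor a Seaport listing request triggers a wallet warning you can rely on, the checks have to be done on the request itself. The following is an added example, not code from the original post or from OpenSea: a Node.js triage routine for the signature requests the two sections above describe. It rejects `eth_sign` outright because the payload carries no readable intent, and for an `eth_signTypedData_v4` request whose typed data is a Seaport `OrderComponents` order it checks the origin URL against the marketplace hosts the user expects, counts how many assets the `offer` bundles together, and sums the `consideration` to see whether the listing sells everything for nothing. Assumptions: the request object carries an `origin` field with the requesting page (as MetaMask displays it), the user lists only on opensea.io, and every address and the order fields in the samples are constructed placeholders trimmed to what the check reads; the Wyvern order format is not handled.

```javascript
// Added example, not code from the original post: triage a wallet signature
// request before approving it. Covers eth_sign (opaque data) and a Seaport
// listing sent via eth_signTypedData_v4. Pure Node.js, no dependencies.

// Seaport ItemType values as they appear in OrderComponents.
const ITEM_TYPE = {
  0: "NATIVE", 1: "ERC20", 2: "ERC721", 3: "ERC1155",
  4: "ERC721_WITH_CRITERIA", 5: "ERC1155_WITH_CRITERIA",
};

// Hosts a Seaport listing request is expected from. Assumption: the user only
// lists on OpenSea; add other Seaport front-ends you actually use.
const EXPECTED_LISTING_HOSTS = ["opensea.io"];

// True when the origin's hostname is an allowed host or a subdomain of one.
function hostMatches(origin, allowed) {
  let host;
  try { host = new URL(origin).hostname; } catch { return false; }
  return allowed.some((h) => host === h || host.endsWith("." + h));
}

// Inspect the OrderComponents message of a Seaport listing.
function inspectSeaportListing(message, origin) {
  const findings = [];
  if (!hostMatches(origin, EXPECTED_LISTING_HOSTS)) {
    findings.push(`listing requested from ${origin}, not a marketplace you use`);
  }
  // Every offer item leaves your wallet if the order fills.
  const offered = (message.offer || []).map(
    (i) => `${ITEM_TYPE[i.itemType] || i.itemType}:${i.token}`);
  if (offered.length > 1) {
    findings.push(`offer bundles ${offered.length} items: ${offered.join(", ")}`);
  }
  // Consideration is what comes back; a zero total means a giveaway.
  const proceeds = (message.consideration || [])
    .reduce((sum, c) => sum + BigInt(c.startAmount), 0n);
  if (proceeds === 0n) {
    findings.push("consideration totals 0: offered items would be sold for nothing");
  }
  return { risk: findings.length > 0 ? "high" : "info", findings };
}

// `req` mirrors the JSON-RPC request a wallet receives ({ method, params }),
// plus an `origin` field (assumption) naming the page that sent it.
function triageSignatureRequest(req) {
  switch (req.method) {
    case "eth_sign":
      // Raw data signing: nothing in the payload tells you what it authorises.
      return { risk: "high", findings: [`eth_sign over opaque data ${req.params[1].slice(0, 10)}...`] };
    case "eth_signTypedData_v4": {
      const typed = JSON.parse(req.params[1]);
      if (typed.domain && typed.domain.name === "Seaport" && typed.primaryType === "OrderComponents") {
        return inspectSeaportListing(typed.message, req.origin);
      }
      return { risk: "info", findings: [`typed data for ${typed.domain && typed.domain.name}; read every field`] };
    }
    default:
      return { risk: "info", findings: [`${req.method}: read the message before signing`] };
  }
}

// Constructed samples. All addresses are placeholders, not real contracts.
const VICTIM = "0x3333333333333333333333333333333333333333";
const ZERO = "0x0000000000000000000000000000000000000000";
function seaportRequest(origin, offer, priceWei) {
  const typed = {
    domain: { name: "Seaport", version: "1.1", chainId: 1,
              verifyingContract: "0x5555555555555555555555555555555555555555" },
    primaryType: "OrderComponents",
    // Trimmed to the fields this check reads; a real order carries more.
    message: { offerer: VICTIM, offer, consideration: [
      { itemType: 0, token: ZERO, identifierOrCriteria: "0",
        startAmount: priceWei, endAmount: priceWei, recipient: VICTIM }] },
  };
  return { method: "eth_signTypedData_v4", params: [VICTIM, JSON.stringify(typed)], origin };
}
const nft = (token) => ({ itemType: 2, token, identifierOrCriteria: "1", startAmount: "1", endAmount: "1" });
const erc20 = (token) => ({ itemType: 1, token, identifierOrCriteria: "0",
  startAmount: "1000000000000000000", endAmount: "1000000000000000000" });

// Drainer pattern: served from localhost, bundles every approved asset, price 0.
const drainerRequest = seaportRequest("http://localhost:3000",
  [nft("0x6666666666666666666666666666666666666666"), nft("0x7777777777777777777777777777777777777777"),
   erc20("0x8888888888888888888888888888888888888888")], "0");
// Ordinary listing: one NFT for 1 ETH, requested from opensea.io.
const legitRequest = seaportRequest("https://opensea.io",
  [nft("0x6666666666666666666666666666666666666666")], "1000000000000000000");
const ethSignRequest = { method: "eth_sign", params: [VICTIM, "0x" + "ab".repeat(32)], origin: "http://localhost:3000" };

console.log(triageSignatureRequest(drainerRequest));
console.log(triageSignatureRequest(legitRequest));
console.log(triageSignatureRequest(ethSignRequest));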

That’s it! If you follow these simple steps, you shouldn’t get drained while minting / claiming an NFT again.

If in doubt, always check back with your community members! Stay safe!

Original source (Twitter video + 🧵)
https://twitter.com/Wii_Mee/status/1550260489166503940
https://twitter.com/Wii_Mee/status/1543706775374991361

--

--

WiiMee.eth

Content to keep your web3 wallet and assets safe! | Follow me on Twitter @wii_mee and on YouTube @wiimee