Did you set approval for all?

lunaray
Coinmonks
4 min read · Jul 1, 2022


0x01 preview

Recently I've been seeing NFT scams going crazy, so you might ask: how are NFTs stolen from your wallet, how can you avoid unknowingly signing malicious transactions, and what exactly is setApprovalForAll?

0x02 Opensea approval

Approving someone gives them the right to transfer the NFTs in your collection. Once you approve, that person can walk in and carry off your refrigerator and TV at will, as if they had the key to your door. When you list an item on Opensea, you are effectively approving Opensea's marketplace contract to transfer your NFT to others: when someone buys it, Opensea transfers your NFT to the buyer and the buyer's money to you. Opensea is a legitimate platform, but a phishing site asks for exactly the same approval, and if you are hooked by one you will cry in your bed.

0x03 EIP-721

NFTs by default can only be transferred by their owners. However, there are two methods in the EIP-721 (NFT) standard that allow someone else to transfer your token(s): approve() and setApprovalForAll().

  • Every ERC-721 compliant contract must implement the ERC721 and ERC165 interfaces
  • A wallet/broker/auction application MUST implement the wallet interface if it will accept safe transfers.
  • The metadata extension is OPTIONAL for ERC-721 smart contracts. This allows your smart contract to be interrogated for its name and for details about the assets which your NFTs represent.
  • The enumeration extension is OPTIONAL for ERC-721 smart contracts. This allows your contract to publish its full list of NFTs and make them discoverable.

0x04 Free mint

When you click the "free mint" button on such a website, the wallet pops up a transaction request, and the method in that request is setApprovalForAll, not mint. If you click OK at this point, your NFTs in that collection can be transferred by someone else: the "free mint" button is simply bound to a click handler that sends a setApprovalForAll transaction.

The approve() function grants a third party the ability to transfer a single token id. setApprovalForAll() grants a third party (the "operator") the ability to transfer all of the tokens you own in a given collection, now and in the future, until you revoke it. Both approvals are stored per collection contract, so an approval on one collection does not affect another.

Marketplaces such as Opensea use this very transaction so that any of your NFTs in a collection can be sold. This is fine when you are dealing with a trusted site, but very dangerous when you give the approval to a malicious site (for example, a phishing website).


If you grant approval to an undesirable third party, they can transfer out any NFT you own in the collection you approved. Scammers look for the most expensive NFTs you own and then trick you into granting approval for that specific collection, with their own address as the operator.

0x05 So how do you avoid giving approval to a malicious website?

  1. Do not fall for the hacked-Discord/Twitter-mint scam. Whenever a project's Discord or Twitter is compromised, the attackers post some sort of link to mint from. If the account belongs to a prominent project (Nouns, BAYC, etc.), it is very unlikely they would do a stealth drop.
  2. If you are minting an NFT, try to mint directly from the contract. This is especially true for free mints where you know very little about the project team. Mint from websites only for reputable projects whose teams are known to be legitimate.
  3. Sometimes you have to mint from the website (because a signature is required). In these cases, make sure you are not signing a transaction that calls setApprovalForAll or approve. There is almost no scenario in which an approval should be needed for a mint. Also, USE A BURNER WALLET.
  4. If you accidentally gave an approval you shouldn't have, you are probably out of luck. In the off chance your NFTs haven't been stolen yet, you can use revoke.cash to clear approvals. If you see an approval granted to anything that is not a marketplace, click revoke.
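The check in step 3 (and the revoke in step 4) can be done mechanically: the `data` field of the transaction your wallet shows you starts with a 4-byte function selector, and the two approval calls from 0x04 have well-known selectors (0xa22cb465 for setApprovalForAll(address,bool), 0x095ea7b3 for approve(address,uint256)). The script below is an added example written for this article, not code from the original post or from any wallet; it decodes the calldata, refuses approvals to operators that are not on your marketplace allow-list, and builds the setApprovalForAll(operator, false) calldata that a revoke sends. The scammer address and the calldata are constructed placeholders, and the allow-list is a hypothetical parameter you would fill with the marketplace contracts you actually use.

```python
from typing import Optional, Set

# Standard ERC-721/ERC-20 function selectors: first 4 bytes of keccak256(signature).
SELECTORS = {
    "a22cb465": "setApprovalForAll(address,bool)",
    "095ea7b3": "approve(address,uint256)",
}

# Constructed placeholder operator address; not a real account.
SCAMMER = "0x" + "11" * 20

# Constructed calldata a phishing "free mint" button might submit:
# setApprovalForAll(SCAMMER, true). ABI args are 32-byte words after the selector.
PHISHING_MINT_CALLDATA = (
    "0xa22cb465"
    + "00" * 12 + "11" * 20   # operator, left-padded to 32 bytes
    + "00" * 31 + "01"        # approved = true
)

# Constructed calldata for a genuine mint(): selector 0x1249c58b, no arguments.
REAL_MINT_CALLDATA = "0x1249c58b"


def _hex_to_bytes(value: str) -> bytes:
    return bytes.fromhex(value[2:] if value.startswith("0x") else value)


def _word(data: bytes, index: int) -> bytes:
    """Return the index-th 32-byte ABI word following the 4-byte selector."""
    start = 4 + 32 * index
    word = data[start:start + 32]
    if len(word) != 32:
        raise ValueError("calldata too short for argument %d" % index)
    return word


def decode_approval(calldata: str) -> Optional[dict]:
    """Decode the call if it is an ERC-721 approval; return None for anything else."""
    data = _hex_to_bytes(calldata)
    if len(data) < 4:
        return None
    signature = SELECTORS.get(data[:4].hex())
    if signature is None:
        return None
    # An address occupies the low 20 bytes of its 32-byte word.
    operator = "0x" + _word(data, 0)[12:].hex()
    if signature.startswith("setApprovalForAll"):
        approved = int.from_bytes(_word(data, 1), "big") != 0
        return {"function": signature, "operator": operator, "approved": approved}
    token_id = int.from_bytes(_word(data, 1), "big")
    return {"function": signature, "operator": operator, "token_id": token_id}


def is_safe_to_sign(calldata: str, trusted_operators: Set[str]) -> bool:
    """A mint never needs an approval; only allow approvals to known marketplaces."""
    found = decode_approval(calldata)
    if found is None:
        return True   # not an approval call at all
    if found["function"].startswith("setApprovalForAll") and not found["approved"]:
        return True   # revoking an operator is always fine
    trusted = {addr.lower() for addr in trusted_operators}
    return found["operator"].lower() in trusted


def revoke_calldata(operator: str) -> str:
    """Encode setApprovalForAll(operator, false), the transaction a revoke sends."""
    addr = _hex_to_bytes(operator)
    if len(addr) != 20:
        raise ValueError("operator must be a 20-byte address")
    return (
        "0xa22cb465"
        + addr.rjust(32, b"\x00").hex()
        + (0).to_bytes(32, "big").hex()
    )


if __name__ == "__main__":
    marketplaces = set()  # hypothetical allow-list: fill with marketplace contracts you trust
    for label, calldata in (("phishing", PHISHING_MINT_CALLDATA), ("mint", REAL_MINT_CALLDATA)):
        print(label, decode_approval(calldata), "safe:", is_safe_to_sign(calldata, marketplaces))
    print("revoke:", revoke_calldata(SCAMMER))
```

The decoder only looks at the selector and the ABI-encoded arguments, so it works on any collection contract; what it cannot tell you is whether the `to` address of the transaction is really the collection you think it is, so check that field too.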

Summary: approvals should almost always be limited to marketplaces. Don't mint from suspicious websites, and if you do, make sure setApprovalForAll is not being called. I have seen a lot of scam cases built on setApprovalForAll, and I'll keep posting as long as scams happen.

ref: https://twitter.com/cygaar_dev/status/1541832743448887296

lunaray

Lunaray takes a leading position in smart contract auditing and consulting services for blockchain security.