New NFT wallet-draining exploit: the "degen" meta

lunaray
Coinmonks
4 min read · Jul 12, 2022

0x01 What is degen

Minting wallet — this is the wallet you use to mint NFTs, perform peer-to-peer swaps, or interact with any web3 applications that one might consider “degen”.

A new NFT attack has cost some users money: attackers create FOMO-bait "free degen mint" projects to trick you into granting them permission to transfer your NFTs out of your wallet. The attackers combine social engineering with the "degen meta" to gain access to users' NFTs.

0x02 Basic knowledge

Usually, they start with legitimate services like PREMINT, which makes it incredibly easy to collect a ton of wallet addresses for a presale, allowlist, giveaway, and more. PREMINT does not vet the projects that use its service; however, many people don't know this and think these raffles are "endorsed by PREMINT".

To make things worse, there is a feature that lets raffle creators set entry requirements like "must hold a Moonbirds NFT". This can be done without the consent of the project owner, so fake raffles can be created that appear to have been endorsed by that project.

So when it comes to minting in the "allowlist sale", you are minting with the wallet that probably still holds the high-value NFT that was required to enter the raffle in the first place. This is where your NFTs get stolen.

0x03 Attack process

  1. Hype up a free "degen mint" project, using legitimate tools such as PREMINT to get high-value wallets to participate.
  2. Create a website with malicious JavaScript that analyses your wallet to find your highest-value NFT.
  3. Wire the "mint" button so that, instead of generating a mint transaction, it generates a transaction that lets the scammers transfer out your NFTs.
  4. Repeat steps 1–3 using the same code but under a different "project".


0x04 More details

Deployment of malicious websites

Firstly, you can notice that they blatantly copied and pasted a ton of code from goblintown.wtf's website, which is already a red flag.

Secondly, if you look at the JavaScript on the page, there is a file called signupxx44777.js. This is where the exploit lies.

Once you connect your wallet, this code is actively running in your browser. It literally contains code that says "drain NFTs".

0x05 What it does:

  1. Scans through your address's contents.
  2. Uses OpenSea's API to determine your most expensive NFT.
  3. Identifies that NFT and looks up the smart contract it belongs to.
  4. Once you hit "mint", it generates a transaction that interacts with the contract of your most expensive NFT.

This tx grants the scammers permission to transfer out your NFT. It is a setApprovalForAll tx.

Note: here's what it looks like when you're asked to setApprovalForAll in MetaMask. If you ever see this function in your MetaMask popup, TRIPLE CHECK that you actually want to do this. If you're not interacting with a trusted marketplace, then you almost certainly don't want to do this.
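As an added example (not code from the original post or from the drainer), here is the kind of pre-signing check a wallet or browser extension can run on a transaction request: it decodes the calldata and flags a setApprovalForAll(operator, true) call to an operator you never deliberately approved, which is exactly what the fake "mint" button sends. The selectors are the first four bytes of keccak256 of the canonical ERC-721 signatures; every address below is a constructed placeholder.

```javascript
// Added example, not the original post's code. Decodes a transaction request's
// calldata before it is signed and rates it. All addresses are constructed placeholders.

const SELECTOR_SET_APPROVAL_FOR_ALL = "0xa22cb465"; // setApprovalForAll(address,bool)
const SELECTOR_APPROVE = "0x095ea7b3";              // approve(address,uint256)

// Constructed placeholder for an operator the user knowingly approved (e.g. a marketplace).
const TRUSTED_OPERATORS = new Set(["0x2222222222222222222222222222222222222222"]);

// Returns {fn, operator, ...} for the two ERC-721 approval functions, otherwise null.
function decodeApprovalCalldata(data) {
  const hex = String(data).toLowerCase();
  if (!/^0x[0-9a-f]*$/.test(hex) || hex.length < 10 || (hex.length - 10) % 64 !== 0) return null;
  const selector = hex.slice(0, 10);
  const words = hex.slice(10).match(/.{64}/g) || []; // 32-byte ABI words after the selector
  if (words.length !== 2) return null;
  const operator = "0x" + words[0].slice(24); // an address is the low 20 bytes of its word
  if (selector === SELECTOR_SET_APPROVAL_FOR_ALL) {
    return { fn: "setApprovalForAll", operator, approved: BigInt("0x" + words[1]) !== 0n };
  }
  if (selector === SELECTOR_APPROVE) {
    return { fn: "approve", operator, tokenId: BigInt("0x" + words[1]) };
  }
  return null;
}

// Rates a transaction request {to, value, data} the way a pre-signing wallet check would.
function assessTransactionRequest(tx, trustedOperators = TRUSTED_OPERATORS) {
  const decoded = decodeApprovalCalldata(tx.data || "0x");
  if (!decoded) return { risk: "none", reason: "no approval call in calldata" };
  if (decoded.fn === "setApprovalForAll" && !decoded.approved) {
    return { risk: "none", reason: "revokes an operator approval", decoded };
  }
  if (trustedOperators.has(decoded.operator)) {
    return { risk: "low", reason: "approval to a known operator", decoded };
  }
  if (decoded.fn === "setApprovalForAll") {
    return { risk: "high", reason: `grants ${decoded.operator} transfer rights over every token you own in ${tx.to}`, decoded };
  }
  return { risk: "medium", reason: `grants ${decoded.operator} transfer rights over token ${decoded.tokenId} in ${tx.to}`, decoded };
}

// Constructed sample of what the drainer sends when the victim clicks "mint": a zero-value
// call to the victim's own collection contract rather than to any mint contract.
const SCAMMER_OPERATOR = "0x1111111111111111111111111111111111111111";
const VICTIM_COLLECTION = "0x3333333333333333333333333333333333333333";
const SAMPLE_DRAIN_TX = {
  to: VICTIM_COLLECTION,
  value: "0x0",
  data: SELECTOR_SET_APPROVAL_FOR_ALL + SCAMMER_OPERATOR.slice(2).padStart(64, "0") + "1".padStart(64, "0"),
};
```

A real mint is a call to the project's own (usually brand-new) contract, so a "free mint" whose `to` is the collection you already hold is itself a warning sign, independent of the calldata.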

If you want to know more about how to avoid giving approval to malicious actors, please check the previous article:

https://medium.com/coinmonks/did-you-set-approval-for-all-be848dff6be5

So while you think you just executed a typical free mint transaction, you actually granted a scammer permission to transfer your super expensive NFT out of your wallet. Sadly.

0x06 To summarize, the exploit works as follows:

  1. Create hype around a free degen mint project, using legit tools like PREMINT to get high-value wallets to participate.
  2. Create a website with malicious JavaScript that analyzes your wallet to find your highest-value NFTs.
  3. Wire the fake "mint" button so that, rather than generating a mint transaction, it creates a malicious one that grants a scammer access to transfer out your NFT.
  4. Repeat steps 1–3 with the same code but under a different "project".

In the end, if you think you've been impacted by one of these scams, make sure to revoke access to all of your high-value NFTs through https://revoke.cash, or transfer them out ASAP to a hardware wallet.

Ref: https://twitter.com/Montana_Wong/status/1545081928017031168

Lunaray takes a leading position in smart contract auditing and consulting service for blockchain security.