New NFT wallet-draining exploit: degen meta
0x01 What is degen
Minting wallet — this is the wallet you use to mint NFTs, perform peer-to-peer swaps, or interact with any web3 applications that one might consider “degen”.
A new NFT attack has cost some users money: attackers create FOMO bait in the form of free “degen” mint projects to trick you into granting them permission to transfer your NFTs out of your wallet. The attackers used social engineering and the “degen meta” to gain access to users’ NFTs.
0x02 Basic knowledge
Usually, they start by using legitimate services like PREMINT, which makes it incredibly easy to collect a ton of wallet addresses to use for a presale, access list, giveaway, and more. PREMINT does not do any vetting of the projects that use its service; however, many people don’t know this and think these raffles are “endorsed by PREMINT”.
To make things worse, there is a feature that allows raffle creators to set requirements like “must hold a Moonbirds NFT” in order to enter. This can be done without the consent of the project owner, so fake raffles can be made that seem to have been endorsed by them.
So when it comes to minting in the “allowlist sale”, you are minting with the wallet that probably still holds the high-value NFT that was required to participate in the raffle in the first place. This is where your NFTs get stolen.
0x03 Attack process
1. Hype up a free degen mint project.
2. Use legitimate tools such as PREMINT to get high-value wallets to participate.
3. Fake mint button: instead of actually generating a mint transaction, it creates a malicious one that allows scammers to transfer your NFTs.
4. Repeat steps 1–3 using the same code but under a different “project”.
0x04 More details
Deployment of malicious websites
Firstly, you can see that they blatantly copied and pasted a ton of code from goblintownwrf’s website, which is already a red flag.
Once you connect your wallet, this code is actively running in your browser. Literally, code that says “drain NFTs” in it.
0x05 What it does is:
- Scans through your address’s contents
- Uses OpenSea’s API to determine your most expensive NFT
- Identifies your most expensive NFT and finds the smart contract info for it
- Once you hit “mint”, generates a transaction that interacts with the contract of your most expensive NFT
This tx grants the scammers access to transfer out your NFT. It is called the setApprovalForAll tx.
Note: here’s what it looks like when you’re asked to setApprovalForAll on MetaMask. If you ever see this function in your MetaMask popup, TRIPLE CHECK that you actually want to do this. If you’re not interacting with a trusted marketplace, then you almost certainly don’t want to do this.
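The check from the note above, written out as an added example that is not part of the original post: it decodes the calldata a site asks your wallet to sign and warns when it is a setApprovalForAll grant to an operator you do not already trust. The function name `inspectCalldata`, the `TRUSTED_OPERATORS` allowlist and all addresses are hypothetical, constructed values.

```javascript
// Added example (not from the original post): flag setApprovalForAll requests.
// Selector = first 4 bytes of keccak256("setApprovalForAll(address,bool)").
const SET_APPROVAL_FOR_ALL = "a22cb465";

// Hypothetical allowlist of operators the user already trusts.
// The address is a constructed placeholder, not a real marketplace.
const TRUSTED_OPERATORS = new Set(["0x" + "11".repeat(20)]);

function inspectCalldata(data, trusted = TRUSTED_OPERATORS) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{8,}$/.test(hex)) return { kind: "unknown", warn: false };
  if (hex.slice(0, 8) !== SET_APPROVAL_FOR_ALL) return { kind: "other", warn: false };

  const args = hex.slice(8);
  // Two ABI words are expected: operator (address) and approved (bool).
  if (args.length < 128) {
    return { kind: "setApprovalForAll", warn: true, reason: "truncated arguments" };
  }
  const operator = "0x" + args.slice(24, 64); // low 20 bytes of word 0
  const approved = BigInt("0x" + args.slice(64, 128)) !== 0n;
  if (!approved) {
    return { kind: "setApprovalForAll", operator, approved, warn: false,
             reason: "revokes an operator" };
  }
  const known = trusted.has(operator);
  return {
    kind: "setApprovalForAll", operator, approved, warn: !known,
    reason: known ? "operator is on the allowlist"
                  : "grants an unknown operator control of every token in this collection",
  };
}

// Constructed sample requests (placeholder addresses and selector).
const word = (h) => h.replace(/^0x/, "").padStart(64, "0");
const unknownOperator = "0x" + "ab".repeat(20);
const fakeMint = "0x" + SET_APPROVAL_FOR_ALL + word(unknownOperator) + word("1");
const revoke = "0x" + SET_APPROVAL_FOR_ALL + word(unknownOperator) + word("0");
const otherCall = "0x" + "deadbeef" + word("1"); // stands for any non-approval call

for (const [label, data] of [["fake mint", fakeMint], ["revoke", revoke], ["other", otherCall]]) {
  console.log(label, inspectCalldata(data));
}
```

A “mint” button whose calldata decodes to `warn: true` here is asking for an approval, not a mint.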
If you want to know more about how to avoid giving approval to malicious actors, please check the previous article.
So, sadly, while you think you just executed a typical free mint transaction, you actually granted permission for your super expensive NFT to be transferred out of your wallet by a scammer.
0x06 To summarize, the exploit works as follows:
1. Create hype around a free degen mint project
2. Use legit tools like PREMINT to get high-value wallets to participate
3. Fake mint button that, rather than actually generating a mint transaction, creates a malicious one that grants access for a scammer to transfer out your NFT
4. Repeat steps 1–3 with the same code but under a different “project”
Finally, if you think you’ve been impacted by one of these scams, make sure to revoke access to all of your high-value NFTs through https://revoke.cash or transfer them out ASAP to a hardware wallet.