

Something you need to know to avoid getting scammed

99% of users don’t understand what happens behind the scenes when they interact with Ethereum, and that leaves them vulnerable to attack. This is the master thread for newcomers, so this article is made for you: something you need to know to avoid getting scammed, and to minimize the damage when you do. Let’s dive into the details.

A wallet is a common term for something that holds your private keys, typically backed up with a seed phrase. It’s important to note that your wallet doesn’t actually store any crypto, the blockchain does. Your private keys allow you to prove ownership of an address.

A seed phrase is a set of words that represent a collection of private keys. If compromised, *all* addresses derived from that seed phrase are irrevocably compromised as well. Keep this safe and offline.

Your private key is used to sign transactions of all types. If compromised, the attacker has complete, irrevocable control over that address. All other addresses are still safe, even if derived from the same seed phrase.

Hardware wallets keep your private keys safe from compromise by storing them in a secure element that is never exposed to the internet. Transactions are created in MetaMask (or your wallet of choice) and handed over to the hardware device, where you must physically sign them. Then the transaction, now signed with a private key, is submitted back to the network.

A signature is a message that is signed with your private key. There are several types, each with different implications.

To make any changes to the blockchain, you must submit your signature alongside a gas payment. This is necessary for any transfers, approvals, claims etc. These will ALWAYS cost gas.

Message signatures (signed off-chain, without a transaction) do *not* make any state changes, so they are harmless except in cases where they utilize existing approvals, e.g. tricking you into submitting a valid OpenSea listing signature, which would look like this. If it’s plain English, then it is safe to sign.

This is a very dangerous signature type, basically the “blank check” of Ethereum. The requester can use it to sign any transaction with your private key. The good news is that MetaMask shows a big red warning if it is ever requested.
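The three request kinds above, as a small triage function added here (not code from the article): it labels a wallet JSON-RPC signing request the way a careful wallet UI should, decoding a `personal_sign` message to check it is readable text and flagging `eth_sign` over raw bytes. Parameter order follows MetaMask’s conventions, and the addresses and market name in the samples are constructed.

```python
import json

STATE_CHANGE = "transaction: changes state and costs gas"
PLAIN_TEXT = "message: plain text, no state change on its own"
TYPED_DATA = "typed data: no gas, but check which domain and contract it is for"
OPAQUE = "WARNING: unreadable bytes, refuse unless you know exactly what they are"
BLANK_CHECK = "DANGER: eth_sign over raw bytes, the blank check, refuse"


def _message_text(param):
    """personal_sign messages are usually hex-encoded UTF-8; some dapps pass the string directly."""
    try:
        raw = bytes.fromhex(param[2:] if param.startswith("0x") else param)
    except ValueError:
        return param                      # not hex, so it already is the text
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None                       # hex that is not text: a hash or binary blob
    return text if text.replace("\n", "").isprintable() else None


def describe_signing_request(method, params):
    """One-line verdict for a wallet JSON-RPC signing request, as a careful wallet UI would word it."""
    if method == "eth_sendTransaction":
        tx = params[0]
        wei = int(tx.get("value", "0x0"), 16)
        return f"{STATE_CHANGE}; to={tx.get('to')} value={wei} wei"
    if method == "eth_sign":
        return BLANK_CHECK                # the requester chooses the bytes; could be a tx hash
    if method == "personal_sign":         # assumed MetaMask order: [message, address]
        text = _message_text(params[0])
        return f"{PLAIN_TEXT}: {text!r}" if text is not None else OPAQUE
    if method == "eth_signTypedData_v4":  # assumed MetaMask order: [address, typed data JSON]
        data = json.loads(params[1])
        dom = data.get("domain", {})
        return f"{TYPED_DATA}; {data.get('primaryType')} for {dom.get('name')} at {dom.get('verifyingContract')}"
    return f"unknown method {method}: refuse"


# Constructed sample requests; the addresses and the market name are made up, not real ones.
SAMPLES = [
    ("eth_sendTransaction", [{"to": "0xMARKET", "value": "0xde0b6b3a7640000"}]),
    ("personal_sign", ["0x" + "Welcome to ExampleMarket, nonce 42".encode().hex(), "0xME"]),
    ("eth_signTypedData_v4", ["0xME", json.dumps({"domain": {"name": "ExampleMarket",
        "verifyingContract": "0xMARKET"}, "primaryType": "Listing", "message": {"tokenId": 1234}})]),
    ("eth_sign", ["0xME", "0x" + "11" * 32]),
]


def triage(requests=SAMPLES):
    return [describe_signing_request(m, p) for m, p in requests]
```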

Nobody else can spend your ETH. You *must* send it. There are no approvals for ETH like there are for NFTs or tokens. WETH exists for this very reason, and serves to enable ETH to behave like an ERC20. This will be important later.


All NFTs are just a mapping of tokenIDs to addresses. When thinking about ownership, it’s helpful to know that *only the asset contract can change that mapping*. Let’s take a look at how that mapping is changed.

This is the ERC721 implementation of `_transfer`. All 721s inherit this; any transfer call eventually drills down to this function. At a basic level it does 3 things:

- Clears approvals from the previous owner
- Updates the balances
- Updates the mapping for the tokenID

This is also pulled from the ERC721 standard. It adds a check to ensure that msg.sender is either approved or the token holder. Most 721s implement this as the ONLY way to change a token’s ownership.

A malicious contract can’t steal your ape. If you mint from a contract and it in turn calls `transferFrom` on the Bored Ape contract, msg.sender becomes the malicious contract. It would fail, as it is not the owner (you are) and it is not approved.

See below screenshots about `mint`, `transferFrom`, and `isApprovedForAll`.

A malicious site requests approval

Malicious contracts can’t steal NFTs, but malicious websites can call `bayc.setApprovalForAll` instead of `degenMint.publicMint`. If you’re asked to set approval and you’re not expecting to, it’s a scam.

Scammers set up a trade, but request to use a new site. Once you set approval, it steals your NFTs. Bookmark OpenSea, LooksRare, x2y2, nfttrader, and sudoswap. You should never need any others.

Scammers will claim there is a new exploit, and direct you to revoke approvals ASAP. They link a fake site for revoking approvals, which instead approves their address to steal your NFTs. Bookmark

This can happen from any of the same sources as the approval. It’s slightly less severe because there’s no residual damage. No approvals are set, and no private key is exposed. Double-check your transactions before signing.

The goal here is to extract your private key. Use a hardware wallet. Don’t open unknown files or bookmark unknown websites. If something gets downloaded that you weren’t expecting, delete it.


Check etherscan. Did your address initiate the transfer? The FIRST image shows a transfer initiated by the token holder, and the SECOND image shows a transfer initiated by the attacker. It’s important to know the implications.

If the attacker is moving assets through approvals, revoke those at

It’s important to know that is a fantastic tool for projects, but they are NOT a stamp of approval. Any project can set up a premint page, regardless of whether or not they’re a rug, scam, or some other bamboozle.

Note that revoking approvals calls the same function as setting them: `setApprovalForAll`. The function requires an operator (the address that you’re giving permission to), and a boolean (true or false). When granting approvals, this boolean is true. When removing them, false.
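A Python model, added here and not the article’s or OpenZeppelin’s code, of the ERC721 path described earlier (`_transfer` doing its three steps, `transferFrom` checking that msg.sender is owner or approved) and of the grant/revoke note just above (`setApprovalForAll` with true, then false). It replays the cases from the text: a malicious mint contract calling `transferFrom`, a victim tricked into approving, and the revocation; all addresses are constructed placeholders.

```python
class ERC721Model:
    """Added model of ERC721 ownership/approval state; not OpenZeppelin's code."""

    def __init__(self):
        self.owners = {}              # tokenId -> owner address
        self.balances = {}            # address -> token count
        self.token_approvals = {}     # tokenId -> operator approved for that one token
        self.operator_approvals = {}  # (owner, operator) -> bool, set by setApprovalForAll

    def mint(self, to, token_id):
        self.owners[token_id] = to
        self.balances[to] = self.balances.get(to, 0) + 1

    def set_approval_for_all(self, msg_sender, operator, approved):
        # Granting and revoking are the SAME function; only the boolean differs.
        self.operator_approvals[(msg_sender, operator)] = approved

    def _is_approved_or_owner(self, spender, token_id):
        owner = self.owners[token_id]
        return (spender == owner or self.token_approvals.get(token_id) == spender
                or self.operator_approvals.get((owner, spender), False))

    def _transfer(self, from_addr, to, token_id):
        self.token_approvals.pop(token_id, None)           # 1. clear approvals from the previous owner
        self.balances[from_addr] -= 1                       # 2. update balances
        self.balances[to] = self.balances.get(to, 0) + 1
        self.owners[token_id] = to                          # 3. update the tokenId -> owner mapping

    def transfer_from(self, msg_sender, from_addr, to, token_id):
        # msg.sender is whoever CALLS the contract: your wallet, or another contract.
        if not self._is_approved_or_owner(msg_sender, token_id):
            raise PermissionError("ERC721: caller is not token owner nor approved")
        self._transfer(from_addr, to, token_id)


def scenario():
    # Replays the article's cases with constructed addresses; returns what each step did.
    bayc = ERC721Model()
    victim, scammer, degen_mint = "0xVICTIM", "0xSCAMMER", "0xDEGENMINT"  # constructed, not real
    bayc.mint(victim, 1234)
    out = {}
    try:  # 1. a malicious mint contract calls transferFrom: msg.sender is the contract, not you
        bayc.transfer_from(degen_mint, victim, scammer, 1234)
        out["contract_steals"] = True
    except PermissionError:
        out["contract_steals"] = False
    bayc.set_approval_for_all(victim, scammer, True)    # 2. tricked into approving on a fake site
    out["scammer_can_move"] = bayc._is_approved_or_owner(scammer, 1234)
    bayc.set_approval_for_all(victim, scammer, False)   # 3. revoke: same call, boolean false
    out["after_revoke"] = bayc._is_approved_or_owner(scammer, 1234)
    return out
```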

There are two possibilities. Either you were tricked into doing it, or somebody has your private key. If it’s the former, no further action is needed. If it’s the latter, hang in there; I will mention it later.

Transfer anything and everything that you can out of your address, and then never use it again. Usually, if your private key is leaked, there will be a sweeper attached to the address. Don’t send anything in; it will immediately be extracted.

Buy a hardware wallet. Private key leaks are the single most devastating attack you can suffer (aside from having your seed phrase stolen), and hardware wallets protect from it. Get one, and store your seed phrase offline and in a safe place.

Finally, here is the cliché advice we mention frequently :)

- Don’t click links
- Turn off your DMs
- Assume everybody is out to scam you and most importantly…


Stay tuned for the extended parts on some of these points.




Lunaray takes a leading position in smart contract auditing and consulting services for blockchain security.