Jul 21, 2022
Something you need to know to avoid getting scammed
0x01 warm-up
99% of users don’t understand the behind-the-scenes when interacting with Ethereum, and that leaves them vulnerable to attack. This is the master thread for newcomers alike, so this article is made for you -something you need to know to avoid getting scammed and minimize damage when you do.so let's dive into more details.
0x02 More details
wallet
A wallet is a common term for something that holds your private keys, typically backed up with a seed phrase. It’s important to note that your wallet doesn’t actually store any crypto, the blockchain does. Your private keys allow you to prove ownership of an address.
SEED PHRASE
A seed phrase is a set of words that represent a collection of private keys. If compromised, *all* addresses derived from that seed phrase are irrevocably compromised as well. Keep this safe and offline.
PRIVATE KEY
Your private key is used to sign transactions of all types. If compromised, the attacker has complete, irrevocable control over that address. All other addresses are still safe, even if derived from the same seed phrase.
HARDWARE WALLET
Hardware wallets keep your private keys safe from compromise by storing them in a secure element that is never exposed to the internet.Transactions are created in metamask (or your wallet of choice) and handed over to the hardware device where you must physically sign them. Then the transaction, now signed with a private key, is submitted back to the network.
SIGNATURES
A signature is a message that is signed with your private key. There are several types, each with different implications.
To make any changes to the blockchain, you must submit your signature alongside a gas payment. This is necessary for any transfers, approvals, claims etc. These will ALWAYS cost gas.
GASLESS SIGNATURES
These do *not* make any state changes, so are harmless except for cases where they utilize existing approvals. e.g. tricking you into submitting a valid OpenSea listing signature, which would look like this. If it’s plain english, then it is safe to sign.
ETH_SIGN
This is a very dangerous signature type, basically the “blank check” of ethereum. The requester can use it sign any transaction with your private key. The good news is that metamask shows a big red warning if it is is ever requested.
ETH TRANSFERS
Nobody else can spend your ETH. You *must* send it. There are no approvals for ETH like there are for NFTs or tokens. WETH exists for this very reason, and serves to enable ETH to behave like an ERC20. This will be important later.
New to trading? Try crypto trading bots or copy trading
ERC721/1155 OWNERSHIP
All NFTs are just a mapping of tokenIDs to addresses. When thinking about ownership, it’s helpful to know that *only the asset contract can change that mapping*. Let’s take a look at how that mapping is changed
`_transfer`
This is the ERC721 implementation of `_transfer`. All 721s inherit this, any transfer calls eventually drill down to this function. At a basic level it does 3 things: — Clears approvals from the previous owner — Updates the balances — Updates mapping for tokenID
`_transferFrom`
This is also pulled from the ERC721 standard. It adds a check to ensure that msg.sender is either approved or the token holder. Most 721s implement this as the ONLY way to change a token’s ownership.
A malicious contract can’t steal your ape. If you mint from a contract and it in turn calls `transferFrom` on the bored ape contract, msg.sender becomes the malicious contract. It would fail as it is not the owner (you are), and it is not approved.
See below screenshots about `mint`, `transferFrom`, and `isApprovedForAll`.
A MALICIOUS SITE REQUESTS APPROVAL Malicious contracts can’t steal NFTs, but malicious websites can call `bayc.setApprovalForAll` instead of `degenMint.publicMint`. If you’re asked to set approval and you’re not expecting to, it’s a scam.
FAKE P2P TRADING SITES
Scammers set up a trade, but request to use a new site. Once you setApproval, it steals your NFTs. Bookmark Opensea, Looksrare, x2y2, nfttrader, and sudoswap. You should never need any others.
FAKE REVOKE SITES
Scammers will claim there is a new exploit, and direct you to revoke approvals ASAP. They link a fake site for revoking approvals, which instead approves their address to steal your NFTs. Bookmark http://revoke.cash.
A MALICIOUS SITE REQUESTS AN ETH/NFT TRANSFER
This can happen from any of the same sources as the approval. It’s slightly less severe because there’s no residual damage. No approvals are set, and no private key is exposed. Double-check your transactions before signing.
A MALICIOUS SITE DOWNLOADS MALWARE TO YOUR DEVICE
The goal here is to extract your private key. Use a hardware wallet. Don’t open unknown files or bookmark unknown websites. If something gets downloaded that you weren’t expecting, delete it.
IF YOU’VE BEEN COMPROMISED, WHAT NOW?
- LOST NFTS
Check etherscan. Did your address initiate the transfer? The FIRST image shows a transfer initiated by the token holder, and the SECOND image shows a transfer initiated by the attacker. It’s important to know the implications.
TRANSFERS INITIATED BY ATTACKER’S ADDRESS
If the attacker is moving assets through approvals. Revoke those at http://revoke.cash
it’s important to know that http://premint.xyz is a fantastic tool for projects, but they are NOT a stamp of approval. Any project can set up a premint page, regardless of whether or not they’re a rug, scam, or some other bamboozle.
Note that revoking approvals calls the same function as setting them: `setApprovalForAll`. The function requires an operator (the address that you’re giving permission to), and a boolean (true or false). When granting approvals, this boolean is true. When removing them, false.
TRANSFERS INITIATED BY YOUR ADDRESS
There are two possibilities. Either you were tricked into doing it, or somebody has your private key. If it’s the former, no further action is needed. If it’s the latter,hang in there I will mention it later.
AN ATTACKER HAS MY PRIVATE KEY
Transfer anything and everything that you can out of your address, and then never use it again. Usually, if your Private Key is leaked, there will be a sweeper attached to the address. Don’t send anything in, it will be immediately be extracted.
Buy a hardware wallet. Private key leaks are the single most devastating attack you can suffer (aside from having your seed phrase stolen), and hardware wallets protect from it. Get one, and store your seed phrase offline and in a safe place.
Cliché advice
Finally here is cliché advice we mentions frequently :)
- Don’t click links
— Turn off your DMs
— Assume everybody is out to scam you and most importantly…
— DON’T BE FIRST
Stay tuned for the extension parts for some points
