WEB3 ANTI-FRAUD SECURITY KNOWLEDGE: NFT Phishing
0x01 Deploy contract + mint NFT
1.1 Platform
The contract is deployed on the Rinkeby testnet.
1.2 Main contract logic
The main contract code is as follows:
- The constructor defines the name and symbol of the NFT collection;
- safeMint mints one NFT to the target address and auto-increments the tokenId, so the next mint uses the following ID;
- _baseURI returns a fixed link that is prefixed to every tokenURI;
- tokenURI is the concatenation _baseURI + tokenId; the resulting link points at the MetaData;
- The MetaData holds the token information that NFT marketplaces need, such as the NFT description, trait attributes and image address.
In this example contract:
- Main contract name: MyNFT
- The NFT collection is named Doge and its symbol is DG
- _baseURI is ipfs://QmYjZ3Df23fqPyNXmMySEgKN5PkZa3f664G4uY1wuSfzSF/
- tokenURI is _baseURI + tokenId
Note: OpenSea reads the MetaData at the tokenURI of each token held by the account.
1.3 Uploading images to IPFS and linking tokenIds to MetaData
Using the https://www.pinata.cloud website, you can upload images to the IPFS network for free.
After uploading all the images, create a new local folder holding one index file per token: a plain text file whose name is the natural-number tokenId and whose content is that token's MetaData:
Note: The image link in the MetaData is the image address just uploaded to the IPFS network.
Then upload the whole folder to the IPFS network; its IPFS address becomes the return value of the contract's _baseURI function.
Two NFTs are minted with the account that deployed the contract; the transaction hashes are:
The minted NFTs then appear on OpenSea:
0x02 Phishing attack
The phishing page calls the contract's setApprovalForAll function through web3, but presents the call on the front end as a Mint button.
The sample code is written in Rust, uses the web3 crate from crates.io, is compiled to WASM and runs in the browser.
The page is built with the Yew framework: the wallet is connected when the page is created, and the Mint button's click event is bound to the phishing function.
You can refer to the Yew documentation, "Build a sample app | Yew".
0x03 trunk serve --release
This builds the project locally and serves the web page.
The phisher then posts the link in Telegram groups, on Twitter and elsewhere, claiming that the project is currently offering a free mint.
If the user clicks Confirm without checking what the transaction actually does, the approval is granted:
Once the approval transaction is mined, the contract's transaction list shows a Set Approval For All entry, and the transaction details show which address was approved as operator for the target account.
If the approved operator is the attacker's address, the corresponding From field is the victim's address. Looking up the victim's address gives the token IDs of all NFTs it holds:
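The two observations above, that the disguised Mint button really submits setApprovalForAll and that the approval leaves a Set Approval For All record in the contract's transactions, are exactly what a wallet pre-sign check and an incident responder should look for. The following Python is an added example, not code from the original article or the Rust/Yew sample it describes: it decodes a setApprovalForAll calldata and an ApprovalForAll receipt log offline, flags approvals granted to operators outside an allow-list, and runs on constructed sample data (the PHISHER, MARKETPLACE, VICTIM and NFT_CONTRACT addresses are hypothetical). The selector and event topic are the standard ERC-721 values.

```python
# Added example (not from the original article): offline decoding of the
# ERC-721 setApprovalForAll call that the phishing page hides behind a
# "Mint" button, and of the ApprovalForAll event it leaves in the logs.
# Useful for a wallet pre-sign check and for incident triage after the fact.

# Standard ERC-721 identifiers: the 4-byte selector of
# setApprovalForAll(address,bool) and the topic0 of
# ApprovalForAll(address indexed owner, address indexed operator, bool approved).
SET_APPROVAL_FOR_ALL_SELECTOR = "a22cb465"
APPROVAL_FOR_ALL_TOPIC = (
    "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"
)


def _strip_0x(h: str) -> str:
    return h[2:] if h[:2].lower() == "0x" else h


def _word_to_address(word: str) -> str:
    # An ABI-encoded address occupies the low 20 bytes of a 32-byte word.
    return "0x" + word[-40:].lower()


def decode_calldata(data: str):
    """Return operator/approved if `data` is a setApprovalForAll call,
    otherwise None (the call is some other function)."""
    h = _strip_0x(data).lower()
    if h[:8] != SET_APPROVAL_FOR_ALL_SELECTOR or len(h) < 8 + 64 * 2:
        return None
    operator = _word_to_address(h[8:72])
    approved = int(h[72:136], 16) != 0
    return {"function": "setApprovalForAll", "operator": operator, "approved": approved}


def is_dangerous_approval(data: str, trusted_operators) -> bool:
    """True when the transaction grants blanket operator rights to an address
    that is not on the user's allow-list (e.g. a known marketplace contract).
    A revocation (approved == false) is never flagged."""
    call = decode_calldata(data)
    if call is None or not call["approved"]:
        return False
    return call["operator"] not in {o.lower() for o in trusted_operators}


def decode_approval_for_all_log(log: dict):
    """Decode one receipt log (dict with 'address', 'topics', 'data' as hex
    strings, the shape eth_getLogs returns). Returns None for other events."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0].lower() != APPROVAL_FOR_ALL_TOPIC:
        return None
    return {
        "contract": log["address"].lower(),
        "owner": _word_to_address(_strip_0x(topics[1])),
        "operator": _word_to_address(_strip_0x(topics[2])),
        "approved": int(_strip_0x(log["data"]), 16) != 0,
    }


def find_suspicious_approvals(logs, trusted_operators):
    """Filter a batch of logs down to ApprovalForAll(..., true) events whose
    operator is not trusted: each hit names an owner (potential victim)."""
    trusted = {o.lower() for o in trusted_operators}
    hits = []
    for log in logs:
        ev = decode_approval_for_all_log(log)
        if ev and ev["approved"] and ev["operator"] not in trusted:
            hits.append(ev)
    return hits


# --- constructed sample data (hypothetical addresses, not from the article) ---
PHISHER = "0x1111111111111111111111111111111111111111"
MARKETPLACE = "0x2222222222222222222222222222222222222222"  # assumed-trusted operator
VICTIM = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
NFT_CONTRACT = "0xcccccccccccccccccccccccccccccccccccccccc"


def _addr_word(addr: str) -> str:
    # Left-pad a 20-byte address to a 32-byte ABI word (hex, no 0x).
    return _strip_0x(addr).lower().rjust(64, "0")


# Calldata the "Mint" button actually submits: setApprovalForAll(PHISHER, true).
SAMPLE_CALLDATA = "0x" + SET_APPROVAL_FOR_ALL_SELECTOR + _addr_word(PHISHER) + "1".rjust(64, "0")

SAMPLE_LOGS = [
    {   # the phishing approval
        "address": NFT_CONTRACT,
        "topics": [APPROVAL_FOR_ALL_TOPIC, "0x" + _addr_word(VICTIM), "0x" + _addr_word(PHISHER)],
        "data": "0x" + "1".rjust(64, "0"),
    },
    {   # a legitimate listing approval to the marketplace
        "address": NFT_CONTRACT,
        "topics": [APPROVAL_FOR_ALL_TOPIC, "0x" + _addr_word(VICTIM), "0x" + _addr_word(MARKETPLACE)],
        "data": "0x" + "1".rjust(64, "0"),
    },
    {   # unrelated event with a constructed topic; must be ignored
        "address": NFT_CONTRACT,
        "topics": ["0x" + "ab" * 32],
        "data": "0x",
    },
]

if __name__ == "__main__":
    print(decode_calldata(SAMPLE_CALLDATA))
    print("dangerous:", is_dangerous_approval(SAMPLE_CALLDATA, [MARKETPLACE]))
    for hit in find_suspicious_approvals(SAMPLE_LOGS, [MARKETPLACE]):
        print("owner", hit["owner"], "approved operator", hit["operator"])
```

The calldata path is what a wallet sees before the user clicks Confirm: anything that decodes to setApprovalForAll(operator, true) for an operator that is not a known marketplace deserves a warning regardless of what the page's button is labelled. The log path is the after-the-fact view: running find_suspicious_approvals over the contract's ApprovalForAll logs yields the owner addresses that granted the attacker operator rights, which is the list of accounts to alert.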
Transfer the victim’s NFT
The attacker uses the transfer function provided by the contract to move the chosen NFT. The transaction link is as follows:
Opening this page from another account now shows a Buy button: https://testnets.opensea.io/assets/rinkeby/0x8adf4a5029d409ef9610d647584b411b2bea0916/0