How to avoid NFT Phishing Hacks — Bored Ape Yacht

Introduction

On April 25, 2022 Bored Ape Yacht Club’s official Instagram account was hacked. A hacker stole 91 NFTs from users who connected their wallets to receive the fake airdrop.

Method 1 — Using Approve Directly

Approve

Both the token interface and the NFT interface have an Approve function. It grants another wallet an allowance to spend or use your NFT. Once you have given an approval, the approved address can transfer the NFT you own on your behalf.

The Attack

Usually in this method the phishing site asks you to grant the attacker’s wallet permission to access your NFT.
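To make the consequence of an approval concrete, here is an added example (not code from the original post or from Solid Group): a minimal in-memory model of the ERC-721 approval rules. It reproduces the standard semantics of approve, setApprovalForAll and transferFrom, then plays out the scenario from this method: after a single approve the approved address can move that one token, after setApprovalForAll it can move every token in the collection, and revoking the operator approval closes that door again. The addresses are constructed placeholders and nothing touches a network.

```javascript
// Added example: in-memory model of ERC-721 approval semantics (not a real contract).
// Addresses below are constructed placeholders, not real accounts.

class Erc721Model {
  constructor() {
    this.owners = new Map();         // tokenId -> owner address
    this.tokenApprovals = new Map(); // tokenId -> single approved address
    this.operators = new Map();      // owner -> Set of operator addresses
  }

  mint(to, tokenId) { this.owners.set(tokenId, to); }

  ownerOf(tokenId) {
    const owner = this.owners.get(tokenId);
    if (owner === undefined) throw new Error("invalid token ID");
    return owner;
  }

  // approve(to, tokenId): the owner (or one of its operators) grants one address
  // the right to move exactly this token.
  approve(caller, to, tokenId) {
    const owner = this.ownerOf(tokenId);
    if (caller !== owner && !this.isApprovedForAll(owner, caller)) {
      throw new Error("approve caller is not token owner or approved for all");
    }
    this.tokenApprovals.set(tokenId, to);
  }

  // setApprovalForAll(operator, approved): one call covers every token the caller
  // owns in this collection, now and in the future, until it is revoked.
  setApprovalForAll(caller, operator, approved) {
    if (caller === operator) throw new Error("approve to caller");
    if (!this.operators.has(caller)) this.operators.set(caller, new Set());
    const set = this.operators.get(caller);
    if (approved) set.add(operator); else set.delete(operator);
  }

  isApprovedForAll(owner, operator) {
    const set = this.operators.get(owner);
    return set !== undefined && set.has(operator);
  }

  // The check every transfer goes through: owner, per-token approvee, or operator.
  isApprovedOrOwner(spender, tokenId) {
    const owner = this.ownerOf(tokenId);
    return spender === owner
      || this.tokenApprovals.get(tokenId) === spender
      || this.isApprovedForAll(owner, spender);
  }

  transferFrom(caller, from, to, tokenId) {
    if (!this.isApprovedOrOwner(caller, tokenId)) throw new Error("caller is not token owner or approved");
    if (this.ownerOf(tokenId) !== from) throw new Error("transfer from incorrect owner");
    this.tokenApprovals.delete(tokenId); // a per-token approval is cleared on transfer
    this.owners.set(tokenId, to);
  }
}

// Scenario: what each kind of approval lets a third party do, and how revocation stops it.
function runScenario() {
  const victim = "0x1111111111111111111111111111111111111111";   // constructed placeholder
  const attacker = "0x2222222222222222222222222222222222222222"; // constructed placeholder
  const nft = new Erc721Model();
  [1, 2, 3].forEach((id) => nft.mint(victim, id));
  const result = {};

  // Per-token approve: only token 1 becomes movable by the approved address.
  nft.approve(victim, attacker, 1);
  result.canMoveToken1 = nft.isApprovedOrOwner(attacker, 1); // true
  result.canMoveToken2 = nft.isApprovedOrOwner(attacker, 2); // false
  try { nft.transferFrom(attacker, victim, attacker, 2); result.unauthorizedTransferRejected = false; }
  catch (e) { result.unauthorizedTransferRejected = true; }
  nft.transferFrom(attacker, victim, attacker, 1);
  result.token1Owner = nft.ownerOf(1); // the approved address now owns token 1

  // Operator approval: one signature covers every remaining token in the collection.
  nft.setApprovalForAll(victim, attacker, true);
  result.canMoveToken2AfterOperator = nft.isApprovedOrOwner(attacker, 2); // true

  // Mitigation: revoking the operator approval removes that access again.
  nft.setApprovalForAll(victim, attacker, false);
  result.canMoveToken2AfterRevoke = nft.isApprovedOrOwner(attacker, 2); // false
  return result;
}
```

The point of the scenario is the difference between the two prompts a wallet can show: approve exposes one token, while setApprovalForAll exposes the whole collection, and only an explicit revocation (setApprovalForAll with false) undoes the latter.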

Detection on Metamask

The Attack

The method most phishing websites use is quite basic.

Method 2 — Using SafeTransferFrom Directly

safeTransferFrom / safeTransfer

The safeTransferFrom function simply transfers the NFT to the attacker’s wallet.

The Attack

Usually in this method the phishing site asks you to safeTransferFrom or safeTransfer the NFT to the attacker.

Detection on Metamask
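What MetaMask shows for both methods comes down to the calldata of the transaction you are asked to confirm. The following added example (not code from the original post or from Solid Group) decodes that calldata the way a wallet prompt should: it recognises the standard ERC-721 and ERC-1155 selectors for approve, setApprovalForAll, transferFrom and safeTransferFrom, decodes the arguments, and turns them into the plain-language warning a user should read before clicking confirm. The three sample transactions, their addresses and the collection address are constructed for the example.

```javascript
// Added example: decode NFT transaction calldata into a human-readable risk summary.
// Selectors are the standard ERC-721 / ERC-1155 function selectors; sample data is constructed.

const SELECTORS = {
  "0x095ea7b3": { name: "approve", types: ["address", "uint256"] },
  "0xa22cb465": { name: "setApprovalForAll", types: ["address", "bool"] },
  "0x23b872dd": { name: "transferFrom", types: ["address", "address", "uint256"] },
  "0x42842e0e": { name: "safeTransferFrom", types: ["address", "address", "uint256"] },
  "0xb88d4fde": { name: "safeTransferFrom", types: ["address", "address", "uint256", "bytes"] },
  "0xf242432a": { name: "safeTransferFrom", types: ["address", "address", "uint256", "uint256", "bytes"] }, // ERC-1155
};

// Decode one 32-byte ABI head word according to its declared type.
function decodeWord(type, word) {
  if (type === "address") return "0x" + word.slice(24);  // last 20 bytes of the word
  if (type === "bool") return BigInt("0x" + word) !== 0n;
  if (type === "uint256") return BigInt("0x" + word);
  return "0x" + word; // bytes: the head word is only an offset, left raw here
}

function decodeCalldata(data) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  const selector = "0x" + hex.slice(0, 8);
  const sig = SELECTORS[selector];
  if (!sig) return { selector, name: "unknown", args: [] };
  const args = sig.types.map((t, i) => decodeWord(t, hex.slice(8 + 64 * i, 8 + 64 * (i + 1))));
  return { selector, name: sig.name, args };
}

// Turn a decoded call into the warning a user should see before confirming.
function describeTransaction(tx, userAddress) {
  const d = decodeCalldata(tx.data);
  const me = userAddress.toLowerCase();
  switch (d.name) {
    case "approve":
      return { risk: "high", text: `Lets ${d.args[0]} move token #${d.args[1]} out of your wallet at any time.` };
    case "setApprovalForAll":
      return d.args[1]
        ? { risk: "critical", text: `Makes ${d.args[0]} an operator over EVERY token you hold in ${tx.to}.` }
        : { risk: "low", text: `Revokes operator rights of ${d.args[0]} over ${tx.to}.` };
    case "transferFrom":
    case "safeTransferFrom": {
      const [from, to, id] = d.args;
      return { risk: from === me ? "critical" : "medium", text: `Transfers token #${id} from ${from} to ${to} immediately.` };
    }
    default:
      return { risk: "unknown", text: `Unrecognised function ${d.selector}; do not confirm a call you cannot read.` };
  }
}

// Constructed sample transactions, built the way a dApp would hand them to eth_sendTransaction.
const pad32 = (v) => v.replace(/^0x/, "").padStart(64, "0");
const VICTIM = "0x1111111111111111111111111111111111111111";     // constructed placeholder
const ATTACKER = "0x2222222222222222222222222222222222222222";   // constructed placeholder
const COLLECTION = "0x3333333333333333333333333333333333333333"; // constructed placeholder
const SAMPLE_TXS = [
  { to: COLLECTION, data: "0x095ea7b3" + pad32(ATTACKER) + pad32((42n).toString(16)) },          // approve(attacker, 42)
  { to: COLLECTION, data: "0xa22cb465" + pad32(ATTACKER) + pad32("1") },                          // setApprovalForAll(attacker, true)
  { to: COLLECTION, data: "0x42842e0e" + pad32(VICTIM) + pad32(ATTACKER) + pad32((42n).toString(16)) }, // safeTransferFrom(victim, attacker, 42)
];

function reviewSamples() {
  return SAMPLE_TXS.map((tx) => describeTransaction(tx, VICTIM));
}

reviewSamples().forEach((r) => console.log(`[${r.risk}] ${r.text}`));
```

The first sample is Method 1 (a per-token approve), the second is its collection-wide variant, and the third is Method 2 (a direct safeTransferFrom out of the user’s own address). Anything whose selector is not recognised falls through to "unknown", which is itself a reason not to confirm.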

Summary

You should always make sure you understand the consequences and side effects of an operation before confirming the transaction in MetaMask. Another check is to look at the contract you are interacting with: in most cases the contract you are interacting with won’t be verified.

About Solid Group

Solid Group is a blockchain consulting and auditing service provider founded by cybersecurity experts with a great passion for the cryptocurrency world. We are known for our exceptional out-of-the-box thinking, experience, and our credibility among the community. Throughout our work, our team has been able to discover many high-severity issues and vulnerabilities. We work with leading companies in the field, helping them increase their resilience through tailored services and solutions.

  • Sniper bot protection tool
  • Smart contract auditing service


We are a group of 3 software developers with a combined experience of over 15 years in various fields such as software design, operating systems, and Solidity.
