How to avoid NFT Phishing Hacks — Bored Ape Yacht
On April 25, 2022 Bored Ape Yacht Club’s official Instagram account was hacked. A fake airdrop was promoted from the compromised account, and the attacker stole 91 NFTs, worth at least $2.8 million at the time, from users who connected their wallets and signed the requested transactions to "claim" it. Because the post came from the official Bored Ape Instagram account, the phishing site had a credibility that a random link would never have had.
In this article we cover two attack vectors typical of phishing websites and how you can detect them (and hopefully avoid them).
Method 1 — Using Approve Directly
Both the token (ERC-20) and NFT (ERC-721) interfaces have an approve function. For an NFT, approve(to, tokenId) allows another address to transfer that one token on your behalf, and the related setApprovalForAll(operator, true) allows it to transfer every token you own in that collection. Once the approval is mined, the approved address can move the NFT out of your wallet at any later time, without any further signature from you.
Phishing sites using this method ask you to sign a transaction that grants such an approval to the attacker's wallet, presented as a step of claiming the airdrop.
Detection on Metamask
The method most phishing websites use is quite basic. On the MetaMask confirmation screen, look at which function is being called and which address is being approved: an airdrop claim has no reason to ask for approve or setApprovalForAll, and the address being approved here is the attacker's wallet rather than a marketplace contract you recognise. The attacker wallet and one of the phishing transactions can be inspected on Etherscan:
The attacker wallet: https://etherscan.io/address/0x8c7934611b6ad70fbea13a1593de167a4689b9a9
Phishing tx: https://etherscan.io/tx/0x2eb0526a58bfcc91b3e554d8f82bef12c9e70efc5414177d5fdbca095a8b3ef2
Method 2 — Using safeTransferFrom Directly
safeTransferFrom / transferFrom
safeTransferFrom (and its unchecked variant transferFrom) moves the NFT to the recipient in the same transaction. Unlike approve there is no second step: the token is gone as soon as the transaction is mined.
Phishing sites using this method ask you to sign a safeTransferFrom or transferFrom call whose recipient (the to parameter) is the attacker's wallet.
Detection on Metamask
You should always make sure you understand the consequences and side effects of an operation before confirming the transaction in MetaMask: check the function name shown on the confirmation screen and expand the transaction data to see which addresses it contains. Another check is the contract you are interacting with. If the site routes you through its own contract (for example a "claim" contract), look it up on Etherscan; in most cases a phishing contract won't be verified. Note that this check does not help when the site calls approve, setApprovalForAll or safeTransferFrom on the genuine NFT contract, which is verified; there the only tell is the address being approved or receiving the token.
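The two patterns above can be checked mechanically from the calldata a site passes to MetaMask, before you sign. The following is an added example, not code from the original post or from Solid Group: it decodes the standard ERC-20/ERC-721 selectors for approve, setApprovalForAll, transferFrom and safeTransferFrom without any external library and flags a request as HIGH risk when the approved address or the recipient is not your own wallet or an address you have explicitly trusted. The victim, NFT-contract and marketplace addresses are constructed placeholders; the attacker address is the one from the Etherscan link above.

```javascript
// Added example (not from the original post or Solid Group): decode the
// calldata of an eth_sendTransaction request and flag the two phishing
// patterns, "approve/setApprovalForAll to attacker" and "safeTransferFrom to attacker".

// 4-byte selectors = first 4 bytes of keccak256 of the canonical signature.
// approve shares its selector between ERC-20 (spender, amount) and ERC-721 (to, tokenId).
const METHODS = {
  "095ea7b3": { name: "approve",           params: ["address", "uint256"] },
  "a22cb465": { name: "setApprovalForAll", params: ["address", "bool"] },
  "23b872dd": { name: "transferFrom",      params: ["address", "address", "uint256"] },
  "42842e0e": { name: "safeTransferFrom",  params: ["address", "address", "uint256"] },
  "b88d4fde": { name: "safeTransferFrom",  params: ["address", "address", "uint256", "bytes"] },
};

// Decode one 32-byte ABI head word (64 hex chars) into a JS value.
function decodeWord(type, word) {
  switch (type) {
    case "address": return "0x" + word.slice(24);   // low 20 bytes of the word
    case "uint256": return BigInt("0x" + word);
    case "bool":    return BigInt("0x" + word) !== 0n;
    default:        return "0x" + word;             // dynamic types: head word is only an offset
  }
}

// Parse the `data` field of a transaction request into { name, args }.
function decodeCalldata(data) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  const method = METHODS[hex.slice(0, 8)];
  if (!method) return { name: "unknown", args: [] };
  const words = hex.slice(8).match(/.{64}/g) || [];
  if (words.length < method.params.length) return { name: method.name, args: [], malformed: true };
  return { name: method.name, args: method.params.map((t, i) => decodeWord(t, words[i])) };
}

// Classify a request. `trusted` holds addresses you are willing to hand NFTs or
// approvals to (marketplace contracts, your own other wallets). Anything else is HIGH.
function classifyRequest(tx, trusted) {
  const from = tx.from.toLowerCase();
  const ok = (a) => a.toLowerCase() === from || trusted.has(a.toLowerCase());
  const { name, args, malformed } = decodeCalldata(tx.data);
  if (malformed) return { name, risk: "HIGH", reason: "truncated calldata" };
  switch (name) {
    case "approve": {
      const [spender, tokenId] = args;
      return ok(spender)
        ? { name, risk: "LOW",  reason: `approves trusted ${spender} for token ${tokenId}` }
        : { name, risk: "HIGH", reason: `grants ${spender} the right to move token ${tokenId} later` };
    }
    case "setApprovalForAll": {
      const [operator, approved] = args;
      if (!approved) return { name, risk: "LOW", reason: `revokes operator ${operator}` };
      return ok(operator)
        ? { name, risk: "LOW",  reason: `approves trusted operator ${operator}` }
        : { name, risk: "HIGH", reason: `grants ${operator} control over EVERY token in ${tx.to}` };
    }
    case "transferFrom":
    case "safeTransferFrom": {
      const [src, dst, tokenId] = args;
      return ok(dst)
        ? { name, risk: "LOW",  reason: `moves token ${tokenId} to ${dst}` }
        : { name, risk: "HIGH", reason: `moves token ${tokenId} from ${src} to ${dst} immediately` };
    }
    default:
      return { name, risk: "UNKNOWN", reason: "unrecognised selector; read the contract before signing" };
  }
}

// --- constructed sample requests, shaped like what a phishing page hands to MetaMask ---
const ATTACKER = "0x8c7934611b6ad70fbea13a1593de167a4689b9a9"; // attacker wallet from the Etherscan link above
const VICTIM   = "0x1111111111111111111111111111111111111111"; // placeholder victim wallet (constructed)
const NFT      = "0x2222222222222222222222222222222222222222"; // placeholder NFT contract (constructed)
const MARKET   = "0x3333333333333333333333333333333333333333"; // placeholder marketplace contract (constructed)

// Minimal ABI encoder for static arguments: each value becomes one 32-byte word.
const word = (v) => (typeof v === "string" ? v.replace(/^0x/, "") : BigInt(v).toString(16)).padStart(64, "0");
const encode = (selector, ...vals) => "0x" + selector + vals.map(word).join("");

const method1 = { from: VICTIM, to: NFT, data: encode("a22cb465", ATTACKER, 1) };         // setApprovalForAll(attacker, true)
const method2 = { from: VICTIM, to: NFT, data: encode("42842e0e", VICTIM, ATTACKER, 1234) }; // safeTransferFrom(victim, attacker, 1234)
const legit   = { from: VICTIM, to: NFT, data: encode("a22cb465", MARKET, 1) };           // listing on a trusted marketplace
const TRUSTED = new Set([MARKET]);

for (const tx of [method1, method2, legit]) console.log(classifyRequest(tx, TRUSTED));
```

The `trusted` set is deliberately an allow-list: a marketplace you have listed on before is LOW, anything else, including an address that merely looks like a contract, is HIGH. In practice the same logic could sit in a wallet extension or a browser hook on `window.ethereum.request`, but the point is what to read on the confirmation screen: the function name and the address in the first (approve) or second (transfer) argument.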
About Solid Group
Solid Group is a blockchain consulting and auditing service provider founded by cybersecurity experts with a great passion for the cryptocurrency world. We are known for our exceptional out of the box thinking, experience, and our credibility among the community. Throughout our work, our team was able to discover many high severity issues & vulnerabilities. We work with leading companies in the field, helping them increase their resilience through tailored services and solutions.
Solid Group provides an ALL IN ONE ICO SOLUTION:
- Audited token generator (generate your own token with NO CODING KNOWLEDGE)
- Sniper bot protection tool
- Smart contract auditing service
🌍 solidgrp.io | 🐦 Twitter | 📣 Telegram Group | ✉️ firstname.lastname@example.org