12/08/2022 NFT Heists: Are Recent Attacks the First of Many to Come?

NFT Heists: Are Recent Attacks the First of Many to Come?

NFT heists are hitting the news. Here how you can protect yourself, saysIndrėViltrakytė, co-founder of theThe Rebels.

Phishing attacks are not new. Sometimes, they are easy to spot. Like when the prompts come with a request to send your banking information to a prince from a far-away foreign land. But sometimes, they are harder to spot. Like when a request to approve the release of your assets comes from a seemingly trustworthy source.

CryptoPunk sells for 4,000 ETH ($12.41 million), sixth-most expensive ever
Nifty News: PayPal removes NFT protections, Adidas NFT sneakers and more
MGA Entertainment’s LOL Surprise becomes latest toy brand to make NFT move

This is what happened recently in an NFT phishing theft case. Users trusted a scheme that involved thePremint platform. The users agreed to a prompt to approve an unknown entity to control their assets.

On July 17, 2022, a popular NFT platform, Premint NFT, was hacked. 314 NFTs worth $430,000 were stolen. Perpetrators were able to plant malicious code on Premint’s official website. The code instructed users to “set approvals for all” when connecting their digital wallets to the site. This allowed the attackers to access their crypto assets and steal their NFTs.

The new world of NFTs – digital art collection – may be in line for more phishing attacks.

NFT heists: What are being stolen?

Typically when we hear the word NFT, we think of a digital image that is unique and connected to the blockchain. It is, however, more elaborate than that. When talking about NFTs, the ownership tracking and uniqueness are always accented. But nowhere in the NFT standard, it is stated what the unique tokens represent. In its essence, the tokens are only unique numbers. It’s the authors of the NFT collection who define what these tokens represent.

Furthermore, images are usually never “uploaded into thecrypto wallet.” They are not part of the NFT contract. A hash of the image might be written into the contract to create a connection with the thing that the NFT represents. Also, NFT as a standard doesn’t concern itself about the value or the buying and selling operations of the NFTs. It only supplies standard methods to transfer the NFT ownership. It’s the marketplaces and the community who build on top of that and treat the NFTs as merchandise.

As merchandise, NFTs are mostly purchased as collectibles, often used for investment purposes. They have developed practical use cases only recently. An example isdigital fashion wearablesin the Metaverse.

NFT heists

What can be done in the future?

Who’s to blame? Is it the user? Or the platform, which allowed an attacker to initiate a fraudulent transaction?

In this particular case, the attackers were able to display content to trick the user into signing the fraudulent transaction.

A vague, plausible-sounding reason for the transaction in combination with trust in the website was enough to fool many. That said, it is unreasonable to expect that the average Web3 user could skirt it. Most didn’t have a strong enough tech background to notice that the transaction was actually giving someone access to his or her NFTs.

It’s possible to trick users into signing transactions if it’s initiated by a trusted website. The assets in the users’ wallets are only as safe as ALL the decentralized applications (dapps) that the user interacts with put together. Identical cases are likely to happen in the future.

The wayssecuritycan be improved:

1. Wallets could display more human-oriented information for known contract interaction types. For example, a huge red message saying, “Hey, you’re giving control for all of your NFTs to someone!” That would be much better than the current all caps “SET APPROVAL FOR ALL” in gray in the MetaMask’s transaction confirmation window.

2. Websites could list and publish the contract interactions that they might initiate. The providers likeMetaMaskcould refuse any non-standard transactions.

NFT heists: How can users protect themselves

– Review the transaction details before signing. This won’t protect the user 100% of the time. But reviewing what method on what contract is crucial.

– Separate NFTs (and other crypto assets) into multiple wallets. If the users are tricked into giving someone control of their assets in onewallet, at least the assets in other wallets are safe. This is as long as you don’t share your private key or the seed phrase.

– Use different wallets for different dapps. It’s not always practical to do so when the dapp is meant to interact with other assets in the wallet. However, it’s important to try keeping only what’s relevant.

About the Author

Indrė Viltrakytėis the co-founder of the Web3 fashion ventureThe Rebels. It has 10101 unique characters based on the controversial “Jesus, Maria” ad campaign. The campaign was banned but later found justice in the European Court of Human Rights, which ruled in favor of the brand. The case is now held as a precedent in cases related to freedom of expression in the EU. Indrė Viltrakytė has 10+ years of experience in the fashion industry.

Arts

https://beincrypto.com/nft-heists-attacks-many-to-come/

Interesting NFTs
The Moth Catcher
In this psychologically bed-headed portrait, a creature sets in a trance; his eyes devolved and vestigal, his third eye open but hardened and in a form resembling a Sharingan. The imagery therefore expresses an awareness existing in corporeal introspection. The creature’s mind sprouts, on the left side, an emerging face, grinning. To the right side of the head, red tentacles and fingers intertwine–a collaboration of invertebrate and vertebrate consciousness cooperatively handling paint brushes of the sort used to build an oil painting. The neck and throat bristle with random thorns, as from a rose or the upper portions of a beak sprouting from its flesh. The neck itself disassociates into layers of membranous material, terminating upon an abstracted base of convoluted forms composing its body. The nose is virtually non existent, more a sinus reiterative of the shape of the third eye. Set against the exposed teeth peering out of thick, meaty cheeks, a skeleton-like impression results. That impression sets behind a visceral set of lips and tongue, which is the creature’s prime seat of awareness. Sensual, organic, the tongue organ hangs, meaty, and with consciousness of a sea cucumber. It illuminates at the tip, drawing the attraction of a nearby moth–with mystery of purpose.
Punk #24
Inscription #441
#79026
By OthersideDeployer
Iconic Crypto Queen
(Virtual) blondes have more fun, right? #iconic ICONIC (Adj.): of, relating to, or having the characteristics of an icon. Widely recognized and well-established.
My Other Half | Inspired by Minecraft: The Last Minecart (2011)
Almost every year, we capture ourselves in a way that no photo or video is capable of: with a photoscan. If you dig through our archives, you'll find many of them and can see exactly how we change over time. Sam Gorski, Creator | I wanted to find the oldest scan of myself and put him side-by-side with Sam from the present. While it is hard to look at it and not miss the years past, at the same time, this gives me hope for the future by embracing and cherishing the change in my life. How would I have gotten this far without him? About This Piece | Sam on the left was captured in 2014, while Sam on the right was captured last week (2021). This work represents the personal, creative, and emotional journey in all of us, and the hope that ourselves tomorrow may be better than ourselves today.