A Guide to Ethereum Exploits and Security Best Practices
As any technology evolves, it necessarily faces unique security challenges. Ethereum is no exception, and navigating this new world presents a host of pitfalls that can be intimidating for new users. Indeed, it seems every day we see another member of our community scammed.
However, you don’t have to be a security expert to keep your assets secure. Operating safely can be boiled down to a few simple rules. In this article, we’ll talk about the scams that run rampant in the space today, and how to prevent yourself from becoming a victim.
The beauty of Ethereum is that each user becomes the custodian of their own assets. There is no need for banks, debit cards, trading hours, or intermediaries. The chain runs 24/7, and remains available to anybody at any time, without bias. During peak hysteria, when centralized exchanges crash, the chain chugs along. You can always transact, though sometimes you may have to pay a pretty penny to do so.
Self-custody can be daunting. Because you control your own funds, you are also responsible for keeping them safe. Scammers know that less knowledgeable users can be exploited, and with no intermediaries to protect you, there’s little to no recourse after losing your assets.
First, let’s dispel a common misconception: a malicious smart contract can’t steal your NFTs. In order to move an NFT governed by Contract A, Contract B would first need you to approve it to do so by calling Contract A’s setApprovalForAll function. This requires a separate transaction, and although setApprovalForAll is used in scams, it’s not executed in this manner. This is important because it means that no degen mint can steal your assets as long as you verify that the contract you’re interacting with is the degen mint contract, and not the contract of some other asset you own.
Though a contract can’t be used to submit a malicious SAFA request, a website can. If a site unexpectedly asks you to setApprovalForAll (SAFA), it is almost surely a scam. They’ll simply ask you to sign boredApeYachtClub.setApprovalForAll instead of degenMint.publicMint, and if you sign it, they are free to take all of your Bored Ape Yacht Club tokens. Most Ethereum wallets will provide a warning when you are about to sign a SAFA request, so always be extra cautious when you see one. If you aren’t expecting to sign a SAFA request, then you shouldn’t.
There are, of course, legitimate reasons to use SAFA. NFT Marketplaces like OpenSea or Blur require approval to move your NFT if somebody buys it. If you see a SAFA while listing an NFT on a marketplace you trust, you are safe to proceed. For the same reason, P2P trading sites like NFTTrader require approvals to execute a swap. However, there are a lot of scammers who utilize this transaction type to scam you. Let’s take a look at a few below.
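The check a wallet (or a cautious user) can make before confirming is to decode the transaction’s calldata and see who is being granted approval. Added example, not code from the article: it decodes setApprovalForAll and approve calldata and compares the operator with a constructed allowlist (the addresses are placeholders).

```python
# Added example (not from the article): inspect the calldata of an unsigned
# transaction before signing and flag approval grants to unknown operators.
# A selector is the first 4 bytes of keccak256 of the function signature.
SET_APPROVAL_FOR_ALL = "a22cb465"   # setApprovalForAll(address,bool)
APPROVE = "095ea7b3"                # approve(address,uint256)

# Constructed allowlist of operator contracts you intend to approve
# (placeholder address, not a real marketplace deployment).
TRUSTED_OPERATORS = {
    "0x" + "11" * 20: "example marketplace conduit (placeholder)",
}

def _word(data: str, i: int) -> str:
    """Return the i-th 32-byte ABI word of hex calldata (after the selector)."""
    start = 8 + 64 * i
    return data[start:start + 64]

def classify_calldata(data: str) -> dict:
    """Decode an approval-style call and say whether it looks expected."""
    data = data.lower().removeprefix("0x")
    sel = data[:8]
    if sel == SET_APPROVAL_FOR_ALL:
        operator = "0x" + _word(data, 0)[24:]        # address is left-padded
        approved = int(_word(data, 1), 16) == 1
        return {"kind": "setApprovalForAll", "operator": operator,
                "approved": approved,
                "suspicious": approved and operator not in TRUSTED_OPERATORS}
    if sel == APPROVE:
        spender = "0x" + _word(data, 0)[24:]
        amount = int(_word(data, 1), 16)
        return {"kind": "approve", "operator": spender, "amount": amount,
                "suspicious": amount > 0 and spender not in TRUSTED_OPERATORS}
    return {"kind": "other", "selector": sel, "suspicious": False}

def encode_safa(operator: str, approved: bool) -> str:
    """Build setApprovalForAll calldata (used here only to construct samples)."""
    op = operator.lower().removeprefix("0x").rjust(64, "0")
    flag = ("1" if approved else "0").rjust(64, "0")
    return "0x" + SET_APPROVAL_FOR_ALL + op + flag

if __name__ == "__main__":
    unknown_eoa = "0x" + "ab" * 20   # constructed, not a real address
    print(classify_calldata(encode_safa(unknown_eoa, True)))
```

A revoke (approved set to false) is never flagged, which is exactly the transaction a legitimate revoke site asks for.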
Most Popular Scam Methods That Utilize the “SAFA”
NFT Trading Scams
These types of scams use social engineering techniques to convince you to take part in a private trade. Next, they will send you a fake trading site. Since marketplaces will ask you to setApprovalForAll, the process might seem trustworthy. However, instead of approving a marketplace’s smart contract, the scammer tricks you into approving their wallet. At that point, the scammer can steal your NFTs and block your future messages.
To avoid this particular scam, bookmark reliable platforms such as OpenSea, LooksRare, X2Y2, NFTTrader, and SudoSwap. For some other similar tips, check out the Boring Security guide on how to trade securely.
Fake Revoke Sites: Another way that scammers might request a SAFA from you is to claim that there is a new exploit on a particular marketplace like Blur or OpenSea. Next they direct you to a fake site to revoke approvals. Since revoking approvals prompts a SAFA transaction, it can be difficult to tell if it is legitimate or not. Signing the wrong transaction approves the scammer’s address to steal your NFTs. To avoid this, bookmark your preferred revoke site, such as http://revoke.cash and https://approvals.xyz.
Airdropped NFTs with WETH offers: If you’ve asked yourself, “can I accept that WETH offer on the junk NFT that appeared in my wallet?”, you’re not alone. The answer is yes, and no. The NFT itself can’t harm you – remember, contracts can’t steal your other NFTs. So what are they all about? First of all, the WETH offer is fake – if you try to accept it, the transaction will fail. The reason it’s there is to draw your eyes to something else: the item description. In the description, you’ll find a link to an external website where, you guessed it, they’ll ask you to sign a malicious transaction. You can read more on this technique in this twitter thread by Quit.
Accusing You Of Being A Scammer: A popular method lately has been to make accusations that you are scamming people in Discord, complete with (doctored) screenshots of you scamming in DMs. This is particularly nasty because you are naturally inclined to attempt to protect your reputation. The end goal here is to lure you into a fake Discord server that uses an imitation of Collab.Land or Vulcan for verification. When you go to verify your identity, the imitation site requests a SAFA or a Seaport signature (more on that below) from you! Keep yourself safe from these by ignoring any accusations of scamming.
Other Methods: We’ve seen fake derivative sites, fake mints, staking sites, airdrop claims, hacked accounts on Twitter linking phishing sites, function name collision obfuscation (too long to talk about in this article, but explained beautifully here), and many more. We couldn’t possibly get through them all, but you should know the components of an Approval transaction, what to look for, and what to watch out for with existing approvals. Check out this article written by Boring Security about approvals for more information. The bottom line is: be extremely careful where and what you give approvals to, what you sign, and where you sign it!
Now that we know how to avoid SAFAs, let’s look at another, potentially more devastating SAFA-related scam: the Seaport Signature. This scam has risen in popularity over the past few months as SAFA awareness grows, and is now the culprit for the majority of scams we see every day.
It is commonly assumed that if a website requests a gasless signature, it’s safe to sign. That couldn’t be further from the truth. In fact, the most devastating scam out there leverages gasless signatures to steal bundles of NFTs all at once.
Remember that marketplaces require approvals in order to move your NFTs, for example, when it must move a listed NFT to its new buyer. On the other end, these marketplaces use signatures to verify that the listing is valid before finalizing the sale.
A valid signature contains specific data: the token(s) name, the listing deadline, the price of the assets, and more. Any number of tokens can be included in a listing. And it’s not just NFTs: setting approvals works for ERC-20 tokens such as $USDC and $APE as well.
All a scammer needs to do to take advantage of this is request a signature from you that includes all of your tokens as assets, and a price of 0. Once you sign it, they can submit that signature to Seaport to “buy” the new listing, transferring all of your assets to them. That leaves nothing for you.
It’s important to note that only tokens that you’ve approved to Seaport are at risk of this attack, and prevention is fairly simple. The OpenSea signature is verbose and hard to decipher. If a website you don’t trust prompts you for a signature and you can’t understand what it means, don’t sign it. This is the best way to keep safe – signatures are required to prove ownership on many sites, but legitimate use cases should always be human-readable messages like “Welcome to collab.land!”. If you want to get into the finer points of signature types, and some screenshot examples, head on over to Boring Security’s “Safe Signing 101” article shown here.
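The drain pattern described above (many assets offered, nothing coming back) is mechanical enough to check before signing. Added example, not code from the article or from OpenSea: the field names follow Seaport’s OrderComponents layout as an assumption, and both orders are constructed samples with placeholder addresses.

```python
# Added example, not from the article: review an EIP-712 order payload before
# signing it. Field names follow Seaport's OrderComponents layout (assumption);
# the orders below are constructed samples, not real listings.
NATIVE, ERC20, ERC721 = 0, 1, 2      # Seaport ItemType values

def _paid_to_offerer(order: dict) -> int:
    """Total consideration whose recipient is the signer (the 'price')."""
    me = order["offerer"].lower()
    return sum(int(c["startAmount"]) for c in order["consideration"]
               if c["recipient"].lower() == me)

def review_order(order: dict) -> dict:
    """Flag the drain pattern: many assets offered, nothing coming back."""
    offered = order["offer"]
    paid = _paid_to_offerer(order)
    reasons = []
    if offered and paid == 0:
        reasons.append("you give away assets and receive nothing")
    if len(offered) > 1:
        reasons.append(f"{len(offered)} assets bundled into one signature")
    if any(o["itemType"] == ERC20 for o in offered):
        reasons.append("ERC-20 balances included in the offer")
    return {"offered": len(offered), "paid_to_you": paid,
            "safe_to_sign": not reasons, "reasons": reasons}

VICTIM = "0x" + "aa" * 20                            # constructed signer
APES, USDC = "0x" + "c1" * 20, "0x" + "c2" * 20      # placeholder token contracts

def nft(token: str, token_id: int) -> dict:
    return {"itemType": ERC721, "token": token,
            "identifierOrCriteria": token_id, "startAmount": 1, "endAmount": 1}

# Constructed scam order: three NFTs plus a USDC balance, price 0.
DRAIN_ORDER = {
    "offerer": VICTIM,
    "offer": [nft(APES, 1), nft(APES, 2), nft(APES, 3),
              {"itemType": ERC20, "token": USDC, "identifierOrCriteria": 0,
               "startAmount": 5000_000000, "endAmount": 5000_000000}],
    "consideration": [],
}
# Constructed legitimate listing: one NFT for 1 ETH paid to the offerer.
SALE_ORDER = {
    "offerer": VICTIM,
    "offer": [nft(APES, 1)],
    "consideration": [{"itemType": NATIVE, "token": "0x" + "00" * 20,
                       "identifierOrCriteria": 0, "startAmount": 10**18,
                       "endAmount": 10**18, "recipient": VICTIM}],
}
```

Wallets show these orders as an opaque blob; reading the offer and consideration arrays is what turns that blob into the human-readable question “what am I giving, and what do I get back?”.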
Outside of being careful about what you sign, you should also practice good asset segregation. Since only the NFTs you’ve approved to OpenSea or other marketplaces are vulnerable to this type of attack, you don’t need to worry about it on wallet addresses that don’t carry any open approvals. You should always keep your most valuable NFTs in a vault wallet with no approvals. Then when you need to sell, transfer them to an intermediate wallet and list them for sale from there. Since your vault has not approved anything to any exchanges, you don’t have to worry about gasless signature scams. Using this method, you successfully close off the entryway for the most common and deadly attack.
Also note that while less common, Blur signatures and approvals are also subject to this type of scam. To explain, Blur signatures will appear as a random hex string. This is perhaps even more unreadable than a Seaport signature.
Although most major wallets disable signing such raw hex messages by default, it is worth mentioning, because you may decide to enable it for things like Opensea Pro.
There is another type of gasless signature that can be dangerous: the eth_sign. At its core, a blockchain transaction is simply a signed message that, when decoded, includes fields like Gas Price, Nonce, Value, To Address and more. So attackers using this method will assemble a valid transaction and then ask you to sign it. That’s because, once signed, anybody can submit the transaction. If all of the parameters are still valid (i.e. your nonce hasn’t changed), the transaction will be executed as if you submitted it yourself. This raw transaction signing is called an eth_sign, and luckily it is now disabled by default in most major wallets.
If you do happen to sign one, there can only be a single transaction executed using that signature. Once the damage is done, you are safe to continue using your wallet as normal.
Address poisoning happens when an attacker sends fake tokens from your address to an address that resembles one from your transaction history. They can do this very effectively and cheaply using something called event spoofing. Rest assured that not only is your address still secure, but these tokens aren’t even actually moving. The scammer hopes that some time in the future, you will copy and paste a destination you sent to in the past, and accidentally choose their lookalike address over the real one. Avoid falling victim by double-checking your destination before confirming any transactions!
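Because wallet UIs usually show only the first and last few characters of an address, a poisoned address copies exactly those and differs in the middle. Added example, not code from the article: a small address-book check that tells an exact match apart from a lookalike, using constructed addresses.

```python
# Added example, not from the article: compare a pasted destination against
# your own address book and flag lookalikes. All addresses are constructed.
def _norm(addr: str) -> str:
    return addr.lower().removeprefix("0x")

def lookalike_check(destination: str, known: dict, edge: int = 4) -> dict:
    """Return the matching address-book entry, or the entry it merely resembles.

    'edge' is how many leading and trailing hex characters a typical wallet
    UI displays; a poisoned address matches on both ends and differs inside."""
    dest = _norm(destination)
    for label, addr in known.items():
        a = _norm(addr)
        if a == dest:
            return {"status": "known", "label": label}
        if a[:edge] == dest[:edge] and a[-edge:] == dest[-edge:]:
            return {"status": "lookalike", "label": label, "expected": addr}
    return {"status": "unknown"}

# Constructed address book and a poisoned lookalike that shares the first
# and last four hex characters with the exchange deposit address.
ADDRESS_BOOK = {
    "exchange deposit": "0x1234" + "ab" * 16 + "9876",
    "vault": "0x" + "ee" * 20,
}
POISONED = "0x1234" + "cd" * 16 + "9876"

if __name__ == "__main__":
    print(lookalike_check(POISONED, ADDRESS_BOOK))
```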
Private Key Compromise
The most devastating attack of all is the private key compromise. Thankfully, this also happens to be the attack that is most easily avoided. If you are not using a hardware wallet, your private keys are saved somewhere (hopefully encrypted) on your device. A malicious program will be able to locate and extract these keys, giving an attacker full control of your wallet.
Private key compromises are the hardest type to track down the source of, because there’s nothing on-chain that can hint at the source. Any malware can be responsible for stealing your private keys: anything you download and run on your device can potentially be the culprit.
Social Engineering Scams
The most common method is a social engineering scam. The top three scams we’ve seen in 2023 have been:
- Game Beta Testing: A scammer will offer you money in exchange for beta testing a “game” that they’re building. Testing the game will require downloading and installing it, of course. To follow, the installer will attempt to hijack your wallet’s private key. If successful, they drain the wallet’s contents. Additionally, an automated sweeper will be attached to extract any assets sent to the address in future.
- IP Royalty Contract Scam: A scammer will offer you royalties and payments for the usage of your NFT’s IP. This is the dream, right? Passive income. Unfortunately, they will either get you to sign a scam transaction, or have you download a fake PDF that contains a private key stealing virus.
- Collaboration Request/Contract: Founders and those involved in projects with high-value NFTs are targeted by all types of companies attempting to appear legitimate. These are getting more prevalent, and use the same method as above. They may also even get on calls with you to buy credibility with you.
If your private key has been compromised, your only option is to abandon the wallet and start fresh. If there are assets remaining in the compromised wallet, for example, assets that were staked or otherwise not immediately apparent to an attacker, those assets can sometimes be rescued using a Flashbots bundle by whitehat hackers in the Flashbots Discord server.
If you use a hardware wallet, your keys are protected from the internet. This keeps them safe from things like malware, as long as you don’t manually store them somewhere online. Ledger devices use a secure element chip, meaning they are some of the most secure hardware wallets in existence. To be properly protected while using a hardware wallet, you should keep your seed phrase written down offline, on paper, or better yet, using metal. To learn more, make sure to check out the article on how to protect your recovery phrase.
Final Thoughts From Boring Security
The world of Ethereum and NFTs is an exciting and rapidly evolving space, but it is essential to remain vigilant and well-informed to avoid falling victim to scams and malicious actors. Safeguard yourself by thoroughly understanding the potential risks associated with malicious smart contracts, SAFA requests, Seaport signatures, ETH_SIGN, and private key compromises. Exercise caution when signing transactions, approving contracts, or downloading and installing new software, and always pay close attention to any warning signs.
Keep your assets vaulted. If you value something, leave it in a wallet that has no open approvals.
Utilize hardware wallets to provide an additional layer of security for your private keys, ensuring that they stay safely stored offline. Bookmark and rely on trusted platforms for conducting transactions and managing your assets to avoid inadvertently accessing malicious websites. By following these guidelines and consistently staying up-to-date on emerging threats and best practices, you can confidently engage with the Ethereum ecosystem and the world of NFTs while effectively safeguarding your valuable assets from potential risks.
Have any questions or want to learn more about web3 security and stay up to date on the most current security information, scams, and tactics? Join Boring Security in our discord at https://discord.gg/boringsecurity