WiiMee.eth 🟦🟥
👨‍🏫 Web3 security educator on a mission @BoringSecDAO ⛓ Helping you navigate the blockchain safely 🛡 Make security your priority

Oct 5, 2022, 15 tweets

"Always read what you're signing!"

Ever heard that saying in web3?

I did.

So here's how to READ and RECOGNIZE that we're signing a listing to Opensea's Seaport protocol (one that we might not want).

#SaferNFTs 🛡 1/13

Everyone who's been following me for a while knows I tweeted a lot about signature / listing sc4ms.

"Offerer" is one of the biggest red flags you're looking for. 🚩

The message on the right is something you should NEVER see and NEVER expect on a non-marketplace website.

2/13

But before we take a look at the drainer above - let's analyze what a legit Opensea listing signature would look like. 💡

3/13

Learning #1: It's CRUCIAL that the URL displayed is opensea(dot)io if you're actually listing an item there.
(Blurred out parts are the wallet address)

The Seaport header will ALWAYS show up on SC4M signature requests AS WELL, because that is the contract that is called.

4/13

This is what a full (legit) signature request for 1 NFT looks like in an editor (for readability).
See the token we saw in the MM screenshot?

Here's the catch: This is a 0 ETH private listing to one of my wallets - so exactly how a sc4m would operate.
How would we know?

5/13

Consideration (or return):

The only recipient is a wallet address.

Apart from that, there are NO additional specifications for this listing. That effectively makes the tokens you're offering free, as you're not a recipient of anything.

Time and below aren't relevant from a non-technical pov.

6/13

Now we know what a "giveaway / no return / fatfinger / 0 ETH" listing would look like.

How does a legit one look? Let's bring up the editor again.

7/13

This is a "standard listing" signature.

We still got ONE offer item. But we now got at least 2 (most times at least 3) consideration items for the offer item.

The seller's wallet receives the set amount of token 0x00.. (which is the native token of the chain, in this case ETH).

8/13

After the seller, Opensea receives their % feeshare, and the project their % royalties (if set).
Then the buyer's wallet will receive the token in return for the ETH.

Don't mind everything below startTime.

Now - what does the malicious signature from tweet #2 look like?

9/13

Sc4mmers scan your wallet for open approvals with a .js file.

If you look up entry 0: 0xbc4ca0eda7647a8ab7c2061c2e118a18a936f13d on Etherscan - you'll find... the Bored Ape Yacht Club. TokenID: 8867.

1: Is the ERC20 USDC - with an amount of $39,863!

Still looking ok, no?

10/13

We offered 8 different items - there should be at least 16 (if not 24) consideration items, right (OS fee, royalties)?
In a legit listing - yes. But we're getting exploited here. Simply put: All your offer items -> recipient wallet address. Without ANYTHING in return.

11/13

TL;DR:

Takeaways for listing signatures:
1) Make sure the offerer is the wallet address that WANTS to list items
2) The offer contains EVERYTHING you (the offerer) are spending
3) Consideration is what needs to be received and by who, in order to take the offer items.

12/13

TL;DR 2:

Checks for listing signatures:
1) The right wallet is selected (don't use the wrong account) ✅
2) NO NFTs / ERC20s in the offer items you don't want to sell ✅
3) Your wallet address is the #1 consideration item + there's the token you're trying to sell for ✅

13/13
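The three checks above, applied to the `message` part of a Seaport EIP-712 signature request, as an added example that is not part of the thread. Field names follow Seaport's OrderComponents struct (offerer, offer, consideration); all addresses and amounts are constructed placeholders, and the "at least 2 consideration items per offer item" rule is the thread's own heuristic.

```javascript
// Added example (not from the thread): runs the thread's checks on a Seaport
// OrderComponents message as a wallet shows it in an EIP-712 signature prompt.
// Field names follow Seaport's OrderComponents struct; addresses are constructed.
const ItemType = { NATIVE: 0, ERC20: 1, ERC721: 2, ERC1155: 3 };
const same = (a, b) => String(a).toLowerCase() === String(b).toLowerCase();

// order:    the `message` object of the signature request
// wallet:   the account you intend to sign with
// intended: items you actually want to sell, as [{ token, id }]
// Returns a list of red flags; an empty list means the listing passes.
function auditSeaportListing(order, wallet, intended) {
  const flags = [];
  // 1) The offerer must be the wallet that wants to list.
  if (!same(order.offerer, wallet)) flags.push(`offerer ${order.offerer} is not your wallet`);
  // 2) Every offer item must be one you meant to sell.
  for (const it of order.offer) {
    const ok = intended.some(i => same(i.token, it.token) && String(i.id) === String(it.identifierOrCriteria));
    if (!ok) flags.push(`unexpected offer item ${it.token} #${it.identifierOrCriteria}`);
  }
  // 3) The first consideration item must pay YOU a non-zero currency amount.
  const first = order.consideration[0];
  if (!first) { flags.push('empty consideration: nothing comes back'); return flags; }
  if (!same(first.recipient, wallet)) flags.push(`first consideration goes to ${first.recipient}, not you`);
  const currency = first.itemType === ItemType.NATIVE || first.itemType === ItemType.ERC20;
  if (!currency || BigInt(first.startAmount) === 0n) flags.push('no sale price: you are not paid a token amount');
  // Thread heuristic: a legit listing has seller + marketplace fee (+ royalties) per offer item.
  if (order.consideration.length < 2 * order.offer.length)
    flags.push(`${order.consideration.length} consideration item(s) for ${order.offer.length} offer item(s)`);
  return flags;
}

// Constructed sample data (placeholders, not real addresses).
const SELLER = '0x1111111111111111111111111111111111111111';
const ATTACKER = '0x2222222222222222222222222222222222222222';
const NFT = '0x3333333333333333333333333333333333333333';
const FEES = '0x4444444444444444444444444444444444444444';
const ZERO = '0x0000000000000000000000000000000000000000'; // native ETH in Seaport
const ape = { itemType: ItemType.ERC721, token: NFT, identifierOrCriteria: '8867', startAmount: '1', endAmount: '1' };
const eth = (wei, recipient) =>
  ({ itemType: ItemType.NATIVE, token: ZERO, identifierOrCriteria: '0', startAmount: wei, endAmount: wei, recipient });

// Standard listing: 1 offer item, seller paid first, then the marketplace fee.
const legitListing = { offerer: SELLER, offer: [ape], consideration: [eth('975000000000000000', SELLER), eth('25000000000000000', FEES)] };
// "0 ETH private listing": the NFT itself is the only consideration item, sent to a single address.
const drainerListing = { offerer: SELLER, offer: [ape], consideration: [{ ...ape, recipient: ATTACKER }] };
```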

Extra: Thanks to @z0age for the exchange during this writeup. Appreciate your time and wisdom.

I'm planning to do a video on this topic to explain it a bit more in detail + visuals. 📺

@RevokeCash extension has displayed THIS for the signature request.

Stay safe everyone! 🛡

The video covering this 🧡 in a way more detailed explanation is ready.

Follow me along for ~20 minutes as I teach you what to look out for.
