Recently I saw someone on my feed talk about how they got their #NFTs stolen from #Metamask. They went to a malicious site (unbeknownst to them) and performed what they believed were standard approvals.
However, the approvals were safeTransferFrom.
🧵/1
Someone else commented that #crypto investors should learn some basic Solidity functions so they can avoid mistakes like this.
For reference, safeTransferFrom is the function that transfers an NFT from one wallet to another.
🧵/2
Anyway, I agree so I thought I'd do a thread on common MetaMask (browser wallet) approvals and permissions.
Let's dive in.
🧵/3
MM and other browser wallets have four primary functions/approvals:
- Transfer/send (sends funds or tokens to another wallet)
- dApp approval (lets a dApp see your wallet addresses)
- Token approval (lets a smart contract spend a particular token on your behalf, up to a set limit)
- Mint
🧵/4
Transferring funds is pretty simple. You approve the transaction.
Just make sure you triple check the address it's going to.
🧵/5
Here's that safeTransferFrom again. This is for sending NFTs. Again, make sure you know you are sending your NFT to another wallet, and triple check the wallet address.
🧵/6
Next, the most common approval is the dApp approval.
You can't use dApps through MetaMask without it.
The full permissions are listed under the "Connect To" section beneath "Allows this site to".
🧵/7
Typically this approval only allows the site to see your wallet addresses and transactions.
A common misconception is that if you give this permission to a malicious site, they can steal all your coins. No, this permission doesn't give them access to your wallet.
🧵/8
What this permission does is allow the dApp to see your addresses and transactions.
In and of itself this is not harmful. However, a malicious site could use this information to set up more elaborate hacks,
such as waiting until one of your txns fails and then showing you a fake MM popup.
🧵/9
Never trust a pop-up. Always dismiss it and then click on the MetaMask extension manually. This avoids a lot of issues with spoofed pop-ups, which can look very convincing.
🧵/10
Last is the token approval.
This is typically where people get into trouble.
This is the approval that gives a smart contract access to that particular token, not just for that single txn, but for all of that token in the entire wallet (up to the allowance you set).
🧵/11
How this becomes an attack vector should be obvious:
A malicious dApp could ask for permission to access a DIFFERENT token than the one you think you're approving.
For example, you think you're approving $shitcoin but really they're asking for $BNB.
🧵/12
The second way people get into trouble is that these approvals set a max allowance (the amount the contract can spend before it needs approval again)... but so many dApps now just automatically set that amount to either unlimited or an astronomically high number.
🧵/13
This means, if you blindly click approve on a malicious #dApp, you could be approving the wrong token (a valuable one) for an unlimited amount.
THIS would allow the smart contract to extract all of that token from your wallet.
🧵/14
There are other functions, such as mint(), but those first three are the ones scammers most commonly use as attack vectors.
So how do you protect against them?
🧵/15
As mentioned above, don't approve a transfer to any address you don't intend to transfer to. Always ALWAYS triple check addresses for any function that says "Transfer".
🧵/16
Don't trust popups, ever. Whenever a popup appears, dismiss it and then manually click on the MM extension.
If you realize you've approved a scam site, you can revoke it in MM.
Click the three dots, go to Connected Sites, then click Disconnect.
🧵/17
Token approvals are a little trickier.
If you want to revoke a smart contract's approval to spend your tokens, you'll need to do so in the block explorer.
Block explorers have a /tokenapprovalchecker page (just add that path to the end of the explorer URL) where you can check these.
🧵/18
Then you plug in your wallet address, connect your wallet, and revoke the contract's allowance.
This will cost gas, however.
🧵/19
It's a good idea to revoke old approvals for contracts you no longer interact with.
The reason is that these approvals live on the blockchain and therefore persist forever.
If a developer gains access to that contract in the future and decides to exploit it, you are in danger.
🧵/20
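The token-approval and revocation tweets above (/12 through /14 and /18 through /20) boil down to one check: before confirming, read which contract the popup targets, which function it calls, and how much it asks for. The following JavaScript is an added example written for this page, not code from the thread or from MetaMask. It decodes the `data` field of a transaction request using well-known ERC-20/ERC-721 function selectors, flags the "wrong token" and "unlimited allowance" cases, and encodes the approve-for-zero transaction that a revocation sends. All function names (`describeTx`, `checkAgainstIntent`, `encodeRevoke`, etc.) and all addresses are constructed for the example.

```javascript
// Added example (not from the thread): decode what a MetaMask transaction
// request actually asks for, so it can be checked against what you intended
// before you click Confirm. Every address and calldata value below is
// constructed for the example; none is a real contract.

// Well-known ERC-20 / ERC-721 function selectors (first 4 bytes of keccak256
// of the canonical signature). MetaMask shows `data` in the popup's HEX tab.
const SELECTORS = {
  "0x095ea7b3": "approve(address,uint256)",                  // ERC-20 token approval
  "0xa9059cbb": "transfer(address,uint256)",                 // ERC-20 send
  "0x23b872dd": "transferFrom(address,address,uint256)",
  "0x42842e0e": "safeTransferFrom(address,address,uint256)", // ERC-721 NFT send
  "0xb88d4fde": "safeTransferFrom(address,address,uint256,bytes)",
  "0xa22cb465": "setApprovalForAll(address,bool)",           // ERC-721 operator approval
};

const MAX_UINT256 = (1n << 256n) - 1n; // the "unlimited" allowance value

// Split calldata into the 4-byte selector and 32-byte ABI words.
function splitCalldata(data) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  if (hex.length < 8 || (hex.length - 8) % 64 !== 0) throw new Error("malformed calldata");
  const words = [];
  for (let i = 8; i < hex.length; i += 64) words.push(hex.slice(i, i + 64));
  return { selector: "0x" + hex.slice(0, 8), words };
}

const asAddress = (word) => "0x" + word.slice(24); // address sits in the low 20 bytes
const asUint = (word) => BigInt("0x" + word);

// Describe a transaction request {to, data} in terms a user can verify.
function describeTx(tx) {
  const { selector, words } = splitCalldata(tx.data);
  const sig = SELECTORS[selector] || "unknown";
  const d = { contract: tx.to.toLowerCase(), signature: sig, warnings: [] };
  switch (sig) {
    case "approve(address,uint256)":
      d.spender = asAddress(words[0]);
      d.amount = asUint(words[1]);
      d.unlimited = d.amount === MAX_UINT256;
      if (d.unlimited) d.warnings.push("unlimited allowance requested");
      break;
    case "transfer(address,uint256)":
      d.recipient = asAddress(words[0]);
      d.amount = asUint(words[1]);
      break;
    case "transferFrom(address,address,uint256)":
    case "safeTransferFrom(address,address,uint256)":
    case "safeTransferFrom(address,address,uint256,bytes)":
      d.from = asAddress(words[0]);
      d.recipient = asAddress(words[1]);
      d.tokenId = asUint(words[2]);
      break;
    case "setApprovalForAll(address,bool)":
      d.operator = asAddress(words[0]);
      d.approved = asUint(words[1]) === 1n;
      if (d.approved) d.warnings.push("operator would control every NFT in this collection");
      break;
    default:
      d.warnings.push("unrecognised function selector " + selector);
  }
  return d;
}

// Compare the decoded request with what the user meant to do.
function checkAgainstIntent(tx, intent) {
  const d = describeTx(tx);
  if (intent.token && d.contract !== intent.token.toLowerCase())
    d.warnings.push("contract is not the token you meant to approve");
  if (intent.recipient && d.recipient && d.recipient !== intent.recipient.toLowerCase())
    d.warnings.push("recipient differs from the address you meant to send to");
  return d;
}

// Encoders: used here to build sample requests and the revoke (allowance 0) txn.
const pad32 = (hex) => hex.replace(/^0x/, "").padStart(64, "0");
const encodeApprove = (spender, amount) => "0x095ea7b3" + pad32(spender) + pad32(amount.toString(16));
const encodeSafeTransferFrom = (from, to, id) =>
  "0x42842e0e" + pad32(from) + pad32(to) + pad32(id.toString(16));
const encodeRevoke = (spender) => encodeApprove(spender, 0n); // what a revoke tool sends

// Constructed placeholder addresses (not real contracts or wallets).
const VALUABLE_TOKEN = "0x1111111111111111111111111111111111111111";
const CHEAP_TOKEN = "0x2222222222222222222222222222222222222222";
const DAPP_SPENDER = "0xbad0000000000000000000000000000000000bad";
const MY_WALLET = "0x3333333333333333333333333333333333333333";

// The scenario from the thread: the user thinks they are approving the cheap
// token, but the popup is really an unlimited approval on the valuable one.
const maliciousTx = { to: VALUABLE_TOKEN, data: encodeApprove(DAPP_SPENDER, MAX_UINT256) };
console.log(checkAgainstIntent(maliciousTx, { token: CHEAP_TOKEN }).warnings);
// The remedy the thread describes: approve the same spender for 0.
console.log(describeTx({ to: VALUABLE_TOKEN, data: encodeRevoke(DAPP_SPENDER) }).amount === 0n);
```

The two checks mirror the thread's advice: `contract` is the token being approved (compare it with the token you expected), `spender` is who gets the allowance, and `unlimited` is the max-allowance problem. For an NFT transfer the same decoder shows `recipient`, which is the address to triple check.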
So, to sum up:
1. Don't approve unintended transfers
2. dApp approval doesn't mean someone has access to your wallet, but they CAN send you fake popups
3. Always watch your token approvals and max allowance
🧵/21
Other approvals, such as "signatures", are commonly scams. Be wary of unnecessary or oddly placed txn approvals.
I hope this helps you stay safe and keep your #cryptocurrency and #NFT in your custody.
🧵/22
If you found this thread helpful, consider liking and following.
Also, share with a retweet to keep #CT safe.
Ok, so I've seen a rather false narrative floating around #CT that I'd like to address/dispel really quick.
I have seen a number of tweets talking about how difficult it is to start an LLC in the US. As a result, I see a lot of praise handed to protocols that do so.
🧵/1
Not saying that a protocol that legitimizes itself in the eyes of the US tax authorities is a bad thing...just that if anyone claims it is a difficult/arduous task to start an LLC, this is NOT TRUE.
I can quickly walk you through the steps:
🧵/2
Step 1:
Use a registered agent to start your LLC.
If your business is digital, you don't have to create the LLC in your home state. You can use a representative agent. My personal favorite is wyomingagents.com since WY has favorable biz taxes.
A lot of people are talking about the #Fantom Virtual Machine. Most conversations, however, simply state that “it’s the future” or “it’s gonna change the game”.
But many still don’t know how or why.
So let’s discuss.
🧵/1
First, if you haven’t yet, definitely listen to the latest interview from @milesdeutscher with Fantom CEO Michael Kong.
He touches on the topic of what they are trying to achieve.
🧵/2
Unfortunately this is still a bit ambiguous. So let’s dive in further.
In the interview Michael talks about research done by university students and professors. Well, here is a publication outlining some of the EVM limitations he discusses: arxiv.org/pdf/1910.11143…
Do you actively trade your #crypto? Or do you buy and #HODL?
Ever aspired to be a day trader? Or at least be much more active in trading?
Ask anyone though, and they'll tell you "DON'T DO IT!" There are many reasons why that is...
🧵/1
Once upon a time, to day trade stocks, you needed AT LEAST $50k. And the reason is simple math. If you're trading a $6 stock and its intraday gain only takes it to $6.75, one share only makes you $0.75 profit. So you need a LOT more.
That's out of reach for most.
🧵/2
For traders with smaller bags but bigger dreams, the futures markets were born.
Here, you can trade on leverage. Did you know that for every $1 in price of Crude Oil, a crude oil futures contract is worth $1k?
So if oil goes from $98 to $103, that represents $5k.
Now that we've discussed how to check if liquidity is locked in a project, let's talk more about how to vet a smart contract.
First, we'll start with the block explorer.
🧵/1
The block explorer is where you can see all of those immutable transactions on the blockchain.
Each chain has its own (bscscan, etherscan, ftmscan, snowtrace, etc.)
You can go to the explorer and plug the contract address into the search bar.
🧵/2
A good place to start is to check out the contract creator's address.
Also, click on the contract's total txn count and then go to the last page. This will show you the first txns on the contract.