Defi Robot
Apr 29, 24 tweets, 7 min read
🚨PROTECT YO-SELF🚨 [thread]

Recently I saw someone on my feed talk about how they got their #NFTs stolen from #Metamask. They went to a malicious site (unbeknownst to them), and performed what they believed were standard approvals.

However, the approvals were safeTransferFrom.

🧵/1
Someone else commented that #crypto investors should learn some basic Solidity functions so they can avoid mistakes like this.

For reference, the safeTransferFrom function is the function that transfers an NFT from one wallet to another.

🧵/2
Anyway, I agree so I thought I'd do a thread on common MetaMask (browser wallet) approvals and permissions.

Let's dive in.

🧵/3
MM and other browser wallets have four primary functions/approvals:

- Transfer/send (to send stuff to another wallet)
- dApp approval (to allow dApp to see your wallet addresses)
- Token approval (approves and sets a limit on the amount of a token a contract can access)
- Mint

🧵/4
Transferring funds is pretty simple. You approve the transaction.
Just make sure you triple check the address it's going to.

🧵/5
Here's that safeTransferFrom again. This is for sending NFTs. Again, make sure you know you are sending your NFT to another wallet, and triple check the wallet address.

🧵/6
Next, the most common approval is the dApp approval.
You can't access dApps through MetaMask without this.

The full permissions are listed under the "Connect To" section beneath "Allows this site to".

🧵/7
Typically this approval only allows the site to see your wallet addresses and transactions.

A common misconception is that if you give this permission to a malicious site, they can steal all your coins. No, this permission doesn't give them access to your wallet.

🧵/8
What this permission does is allow the dApp to see your addresses and transactions.

In and of itself this is not harmful. However, a malicious site could use this information to create more elaborate hacks.

Such as waiting until a txn fails, then sending a fake MM popup.

🧵/9
Never trust a pop-up. Always dismiss and then click on the MetaMask extension manually. This will solve a lot of issues with spoofed pop-ups, as they can be very convincing-looking.

🧵/10
Last is the token approval.
This is typically where people get into trouble.
This is the approval that gives a smart contract access to that particular token, not just for that single txn, but for any in the entire wallet.

🧵/11
How this is an attack vector should seem obvious:
A malicious dApp could ask for permissions to access a DIFFERENT token than the one you think you're approving.
For example, you think you're approving $shitcoin but really they're asking for $BNB.

🧵/12
The second way people get into trouble is these approvals set a max allowance (max amount before approval is needed again)...but so many dApps now just automatically set that amount to either unlimited or an astronomically high number.

🧵/13
This means, if you blindly click approve on a malicious #dApp, you could be approving the wrong token (a valuable one) for an unlimited amount.

THIS would allow the smart contract to extract all of that token from your wallet.

🧵/14
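The thread's advice for tweets 5-6 and 11-14 comes down to one check: read what the transaction actually calls before clicking Confirm. MetaMask shows the raw calldata under the "Hex" tab of the confirmation. The script below is an added example (not from the original thread or from MetaMask) that decodes that hex for the common ERC-20 / ERC-721 calls and reports the contract being called, the function, the spender or recipient, and whether an approval is unlimited. The function selectors are the standard first-4-bytes-of-keccak256 values; the addresses in the sample transactions are constructed placeholders.

```javascript
// Added example, not from the original thread.  Decodes the hex calldata of a
// pending wallet transaction and reports what the dApp is really asking you to
// sign.  Addresses in the samples are constructed placeholders.

// First 4 bytes of keccak256(signature) for the common ERC-20 / ERC-721 calls.
const SELECTORS = {
  "0xa9059cbb": { name: "transfer(address,uint256)",                 args: ["address", "uint256"] },
  "0x095ea7b3": { name: "approve(address,uint256)",                  args: ["address", "uint256"] },
  "0x23b872dd": { name: "transferFrom(address,address,uint256)",     args: ["address", "address", "uint256"] },
  "0x42842e0e": { name: "safeTransferFrom(address,address,uint256)", args: ["address", "address", "uint256"] },
  "0xa22cb465": { name: "setApprovalForAll(address,bool)",           args: ["address", "bool"] },
};
const UINT256_MAX = (1n << 256n) - 1n;

// Decode the i-th 32-byte ABI word of the argument area into the given type.
function decodeWord(body, i, type) {
  const word = body.slice(i * 64, i * 64 + 64);
  if (word.length !== 64) throw new Error("calldata too short for argument " + i);
  switch (type) {
    case "address": return "0x" + word.slice(24);   // address is right-aligned in the word
    case "uint256": return BigInt("0x" + word);
    case "bool":    return BigInt("0x" + word) !== 0n;
    default:        throw new Error("unsupported type " + type);
  }
}

// tx = { to, data } as displayed by the wallet.  Returns a summary plus the
// warnings a user should read before clicking "Confirm".
function inspectTransaction(tx) {
  const data = (tx.data || "0x").toLowerCase();
  const result = { contract: tx.to.toLowerCase(), warnings: [] };
  if (data === "0x") {                          // plain ETH / native coin send
    result.function = "value transfer (no calldata)";
    result.warnings.push("check the recipient address");
    return result;
  }
  const selector = data.slice(0, 10);
  const sig = SELECTORS[selector];
  if (!sig) {
    result.function = "unknown selector " + selector;
    result.warnings.push("unrecognised function; verify the contract's ABI before approving");
    return result;
  }
  const v = sig.args.map((t, i) => decodeWord(data.slice(10), i, t));
  result.function = sig.name;
  switch (selector) {
    case "0xa9059cbb":                          // transfer(to, amount)
      Object.assign(result, { to: v[0], amount: v[1] });
      result.warnings.push("sends tokens out of your wallet; check the recipient address");
      break;
    case "0x095ea7b3":                          // approve(spender, amount)
      Object.assign(result, { spender: v[0], amount: v[1] });
      if (v[1] === UINT256_MAX) result.warnings.push("unlimited allowance: spender can move your entire balance of this token");
      else if (v[1] === 0n) result.warnings.push("allowance set to 0 (this revokes the spender)");
      else result.warnings.push("spender may move up to " + v[1].toString() + " base units");
      break;
    case "0x23b872dd":                          // transferFrom(from, to, amount)
    case "0x42842e0e":                          // safeTransferFrom(from, to, tokenId)
      Object.assign(result, { from: v[0], to: v[1] });
      result[selector === "0x42842e0e" ? "tokenId" : "amount"] = v[2];
      result.warnings.push("moves an asset from " + v[0] + " to " + v[1] + "; confirm both addresses");
      break;
    case "0xa22cb465":                          // setApprovalForAll(operator, approved)
      Object.assign(result, { operator: v[0], approved: v[1] });
      if (v[1]) result.warnings.push("operator gains control of every NFT in this collection");
      break;
  }
  return result;
}

// Constructed sample transactions (placeholder addresses, not real contracts).
const SAMPLE_APPROVE_UNLIMITED = {
  to: "0x2222222222222222222222222222222222222222",        // the token contract
  data: "0x095ea7b3"
    + "000000000000000000000000" + "1111111111111111111111111111111111111111" // spender
    + "f".repeat(64),                                                        // 2^256 - 1
};
const SAMPLE_NFT_TRANSFER = {
  to: "0x3333333333333333333333333333333333333333",        // the NFT collection
  data: "0x42842e0e"
    + "000000000000000000000000" + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" // from (your wallet)
    + "000000000000000000000000" + "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" // to (not your wallet)
    + "000000000000000000000000000000000000000000000000000000000000002a",     // tokenId 42
};

console.log(inspectTransaction(SAMPLE_APPROVE_UNLIMITED));
console.log(inspectTransaction(SAMPLE_NFT_TRANSFER));
```

Note that the token being approved is the contract the transaction is sent *to*, not anything in the calldata, which is exactly the "wrong token" trick described in tweet 12: compare `contract` against the token you meant to approve, and treat an `amount` equal to 2^256-1 as permission to move your whole balance.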
There are other functions, such as mint(), but those first three are the most common that allow attack vectors for scammers.

So how do you protect against them?

🧵/15
As mentioned above, don't approve a transfer to any address you don't intend to transfer to. Always ALWAYS triple check addresses for any function that says "Transfer".

🧵/16
Don't trust popups, ever. Always dismiss any popup and then manually click on the MM extension.

If you realize you've approved a scam site, you can revoke it in MM.

Click the three dots, go to Connected Sites, then click Disconnect.

🧵/17
For token approvals, this is a little trickier.
If you want to revoke approval to your tokens from a smart contract you'll need to do so in the block explorer.

Block explorers have a /tokenapprovalchecker (just enter the explorer URL and that at the end) to check these.

🧵/18
Then, you plug in your wallet address, connect your wallet, and revoke the contract.
This will cost gas, however.

🧵/19
It's a good idea to revoke old contracts that you no longer interact with.
The reason is, these approvals live on the blockchain and therefore persist forever.
If a developer gains access to that contract in the future and decides to exploit it, you are in danger.

🧵/20
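Tweets 18-20 say that an approval is on-chain state that persists until you revoke it. The following is an added example, not from the original thread: an in-memory model of ERC-20 allowance bookkeeping (approve / allowance / transferFrom) that walks through the scenario the thread describes. It shows that the allowance survives the swap it was granted for, that an unlimited allowance never runs down on its own, that revoking means sending approve(spender, 0) (which is what the explorer's approval checker does for you, and why it costs gas), and that a bounded approval is self-limiting. Addresses are constructed placeholders; nothing here talks to a real chain.

```javascript
// Added example, not from the original thread.  In-memory model of ERC-20
// allowance semantics; addresses are constructed placeholders.

const UINT256_MAX = (1n << 256n) - 1n;

class TokenModel {
  constructor() {
    this.balances = new Map();    // owner -> BigInt
    this.allowances = new Map();  // owner -> Map(spender -> BigInt)
  }
  mint(to, amount) { this.balances.set(to, this.balanceOf(to) + amount); }
  balanceOf(owner) { return this.balances.get(owner) || 0n; }
  allowance(owner, spender) { return (this.allowances.get(owner) || new Map()).get(spender) || 0n; }

  // approve(spender, amount), called by the owner.  It overwrites the previous
  // value rather than adding to it, which is why approve(spender, 0) revokes.
  approve(owner, spender, amount) {
    if (!this.allowances.has(owner)) this.allowances.set(owner, new Map());
    this.allowances.get(owner).set(spender, amount);
  }

  // transferFrom(from, to, amount), called by the spender (normally a contract)
  // in any later transaction, as often as the remaining allowance permits.
  transferFrom(spender, from, to, amount) {
    const allowed = this.allowance(from, spender);
    if (allowed < amount) throw new Error("insufficient allowance");
    if (this.balanceOf(from) < amount) throw new Error("insufficient balance");
    // Common implementations do not decrement an unlimited allowance, so it
    // never runs out by itself.
    if (allowed !== UINT256_MAX) this.allowances.get(from).set(spender, allowed - amount);
    this.balances.set(from, this.balanceOf(from) - amount);
    this.balances.set(to, this.balanceOf(to) + amount);
  }

  // What an approval checker lists for one owner: every spender still holding
  // a non-zero allowance.
  activeApprovals(owner) {
    return [...(this.allowances.get(owner) || new Map())]
      .filter(([, amount]) => amount > 0n)
      .map(([spender, amount]) => ({ spender, amount: amount === UINT256_MAX ? "unlimited" : amount.toString() }));
  }
}

// Walk through the thread's scenario and return the observable state at each step.
function approvalLifecycle() {
  const you = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";   // constructed: your wallet
  const dapp = "0xcccccccccccccccccccccccccccccccccccccccc";  // constructed: a dApp contract
  const token = new TokenModel();
  token.mint(you, 1000n);

  // Step 1: the dApp asks for an unlimited approval and pulls 10 tokens for a swap.
  token.approve(you, dapp, UINT256_MAX);
  token.transferFrom(dapp, you, dapp, 10n);
  const balanceAfterSwap = token.balanceOf(you);

  // Step 2: the swap is long finished, but the allowance is still on-chain state.
  const approvalsBeforeRevoke = token.activeApprovals(you);

  // Step 3: revoke (what the explorer's approval checker does) and confirm that
  // a later pull by the same contract is rejected.
  token.approve(you, dapp, 0n);
  const approvalsAfterRevoke = token.activeApprovals(you);
  let laterPullBlocked = false;
  try { token.transferFrom(dapp, you, dapp, token.balanceOf(you)); }
  catch (e) { laterPullBlocked = e.message === "insufficient allowance"; }

  // Step 4: the bounded alternative.  Approving exactly what the swap needs
  // leaves nothing behind once it is spent.
  token.approve(you, dapp, 10n);
  token.transferFrom(dapp, you, dapp, 10n);
  const boundedAllowanceLeft = token.allowance(you, dapp);

  return { balanceAfterSwap, approvalsBeforeRevoke, approvalsAfterRevoke,
           laterPullBlocked, boundedAllowanceLeft, finalBalance: token.balanceOf(you) };
}

console.log(approvalLifecycle());
```

The model is deliberately the minimum that reproduces the standard's behaviour; on a real token the `approve` and `transferFrom` calls are separate transactions, possibly months apart, which is the whole point of tweet 20.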
So, to sum up:
1. Don't approve unintended transfers
2. dApp approval doesn't mean someone has access to your wallet, but they CAN send you fake popups
3. Always watch your token approvals and max allowance

🧵/21
Other approvals, such as "signatures", are commonly scams. Be wary of unnecessary or oddly placed txn approvals.

I hope this helps you stay safe and keep your #cryptocurrency and #NFT in your custody.

🧵/22
If you found this thread helpful, consider liking and following.
Also, share with a retweet to keep #CT safe.

Cheers!

🧵/finis
Tagging my homies who are interested in on-chain analysis and security:
@0xLosingMoney @economiserly @VirtualKenji
