WiiMee.eth (@Wii_Mee)
Jul 3 · 13 tweets · 7 min read
Why wallet hygiene will become more important!

After discovering a recent scam method, where the attackers don’t get you to sign an approval for all txn – but rather just steal your signature to buy all your approved NFTs for free – here’s a 🧵 & video on it.
1/12 #SaferNFTs
This scam attack isn’t new (it was used in Feb 2022 when OpenSea changed their protocol to V2) but was found on a site called imposters(dot)in – see the video at the end of this thread for what it does, so you don’t have to visit and connect anything to the site.
2/12 #SaferNFTs
Red flag #1 🚩: The site prompts you to connect your wallet before you can do anything on there.
Red flag #2 🚩: After you’ve connected the wallet, it will immediately request a signature; here’s where it gets DANGEROUS. Good thing: we can read the EIP-712 code.
3/12 #SaferNFTs
The signature might not look that scary – because it doesn’t ask for an approval for all transactions – that's what most scams / fake mints do nowadays.
But: Signing this signature request might do more damage than an approval for all for a collection.
4/12 #SaferNFTs
But why @Wii_Mee you’d ask?
Because it grants the scammer’s contract (and the linked wallet) the ability to BUY all your APPROVED collections to the specific contract under “exchange” for 0 ETH (or whatever tokens) for like 52 years.
5/12 #SaferNFTs
The worst part about this: The signature itself is stored for the attacker and can’t be removed via sites like revoke.cash or etherscan.io. Plus: There's no way to find out what kind of signatures you signed - unlike transaction approvals.
6/12 #SaferNFTs
This means, even if you don't have any active approvals to the specific marketplace contract at the moment of signing this request, they could wait and execute your stored signature if you ever approve something to that target contract again.
7/12 #SaferNFTs
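The request in tweets 3 to 7 is an EIP-712 typed-data signature, so a wallet (or you, reading the payload) can check it before signing. Below is an added example, not code from the thread or from any marketplace, that flags exactly the patterns described above: an unknown verifying contract, a fixed taker, a zero price, and an expiry decades away or missing. The message field names (exchange, taker, basePrice, expirationTime, paymentToken) are assumptions modeled on a Wyvern-style Order struct, and every address and the sample requests are constructed placeholders.

```javascript
// Added example (not from the thread): pre-signing inspection of an EIP-712 request.
// Field names are assumptions modeled on a Wyvern-style Order; addresses are constructed.

const ZERO_ADDRESS = '0x0000000000000000000000000000000000000000';
const SECONDS_PER_YEAR = 365 * 24 * 60 * 60;

// Contracts you have deliberately chosen to trust (constructed placeholder, not a real one).
const KNOWN_EXCHANGES = new Set(['0x1111111111111111111111111111111111111111']);

function norm(addr) {
  return typeof addr === 'string' ? addr.toLowerCase() : addr;
}

// Returns a list of { code, detail } findings; an empty list means nothing matched.
function inspectTypedData(typedData, now = Math.floor(Date.now() / 1000)) {
  const findings = [];
  const msg = typedData.message || {};
  const domain = typedData.domain || {};

  // The contract that will verify and execute the order (EIP-712 domain).
  const exchange = norm(domain.verifyingContract || msg.exchange);
  if (!exchange || !KNOWN_EXCHANGES.has(exchange)) {
    findings.push({ code: 'UNKNOWN_CONTRACT', detail: `verifying contract ${exchange} is not on your allowlist` });
  }
  // A fixed, non-zero taker means one specific counterparty can fill the order.
  if (msg.taker !== undefined && norm(msg.taker) !== ZERO_ADDRESS) {
    findings.push({ code: 'SPECIFIC_TAKER', detail: `only ${msg.taker} can fill this order` });
  }
  // Price of zero: whoever fills the order pays nothing for your assets.
  if (msg.basePrice !== undefined && BigInt(msg.basePrice) === 0n) {
    findings.push({ code: 'ZERO_PRICE', detail: 'basePrice is 0' });
  }
  // Expiry: in Wyvern-style orders 0 means "never expires"; anything beyond a year is suspicious.
  if (msg.expirationTime !== undefined) {
    const exp = Number(msg.expirationTime);
    if (exp === 0) {
      findings.push({ code: 'NO_EXPIRY', detail: 'expirationTime is 0 (no expiry)' });
    } else if ((exp - now) / SECONDS_PER_YEAR > 1) {
      findings.push({ code: 'LONG_EXPIRY', detail: `order stays valid for ~${((exp - now) / SECONDS_PER_YEAR).toFixed(1)} years` });
    }
  }
  return findings;
}

// Fixed "now" (2022-07-03T00:00:00Z) so the results below are deterministic.
const NOW = 1656806400;

// Constructed sample resembling the request in the thread: a zero-price sell order
// that only one address can fill, valid for ~52 years, on an unknown exchange contract.
const scamRequest = {
  domain: { name: 'Example Exchange', version: '1', chainId: 1,
            verifyingContract: '0x2222222222222222222222222222222222222222' },
  primaryType: 'Order',
  message: {
    exchange: '0x2222222222222222222222222222222222222222',
    maker: '0x3333333333333333333333333333333333333333', // the signer (constructed)
    taker: '0x4444444444444444444444444444444444444444', // the only allowed buyer (constructed)
    side: 1,                                             // sell
    paymentToken: ZERO_ADDRESS,                          // ETH
    basePrice: '0',
    listingTime: NOW - 60,
    expirationTime: NOW + 52 * SECONDS_PER_YEAR,
  },
};

// Constructed normal listing on a trusted exchange: open taker, real price, one-week expiry.
const normalListing = {
  domain: { name: 'Example Exchange', version: '1', chainId: 1,
            verifyingContract: '0x1111111111111111111111111111111111111111' },
  primaryType: 'Order',
  message: {
    exchange: '0x1111111111111111111111111111111111111111',
    maker: '0x3333333333333333333333333333333333333333',
    taker: ZERO_ADDRESS,
    side: 1,
    paymentToken: ZERO_ADDRESS,
    basePrice: '1000000000000000000', // 1 ETH in wei
    listingTime: NOW - 60,
    expirationTime: NOW + 7 * 24 * 60 * 60,
  },
};

function findingCodes(typedData, now = NOW) {
  return inspectTypedData(typedData, now).map((f) => f.code);
}

console.log('scam request:', findingCodes(scamRequest));     // [ 'UNKNOWN_CONTRACT', 'SPECIFIC_TAKER', 'ZERO_PRICE', 'LONG_EXPIRY' ]
console.log('normal listing:', findingCodes(normalListing)); // []
```

The checks are deliberately field-based rather than site-based: the thread's point is that the dangerous request looks harmless because it is not a setApprovalForAll transaction, so the thing to read is the order itself (who can fill it, for how much, and for how long), not the page that asked for it.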
Knowing all this – what can we do?
Don't sign any signature request like the one in the video below from random sites EVER.
The magic word is wallet hygiene. Meaning: Check your token approvals regularly and revoke contracts that you're no longer interacting with.
8/12 #SaferNFTs
My advice: Remove all unused contracts and the old “OwnableDelegateProxy” approvals for @opensea when gas is cheap (I'd go for 10 gwei).
OpenSea switched to the Seaport protocol in May '22 and is now using an approval shown as “OpenSea: Conduit” for new listings.
9/12 #SaferNFTs
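Tweets 8 and 9 describe the hygiene routine: find out which operators currently hold a setApprovalForAll on your collections and revoke the ones you no longer use. The added example below, not code from the thread, shows how that state is derived: it replays ERC-721 ApprovalForAll(owner, operator, approved) events in order (the last event per collection/operator pair wins), compares the result against an allowlist of operators you still use, and builds the calldata for setApprovalForAll(operator, false) for everything else. The event rows and every address are constructed placeholders; the names LEGACY_PROXY and CURRENT_CONDUIT only stand in for the old and new OpenSea operators the thread mentions, not their real addresses.

```javascript
// Added example (not from the thread): rebuild a wallet's operator approvals from
// ApprovalForAll events and produce a revoke plan. All addresses and rows are constructed.

const VICTIM = '0x' + '33'.repeat(20);
const COLLECTION_A = '0x' + 'aa'.repeat(20);
const COLLECTION_B = '0x' + 'bb'.repeat(20);
const LEGACY_PROXY = '0x' + '55'.repeat(20);     // stands in for an old "OwnableDelegateProxy"-style operator
const CURRENT_CONDUIT = '0x' + '66'.repeat(20);  // stands in for the operator you still list with
const RANDOM_MINT_SITE = '0x' + '77'.repeat(20); // an operator approved once for a mint

// Constructed ApprovalForAll(owner, operator, approved) rows as an indexer would return them.
// A real replay would also order by logIndex within a block; single events per block here.
const EVENTS = [
  { block: 100, collection: COLLECTION_A, owner: VICTIM, operator: LEGACY_PROXY, approved: true },
  { block: 120, collection: COLLECTION_B, owner: VICTIM, operator: LEGACY_PROXY, approved: true },
  { block: 150, collection: COLLECTION_B, owner: VICTIM, operator: RANDOM_MINT_SITE, approved: true },
  { block: 160, collection: COLLECTION_A, owner: VICTIM, operator: CURRENT_CONDUIT, approved: true },
  { block: 170, collection: COLLECTION_B, owner: VICTIM, operator: RANDOM_MINT_SITE, approved: false }, // already revoked
  { block: 180, collection: COLLECTION_B, owner: VICTIM, operator: CURRENT_CONDUIT, approved: true },
];

// Replay the owner's events in block order; the latest event per (collection, operator) wins.
function currentOperators(events, owner) {
  const state = new Map(); // collection -> Set of approved operators
  const mine = events
    .filter((e) => e.owner.toLowerCase() === owner.toLowerCase())
    .sort((a, b) => a.block - b.block);
  for (const e of mine) {
    const col = e.collection.toLowerCase();
    const op = e.operator.toLowerCase();
    if (!state.has(col)) state.set(col, new Set());
    if (e.approved) state.get(col).add(op);
    else state.get(col).delete(op);
  }
  return state;
}

// ABI-encode setApprovalForAll(address,bool) with approved = false.
// 0xa22cb465 is the 4-byte selector of setApprovalForAll(address,bool).
function revokeCalldata(operator) {
  const addrWord = operator.slice(2).toLowerCase().padStart(64, '0');
  const falseWord = '0'.repeat(64);
  return '0xa22cb465' + addrWord + falseWord;
}

// Every operator still approved that is not on the allowlist becomes a revoke transaction.
function revokePlan(events, owner, allowlist) {
  const allowed = new Set(allowlist.map((a) => a.toLowerCase()));
  const plan = [];
  for (const [collection, operators] of currentOperators(events, owner)) {
    for (const op of operators) {
      if (!allowed.has(op)) plan.push({ to: collection, operator: op, data: revokeCalldata(op) });
    }
  }
  return plan;
}

// Keep only the operator you still list with; everything else gets revoked.
const plan = revokePlan(EVENTS, VICTIM, [CURRENT_CONDUIT]);
console.log(plan); // two entries: LEGACY_PROXY on COLLECTION_A and on COLLECTION_B
```

Note that RANDOM_MINT_SITE does not appear in the plan: its later approved=false event cleared it, which is exactly what reading the current state (rather than the list of everything you ever approved) gives you. Tools such as revoke.cash do this lookup for you; the example only shows what they compute.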
Wise people in the @BoringSecDAO advise you to use 4 wallets:
- A vault wallet with 0 approvals
- A buying / selling wallet – Marketplaces only
- A degen mint wallet (I recommend making new ones for every free mint)
- Non-degen mint wallet (for speed mostly)
10/12 #SaferNFTs
TLDR:
Always pay attention to WHAT kind of signatures / transactions you sign with your private key. Treat it like a real-life signature!
And most importantly, move your valuable assets into a wallet / vault where you have close to 0 or 0 approvals for anything.
11/12 #SaferNFTs
Extra:
Link to the video I made about this thread, explaining everything in a bit more detail, with visuals.

If this thread was helpful to you, I'd be happy if you hit the follow button!
Stay safe frens! 🦊🛡🔒
12/12 #SaferNFTs
One more extra:
The origin tweet from a few days ago shows you the txn that is executed, shown on etherscan as "0xf191a7cd".
Contract address used in this scam:
0xdE6135B63dEcC47d5A5D47834A7dD241fE61945A
