WiiMee.eth 🟦🟥
Oct 5, 2022 • 15 tweets • 5 min read
"Always read what you're signing!"

Ever heard that saying in web3?

I did.

So here's how to READ and RECOGNIZE that we're signing a listing to Opensea's Seaport protocol (one we might not want).

#SaferNFTs 🛡 1/13
Everyone who's been following me for a while knows I tweeted a lot about signature / listing sc4ms.

"Offerer" is one of the biggest red flags you're looking for. 🚩

The message on the right is something you should NEVER see and NEVER expect on a non-marketplace website.

2/13 Image
But before we take a look at the drainer above - let's analyze what a legit Opensea listing signature would look like. 💡

3/13
Learning #1: It's CRUCIAL that the URL displayed is opensea(dot)io if you're actually listing an item there.
(Blurred out parts are the wallet address)

The Seaport header will ALWAYS show up on SC4M signature requests AS WELL, because that is the contract that is called.

4/13 Image
This is what a full (legit) signature request for 1 NFT looks like in an editor (for readability).
See the token we saw in the MM screenshot?

Here's the catch: This is a 0 ETH private listing to one of my wallets - so exactly how a sc4m would operate.
How would we know?

5/13 Image
Consideration (or return):

The only recipient is a wallet address.

Apart from that, there are NO additional specifications for this listing, which means the tokens you're offering go for free, as you're not a recipient.

Time and below aren't relevant from a non-technical pov.

6/13 Image
Now we know what a "giveaway / no return / fatfinger / 0 ETH" listing would look like.

How does a legit one look? Let's bring up the editor again.

7/13
This is a "standard listing" signature.

We still have ONE offer item, but now there are at least 2 (most times at least 3) consideration items for that offer item.

The seller's wallet receives the set amount of token 0x00... (the chain's native token, in this case ETH).

8/13 Image
After the seller, Opensea receives their % fee share, and the project their % royalties (if set).
Then the buyer's wallet will receive the token in return for the ETH.

Don't mind everything below startTime.

Now - what does the malicious signature from tweet #2 look like?

9/13 Image
Sc4mmers scan your wallet for open approvals with a .js file.

If you look up entry 0: 0xbc4ca0eda7647a8ab7c2061c2e118a18a936f13d on Etherscan - you'll find... the Bored Ape Yacht Club, TokenID 8867.

1: is the ERC20 USDC - with an amount of $39863!

Still looking ok, no?

10/13 Image
We offered 8 different items - so there should be at least 16 (if not 24) consideration items, right (seller, OS fee, royalties)?
In a legit listing - yes. But we're getting exploited here. Simply put: ALL your offer items -> one recipient wallet address. Without ANYTHING in return.

11/13 Image
TL;DR:

Takeaways for listing signatures:
1) Make sure the offerer is the wallet address that WANTS to list items
2) The offer contains EVERYTHING you (the offerer) are spending
3) Consideration is what needs to be received, and by whom, in order to take the offer items.

12/13
TL;DR 2:

Checks for listing signatures:
1) The right wallet is selected (don't use the wrong account) ✅
2) NO NFTs / ERC20s in the offer items you don't want to sell ✅
3) Your wallet address is the #1 consideration item + there's the token you're trying to sell for ✅

13/13
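The three takeaways in 12/13 and the three checks in 13/13 can be applied mechanically to the typed data a wallet shows you. The JavaScript below is an added example and is not code from this thread, from Opensea or from the Seaport project: it takes a Seaport order object in the OrderComponents shape the wallet prompt displays (offerer, offer, consideration), plus the account the user selected and the items they actually intend to sell, and reports which checks fail. The item-type numbers follow Seaport's ItemType enum (0 native, 1 ERC20, 2 ERC721, 3 ERC1155). The BAYC contract address and token ID are the ones from tweet 10/13; every other address and every amount is a constructed placeholder, and the "drainer" order is a constructed approximation of the pattern described in 11/13 (all offer items to one recipient, nothing back), not a capture of the real one.

```javascript
// Added example: mechanical version of the thread's listing-signature checks.
// Order shape = Seaport OrderComponents as shown in the EIP-712 wallet prompt.
// ItemType numbers are Seaport's enum; all addresses except BAYC are constructed.

const ItemType = { NATIVE: 0, ERC20: 1, ERC721: 2, ERC1155: 3 };

const sameAddr = (a, b) => String(a).toLowerCase() === String(b).toLowerCase();

// Human-readable rendering of an offer/consideration item, as you'd read it in the prompt.
function describeItem(item) {
  const name = Object.keys(ItemType).find((k) => ItemType[k] === Number(item.itemType));
  return `${name || `type ${item.itemType}`} ${item.token} #${item.identifierOrCriteria} x${item.startAmount}`;
}

// Apply the three checks: offerer, offer contents, consideration.
// selectedWallet: the account the wallet UI shows as connected.
// intendedOffer: what the user actually wants to sell, as [{ token, identifier }].
function reviewListing(order, { selectedWallet, intendedOffer }) {
  const findings = [];
  const flag = (code, detail) => findings.push({ code, detail });

  // 1) The offerer must be the wallet that wants to list.
  if (!sameAddr(order.offerer, selectedWallet)) {
    flag('OFFERER_MISMATCH', `offerer ${order.offerer} is not the selected wallet ${selectedWallet}`);
  }

  // 2) The offer is EVERYTHING you spend: every item must be one you intend to sell.
  for (const item of order.offer) {
    const intended = intendedOffer.some(
      (i) => sameAddr(i.token, item.token) && String(i.identifier) === String(item.identifierOrCriteria),
    );
    if (!intended) flag('UNEXPECTED_OFFER_ITEM', describeItem(item));
  }

  // 3) Consideration is what comes back, and to whom.
  if (order.consideration.length === 0) {
    flag('NO_CONSIDERATION', 'nothing is received in return for the offer items');
    return { safe: false, findings };
  }
  const first = order.consideration[0];
  if (!sameAddr(first.recipient, order.offerer)) {
    flag('FIRST_RECIPIENT_NOT_YOU', `first consideration item goes to ${first.recipient}`);
  }
  const paidToYou = order.consideration.some(
    (c) =>
      sameAddr(c.recipient, order.offerer) &&
      (Number(c.itemType) === ItemType.NATIVE || Number(c.itemType) === ItemType.ERC20) &&
      BigInt(c.startAmount) > 0n,
  );
  if (!paidToYou) flag('NO_PAYMENT_TO_YOU', 'no ETH / ERC20 in the consideration is paid to the offerer');

  return { safe: findings.length === 0, findings };
}

// ---- constructed sample orders (placeholder addresses, not real wallets) ----
const SELLER = '0x1111111111111111111111111111111111111111';
const DRAINER = '0x2222222222222222222222222222222222222222';
const FEE_RECIPIENT = '0x3333333333333333333333333333333333333333';
const STABLECOIN = '0x4444444444444444444444444444444444444444'; // stand-in for an ERC20 such as USDC
const ZERO = '0x0000000000000000000000000000000000000000';       // native token (ETH) in Seaport
const BAYC = '0xbc4ca0eda7647a8ab7c2061c2e118a18a936f13d';       // from the thread (tweet 10/13)
const WEI = 10n ** 18n;

const item = (itemType, token, id, amount, recipient) => ({
  itemType, token, identifierOrCriteria: String(id),
  startAmount: String(amount), endAmount: String(amount),
  ...(recipient ? { recipient } : {}),
});

// Standard listing (tweet 8/13): one NFT offered, seller paid first, then the fee recipient.
const legitListing = {
  offerer: SELLER,
  offer: [item(ItemType.ERC721, BAYC, 8867, 1)],
  consideration: [
    item(ItemType.NATIVE, ZERO, 0, 39n * WEI, SELLER),
    item(ItemType.NATIVE, ZERO, 0, 1n * WEI, FEE_RECIPIENT),
  ],
};

// Drainer listing (tweet 11/13): NFT plus an ERC20 balance offered, nothing coming back.
const drainerListing = {
  offerer: SELLER,
  offer: [item(ItemType.ERC721, BAYC, 8867, 1), item(ItemType.ERC20, STABLECOIN, 0, 39863000000n)],
  consideration: [item(ItemType.NATIVE, ZERO, 0, 0n, DRAINER)],
};

const intendedOffer = [{ token: BAYC, identifier: 8867 }];
const legitReview = reviewListing(legitListing, { selectedWallet: SELLER, intendedOffer });
const drainerReview = reviewListing(drainerListing, { selectedWallet: SELLER, intendedOffer });
console.log('legit:', legitReview);
console.log('drainer:', drainerReview);
```

Run it with `node` and compare the two printouts: the standard listing comes back `safe: true`, while the drainer order is flagged three times (an offer item you never meant to sell, a first consideration recipient that is not you, and no payment to you at all). The checks deliberately stop at what is visible in the prompt; they do not need the chain or the marketplace, which is the point of reading before signing.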
Extra: Thanks to @z0age for the exchange during this writeup. Appreciate your time and wisdom.

I'm planning to do a video on this topic to explain it a bit more in detail + visuals. 📺

@RevokeCash extension has displayed THIS for the signature request.

Stay safe everyone! 🛡 Image
A video covering this 🧡 with a much more detailed explanation is ready.

Follow me along for ~20 minutes as I teach you what to look out for.
