Share this page!

Maybe Scrolly?
WiiMee.eth 🛡🦺 Profile picture
Twitter logo
Oct 5 15 tweets 5 min read
"Always read what you're signing!"

Ever heard that saying in web3?

I did.

So here's how to READ and RECOGNIZE we're signing an listing to Opensea's Seaport protocol (that we might don't want).

#SaferNFTs 🛡 1/13
Everyone who's been following me for a while knows I tweeted a lot about signature / listing sc4ms.

"Offerer" is one of the biggest red flags you're looking for. 🚩

The message on the right is something you should NEVER see and NEVER expect on a non-marketplace website.

2/13 Image
But before we take a look at the drainer above - let's analyze what an legit Opensea listing signature would look like. 💡

3/13
Learning #1: It's CRUCIAL that the URL displayed is opensea(dot)io if you're actually listing an item there.
(Blurred out parts are the wallet address)

The Seaport header will ALWAYS show up on SC4M signature requests ASWELL because that is the contract that is called.

4/13 Image
This is what a full (legit) signature request for 1 NFT looks like in an editor (for readability).
See the token we saw in the MM screenshot?

Here's the catch: This is an 0 ETH private listing to one of my wallets - so exactly how a sc4m would operate.
How would we know?

5/13 Image
Consideration (or return):

The only recipient is a wallet address.

Apart from that, there a NO additonal specifications for this listing. Which considers the tokens you're offering free as you're not a recipient.

Time and below aren't relevant from a non-technical pov.

6/13 Image
Now we know what a "giveaway / no return / fatfinger / 0 ETH" listing would look like.

How does a legit one look? Let's bring up the editor again.

7/13
This is a "standard listing" signature.

We still got ONE offer item. But we now got at least 2 (most times at least 3) consideration items for the offer item.

The seller's wallet receives the set amount of token: 0x00..(which is the native of the chain, in this case ETH).

8/13 Image
After the seller, Opensea receives their % feeshare, and the project their % royalties (if set).
Then the buyer's wallet will receive the token in return for the ETH.

Don't mind everything below startTime.

Now - how does the malicious signature from tweet #2 look like?

9/13 Image
Sc4mmers scan your wallet for open approvals with a .js file.

If you look up entry 0: 0xbc4ca0eda7647a8ab7c2061c2e118a18a936f13d on Etherscan - you'll find.. The Bored Ape Yacht Club. TokenID: 8867.

1: Is the ERC20 USDC - with an amount of 39863$!

Still looking ok, no?

10/13 Image
We offered 8 different items - there should be at least 16 (if not 24) consideration items right (OS fee, royalties)?
In a legit listing - yes. But we're getting exploited here. Simply put: All your offer items -> recipient wallet address. Without ANYTHING in return.

11/13 Image
TL;DR:

Takeaways for listing signatures:
1) Make sure the offerer is the wallet address that WANTS to list items
2) The offer contains EVERYTHING you (the offerer) are spending
3) Consideration is what needs to be received and by who, in order to take the offer items.

12/13
TL;DR 2:

Checks for listing signatures:
1) The right wallet is selected (don't use the wrong account) ✅
2) NO NFTs / ERC20s in the offer items you don't want to sell ✅
3) Your Wallet address is the #1 consideration item + there's the token you're trying to sell for ✅

13/13
Extra: Thanks to @z0age for the exchange during this writeup. Appreciate your time and wisdom.

I'm planning to do a video on this topic to explain it a bit more in detail + visuals. 📺

@RevokeCash extension has displayed THIS for the signature request.

Stay safe everyone! 🛡 Image
Video covering this 🧵in a way more detailed explanation is ready.

Follow me along for ~20 minutes as I teach you what to look out for.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with WiiMee.eth 🛡🦺

WiiMee.eth 🛡🦺 Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @Wii_Mee

WiiMee.eth 🛡🦺 Profile picture
Aug 8
How to ⁉

Mint your NFT directly from a contract via @etherscan.

Hope this eliminates a lot of approval for alls and malicious signature signs on sc*mmy mint websites.

A detailed tutorial video on how to is in the last posts! 🎥

A step by step 🪡🧵

#SaferNFTs 1/13
First we need to know the contract address of the project that we want to mint.

Several approaches to get it without visiting the website:
1) Discord (official links channel)
2) Opensea (should be listed, 'cause: never be first to mint)
3) Project's Twitterpage

#SaferNFTs 2/13
Example: Looking for the contract address on Opensea?

Open the collection on Opensea, navigate down.
Under traits of an NFT, expand the "Details" tab. Clicking on contract address views it on etherscan.io directly.

#SaferNFTs 3/13
Read 14 tweets
WiiMee.eth 🛡🦺 Profile picture
Jul 19
Web3 basics 101 - Your seedphrase is something you want to protect at ALL cost. If you hand out your seedphrase - it's game over for that wallet (+subwallets).

Here’s a🧵about companies entering web3 and not properly putting disclaimers up for user security.

#SaferNFTs 1/10
I chose @Stepnofficial as an EXAMPLE for this🧵, applies to all others.

For those unfamiliar with #STEPN - they are essentially onboarding people to web3 to earn crypto through their app while being active / moving / running. Which - as a concept is a cool idea.

#SaferNFTs 2/10
STEPN launched on $sol originally, expanded to $bnb and now added $eth. Different chains are referred to as realms. Basically = servers, if you're familiar with MMORPGs. Solana Realm, BNB Realm and APE Realm.

Ok, onto the security part already @Wii_Mee!

#SaferNFTs 3/10
Read 10 tweets
WiiMee.eth 🛡🦺 Profile picture
Jul 8
Most of your answers said: #2. 🥁

Yes, you didn't see the Origin - which would've made it too easy for y'all! 😂

Here's your answer (dont click the quoted tweet, lol):
💡Solution:

Actually all these 3 screenshots were from @opensea while interacting with the new Seaport protocol.

Correct answer (with known Origin): 2!

1 by 1 screenshot explanation below ⤵
#1
"Set Approval For All" txn would be a 🚩 and a sign to run away as fast as you can.

Interacting with a marketplace you have to give out the approval for the first listing of a collection, so they can execute a transfer on your behalf if your NFT sells.

A: Blind signing in #3
Read 8 tweets
WiiMee.eth 🛡🦺 Profile picture
Jul 7
#SaferNFTs 🛡🔒

❓Web3 security quiz❓

Which of the following 3 request is (probably) the safest to approve, and why?

Drop your learnings below ⤵ Image
Will reveal the answer tomorrow or so, so me liking your tweets doesn't mean you're right necessarily. ☝️
💡Mini solution thread:
Read 4 tweets
WiiMee.eth 🛡🦺 Profile picture
Jul 6
Now I had everyone's attention with the wallet hygiene 🧵:

Time to compare:
etherscan.io and / or revoke.cash to revoke permissions you gave to your wallet address?

Had split the video, because I'm 🇪🇺 and still can't use Twitter blue.

1/2

#SaferNFTs
How to use etherscan.io and / or revoke.cash to revoke permissions you gave to your wallet address?

Had to split the video cause of time limit.

🎶: Calming In The Sun - Alex MakeMusic on Pixabay

Lion animation by: @VonUnruhDesign

2/2
#SaferNFTs
.@RoscoKalis might be some good food for thoughts for @RevokeCash here.
Read 4 tweets
WiiMee.eth 🛡🦺 Profile picture
Jul 3
Why wallet hygiene will become more important!

After discovering a recent scam method, were the attackers don’t get you to sign an approval for all txn – rather then just stealing your signature to buy all your approved NFTs for free – here’s a 🧵& video on it.
1/12 #SaferNFTs
This scam attack isn’t new (was used in Feb 2022 when Opensea changed their protocol to V2) but was found on a site called imposters(dot)in – video to see what it does at the end of this thread, so you don’t have to visit an connect anything to the site.
2/12 #SaferNFTs
Red flag #1 🚩: The site prompts you to connect your wallet before you can do anything on there.
Red flag #2 🚩: After you connected the wallet, it will immediately request a signature, here’s where it gets DANGEROUS. Good thing: We can read the EIP-712 code.
3/12 #SaferNFTS
Read 13 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Send Email!

Email the whole thread instead of just a link!

Separate emails with commas

:(