Beware of Free Mint's New Scam: Assets Stolen After Participating in Premint Wins
区块律动BlockBeats
2022-07-08 10:00
Premint does not review the projects that use its service, so don't assume these sweepstakes are "Premint endorsed".

Original compilation: 0x9F, czgsws, BlockBeats

This article is based on views posted by Montana Wong, co-founder of the Web3 creator tools Sprise and Pally.gg, on his personal social media account. BlockBeats has compiled and translated them as follows:

"Degen meta" is the current trend in the NFT space: a team launches a project as a Free Mint and provides little or no roadmap. Projects such as goblintown have used this format successfully. The pattern is fine in a bear market, because with a Free Mint you at least can't lose money.

Scammers take advantage of this. Instead of creating fake projects to defraud you of your ETH, they create a FOMO atmosphere to induce you to participate in a free "degen" Mint project, tricking you into granting them permission to transfer the NFTs in your wallet.

They often start by using legitimate services like Premint to run sweepstakes for their pre-sale lists. Premint does not review the projects that use its service, but many people don't know this and think these sweepstakes are "Premint endorsed".

To make matters worse, Premint allows sweepstakes creators to impose entry requirements, such as "must hold 1 Moonbirds NFT". This makes it possible to create a fake sweepstakes that appears to be officially recognized, without the consent of the original project team.

During the "White List Pre-Sale", you will still be using the wallet that holds your high-value NFTs to mint, because that wallet was required to enter the initial sweepstakes. This is where your NFT can be stolen. Let's see how this works.

Today there is a new version of this scam, "aLL tHiNg bEgiNs", which led to the theft of several high-value Moonbirds NFTs.

If you go to their website, it looks like a typical shitty Free Mint project with a connect-wallet button and a Mint option. But once you dig deeper, you will find that this website is by no means so simple.

The first thing you notice is that a lot of the site's code is copied from the goblintown website.

Second, if you look at the JavaScript on the page, there's a file called signupxx44777.js, and that is where the exploit is.

Once the wallet is connected, the code kicks in; it is literally labelled "drain NFTs". What the code actually does is:

1. Reads the contents of your address

2. Uses OpenSea's API to determine which of your NFTs is the most valuable

3. Takes that most valuable NFT and looks up its smart contract information

4. Once you click "mint", generates a transaction that interacts with the contract of your most valuable NFT. This setApprovalForAll transaction grants the scammer permission to transfer your NFT.

So even though you think you're just executing a typical Free Mint transaction, you're actually giving the scammers permission to transfer some of your most valuable NFTs out of your wallet, plain and simple.
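
A defensive check for step 4, added here as an example that is not part of the original article or of the scam site's code: it decodes a pending transaction request and reports when a supposed mint is really a setApprovalForAll call on a different contract. The function name and all addresses are constructed for illustration; 0xa22cb465 is the standard selector of setApprovalForAll(address,bool).

```javascript
// Added example; inspectTxRequest and every address below are hypothetical.
const SET_APPROVAL_FOR_ALL = "a22cb465"; // selector of setApprovalForAll(address,bool)

// Decode a transaction request ({to, data}) and describe what it really does.
function inspectTxRequest(tx, expectedMintContract) {
  const to = tx.to.toLowerCase();
  const data = (tx.data || "0x").toLowerCase().replace(/^0x/, "");
  const result = {
    to,
    targetsExpectedContract: to === expectedMintContract.toLowerCase(),
    grantsCollectionApproval: false,
    operator: null,
    warnings: [],
  };
  if (!result.targetsExpectedContract) {
    result.warnings.push("transaction target is not the advertised mint contract");
  }
  // Calldata layout: 4-byte selector + 32-byte operator word + 32-byte bool word.
  if (data.slice(0, 8) === SET_APPROVAL_FOR_ALL && data.length === 8 + 64 + 64) {
    result.operator = "0x" + data.slice(8 + 24, 8 + 64); // low 20 bytes of word 1
    result.grantsCollectionApproval = BigInt("0x" + data.slice(8 + 64)) !== 0n;
    if (result.grantsCollectionApproval) {
      result.warnings.push(
        `grants ${result.operator} transfer rights over your tokens in ${to}`
      );
    }
  }
  return result;
}

// Constructed sample requests (not captured from any real site).
const MINT_CONTRACT = "0x1111111111111111111111111111111111111111";
const VALUABLE_COLLECTION = "0x2222222222222222222222222222222222222222";
const OPERATOR = "0x3333333333333333333333333333333333333333";
const word = (hex) => hex.padStart(64, "0"); // left-pad to one 32-byte ABI word

const fakeMintTx = {
  to: VALUABLE_COLLECTION, // the NFT's own contract, not the mint contract
  data: "0x" + SET_APPROVAL_FOR_ALL + word(OPERATOR.slice(2)) + word("1"),
};
const plainTx = { to: MINT_CONTRACT, data: "0xaabbccdd" }; // constructed selector

console.log(inspectTxRequest(fakeMintTx, MINT_CONTRACT).warnings);
console.log(inspectTxRequest(plainTx, MINT_CONTRACT).warnings);
```
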

In summary, the exploit works as follows:

1. Build hype around the free Degen Mint project, using legitimate tools like Premint to entice high-value wallets to participate

2. Create a website with malicious JavaScript that scans your wallet for the highest value NFT

3. The fake Mint option does not actually generate a Mint transaction; it creates a malicious transaction that grants the scammers permission to transfer your NFT

4. Repeat steps 1-3 under different "Projects" with the same code

Most of these scams are likely to be carried out by a single person, so be sure to pay attention to safety. If you think you have been affected by one of these scams, you can use revoke.cash.
