How To Keep Your NFTs Safe From Scams 3

Smart Contracts and How They Affect Your NFT Security


Smart contracts are digital agreements that execute without a middleman. This allows blockchain users to interact with decentralised apps (and one another) in a “trustless” fashion.


However – watch out! You cannot reverse the action a smart contract triggers once you sign it. This makes smart contracts a popular vehicle for scammers looking to get access to your NFTs under false pretenses. Many scams today trick users into interacting with a malicious smart contract. In effect, the scammers make you open the door to your own assets. This is why understanding what you’re agreeing to is so essential for NFT security.


Blind Signing: Leaving your NFTs Vulnerable
Scammers take advantage of people’s lack of knowledge about smart contracts to convince them to sign rogue transactions. For example, you may think you’re giving permission to buy an NFT when, in fact, the contract you’re agreeing to gives the lucky scammer access to all the NFTs in your wallet.
This is a major vulnerability because crypto wallets can’t always display full smart contract details, making it hard to see what you’re signing. This is called blind signing, and it leaves your NFTs and crypto extremely vulnerable. Even when the details are displayed, it can be hard for the average user to interpret them because they’re technical. In both cases, you are the gatekeeper for your NFTs’ security. Only you can ensure they stay safe.


How to protect yourself from blind signing
The best way of doing this is a two-pronged approach. The first part is choosing a wallet that can display smart contract details in full, otherwise known as clear signing. This is one major benefit Ledger Nano brings to the space, enabling clear signing for transactions with integrated dApps and platforms. Whenever you’re signing a transaction, you’ll be able to see all relevant details and know exactly what you’re agreeing to, so there are no surprises and no hidden intentions.
But doing this effectively also means being able to understand what you’re reading, and that means taking the time to learn for yourself how to interpret smart contract details.
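
What a clear-signing screen has to work out from the raw transaction data, as an added example that is not Ledger's code or part of the original article. It goes slightly beyond the text by decoding the standard ERC-721 approval and transfer calls; `describe_calldata` is a hypothetical helper and the operator address is a constructed placeholder.

```python
# Added example: decode NFT calldata the way a clear-signing screen would.
# Selectors = first 4 bytes of keccak256 of the standard function signatures.
SELECTORS = {
    "a22cb465": ("setApprovalForAll", ("address", "bool")),
    "095ea7b3": ("approve", ("address", "uint256")),  # same selector on ERC-20
    "23b872dd": ("transferFrom", ("address", "address", "uint256")),
    "42842e0e": ("safeTransferFrom", ("address", "address", "uint256")),
}

def _decode_word(word, abi_type):
    """Decode one 32-byte ABI word of a static type."""
    value = int.from_bytes(word, "big")
    if abi_type == "address":
        return "0x" + word[12:].hex()  # an address is the low 20 bytes
    if abi_type == "bool":
        return value != 0
    return value

def describe_calldata(calldata_hex):
    """Return the function, arguments and a risk label for raw calldata."""
    hex_str = calldata_hex[2:] if calldata_hex[:2].lower() == "0x" else calldata_hex
    data = bytes.fromhex(hex_str)
    known = SELECTORS.get(data[:4].hex())
    if known is None:
        return {"function": None, "args": [], "risk": "unknown",
                "note": "cannot decode: signing this would be blind signing"}
    name, types = known
    body = data[4:]
    if len(body) < 32 * len(types):
        return {"function": name, "args": [], "risk": "unknown",
                "note": "calldata is truncated"}
    args = [_decode_word(body[i * 32:(i + 1) * 32], t) for i, t in enumerate(types)]
    if name == "setApprovalForAll" and args[1]:
        return {"function": name, "args": args, "risk": "high",
                "note": f"{args[0]} may move every token you hold in this contract"}
    if name == "setApprovalForAll":
        return {"function": name, "args": args, "risk": "low",
                "note": f"revokes operator rights from {args[0]}"}
    return {"function": name, "args": args, "risk": "review",
            "note": "single-token action: check the address and the token id or amount"}

# Constructed samples (the operator address is a placeholder, not a real account).
OPERATOR = "11" * 20
GRANT_ALL = "0xa22cb465" + "00" * 12 + OPERATOR + "00" * 31 + "01"
REVOKE_ALL = "0xa22cb465" + "00" * 12 + OPERATOR + "00" * 32

if __name__ == "__main__":
    for sample in (GRANT_ALL, REVOKE_ALL, "0xdeadbeef"):
        print(describe_calldata(sample))
```

A "buy" or "claim" prompt that decodes to `setApprovalForAll` with `true` for an address you do not recognise is the mismatch between what you think you are signing and what you are actually signing.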


How to Interpret Smart Contracts
Blockchain explorers like Ethereum’s Etherscan are what you use to search smart contracts and learn more details about them. All you need to find a smart contract on a block explorer is the contract address.


There you will find various important bits of information about the smart contract, including who deployed it and what it does – both of which are important for verifying your own transactions with peace of mind. Understanding these elements can help you detect scam transactions – and save you from signing one.

NFT Security Basics for Web3: Tips To Avoid Scams

Beyond the fundamentals of smart contracts and transacting, there are also a few rules you need to bear in mind for staying safe as you explore and interact with Web3.
Don’t trust stealth mints.
Don’t follow random links.
Only connect to trustworthy sites and projects, and check every website address thoroughly.


Following this advice will help you avoid most scams, but let’s take a look at the most popular scams of the moment:


What are the most famous NFT Phishing Scams?
Phishing scams are the most common NFT scam at the moment. For those who don’t know, the term phishing refers to a form of social engineering. It involves bad actors sending messages to people. By design, these messages coax people into revealing private information that compromises their security.


In the case of NFTs, phishing scams either attempt to get people to sign scam transactions, or give away their seed phrase or private keys.


Who Are NFT Scammers Targeting?
Holders of high-value NFTs like BAYC, Doodles, and Azuki are especially targeted in phishing scams. As a matter of fact, even OpenSea has had issues with phishing scams targeting its users.


Then there are scam NFT swaps. In these cases hackers target people actively looking to trade their NFTs. They reach out to them, usually via Discord or Twitter, and engage in “trade talks”. Then they provide the victim with a phony trade link. If the person goes through with the trade, they can lose not just the NFT they’re trying to trade, but everything in their wallet.


NFT Security on Social Media
NFTs are all about community, and this means a lot of interaction with other community members on social channels such as Discord and Twitter – these are effectively community hubs where a lot of the excitement takes place. But with so many people and so much hype all in one place, these hubs are a great venue for opportunists, and it’s important that you familiarise yourself with the risks you face here.


NFT Scams on Discord
As the default home for most NFT projects and communities, it’s easy to encounter scammers on Discord. Hacking Discord servers often starts with phishing attacks on server moderators and admins. Often, these scammers will contact you via a DM from seemingly legitimate accounts.
Another famous NFT scam on Discord asks targets to bookmark a link in Discord. In reality, the bookmarked link runs JavaScript code. This allows a hacker to take over the person’s Discord account, gaining access to any servers they have permissions in.
Unfortunately, Discord tends to be full of scams.
The number one rule of NFT security on Discord is to turn off DMs from anyone you don’t know. By only allowing DMs from people you accept as friends, you’re already filtering out a majority of scammers. Plus, if you want to know more, check out Ledger’s guide on staying safe on Discord.


NFT Scams on Twitter
As the social media platform of choice for the NFT community, Twitter is also a haven for scammers.
While project Twitter accounts have rarely gotten hacked themselves, scammers have taken to stealing or buying other, usually verified, accounts. Then they impersonate a project or project lead, and direct people to some kind of malicious link. This happens most often either before or right after a major project release. This was the case with Yuga Labs’ Otherside mint, Moonbirds and Azuki’s Beanz airdrop.
Make sure to triple check any accounts posting links for any kind of NFT transaction. If a verified account tags your account in a tweet reply amongst a list of others, it’s likely compromised. Be sure to report and block fake accounts, and never click on any links they post.


What are Malicious NFTs?
A popular scam today involves sending malicious NFTs to crypto addresses. Malicious NFTs are tokens with smart contracts that may compromise a user’s security. These NFTs are usually airdropped directly into people’s wallets, making them that much more devious.
While some malicious NFTs are obvious, some look like stealth mints from major brands, and can leave people fooled. These NFTs can affect you in all kinds of ways, including wiping NFTs and cryptocurrencies from your wallet.


What Should I Do If Someone Sent Me a Malicious NFT?
While malicious NFTs do not have the power to remove NFTs or funds from your wallet, the seemingly great offers on them are too good to be true. In this instance, the person bidding on your malicious NFT will make sure the transaction won’t go through. Annoyingly, most marketplaces have loopholes which allow scammers to bid on an item and then revoke their approvals. Instead, nine times out of ten, malicious NFTs draw collectors in and coax them to interact with separate contracts and websites.
In short, if someone airdrops you an NFT, don’t even bother reading the description. Leave it in the hidden folder where it belongs.


The Biggest NFT Security Vulnerability: FOMO
Not all NFT scams are technical. Just like in real life, some fraudsters rely on getting you all worked up for an idea that just isn’t quite what it seems, and Web3’s notorious FOMO vibes make it a perfect environment for opportunists to deploy these tactics.
