NFT scams are evolving. You look up your MetaMask wallet on Etherscan, and you have a mysterious NFT sitting at the bottom. So you head over to OpenSea to check whether it's worth anything. You get there and find out the NFT already has a 1 ETH offer! Too good to be true? Let's look at the latest type of NFT scam on NFT marketplaces.
The Old Way of NFT Marketplace Exploits
On OpenSea, you must approve transactions in order to transfer any NFTs or Ethereum (ETH). The "approval" is a smart contract function called directly on the token contract. By signing the "approval" function call, you're basically saying "token contract, please give this marketplace contract the permission to spend my money or NFTs."
Although this is dangerous, the danger only goes one way. If the marketplace is malicious, approving one contract call can allow the malicious actor to steal your entire collection. Hence, a marketplace that has been designed poorly might have this vulnerability. A good example is the old Wyvern contracts used by OpenSea, where a single malicious actor could steal all your approved OpenSea NFTs. One such hacker stole 10 Azukis, 8 mfers, and 3 Mutant Apes with just one signature.
Following this, a website notification might read “click here to animate your ape”, but the wallet transaction will say “SET APPROVAL FOR ALL”, according to DeFi developer and MEV expert, 0xfoobar.
The New Way of NFT Marketplace Exploits
Since the above vulnerabilities were fixed in both OpenSea and other upcoming NFT marketplaces, hackers can't take control of your NFTs or wallet that way. The new fake NFT scams hence take a different plan of attack.
On OpenSea, you approve a contract to spend the 'scam' NFT you found in your wallet. However, when you try to accept the offer (for 1 ETH), the offer acceptance reverts with an error. The error message contains a URL that, if you follow it, takes you to a site that requires you to sign a malicious transaction.
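The check below is an added example, not code from OpenSea or any wallet: it decodes a standard Error(string) revert payload and flags any URL embedded in the reason string, which is the lure described above. The sample message, the domain and all function names are constructed for illustration.

```javascript
// Added example: decode an Error(string) revert payload and flag URLs in it.
const ERROR_SELECTOR = "08c379a0"; // first 4 bytes of keccak256("Error(string)")
const URL_PATTERN = /(?:https?:\/\/|www\.)\S+|\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b(?:\/\S*)?/gi;

// Read one 32-byte big-endian ABI word as a Number (used for offsets and lengths).
function readWord(buf, pos) {
  return Number(BigInt("0x" + buf.subarray(pos, pos + 32).toString("hex")));
}

// Returns the revert reason string, or null if the payload is not a
// well-formed Error(string) encoding (custom error, panic, truncated data).
function decodeRevertReason(hex) {
  const data = Buffer.from(hex.replace(/^0x/, ""), "hex");
  if (data.length < 68 || data.subarray(0, 4).toString("hex") !== ERROR_SELECTOR) return null;
  const body = data.subarray(4);
  const offset = readWord(body, 0);
  if (offset + 32 > body.length) return null;
  const length = readWord(body, offset);
  const start = offset + 32;
  if (start + length > body.length) return null;
  return body.subarray(start, start + length).toString("utf8");
}

// Heuristic: a revert reason describes a failure; one that carries a link
// is trying to move you to another site, so treat it as suspicious.
function inspectRevert(hex) {
  const reason = decodeRevertReason(hex);
  const urls = reason ? reason.match(URL_PATTERN) || [] : [];
  return { reason, urls, suspicious: urls.length > 0 };
}

// Constructed sample input (hypothetical message and domain), ABI-encoded here.
function encodeErrorString(msg) {
  const text = Buffer.from(msg, "utf8");
  const word = (n) => n.toString(16).padStart(64, "0");
  const padded = text.toString("hex").padEnd(Math.ceil(text.length / 32) * 64, "0");
  return "0x" + ERROR_SELECTOR + word(32) + word(text.length) + padded;
}
const SAMPLE_REVERT = encodeErrorString("Offer expired. Re-list at https://nft-claim.example/accept");

console.log(inspectRevert(SAMPLE_REVERT));
```
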
Stay Safe
Apart from potentially getting your NFTs stolen, you have definitely wasted precious gas. The best way to stay safe on the blockchain is to avoid interacting with contracts and assets you know nothing about. Many people are greedy and will want to spend every new asset that drops in their wallets. This will lead you straight into the hacker’s trap. Watch out for fake NFTs.