Newsletter #91

Beware this scam that'll steal your NFTs

Jan 27

>>> FOR DAILY UPDATES, FOLLOW LAZY.COM ON TWITTER, INSTAGRAM AND TIKTOK <<<

This week’s featured collector: ClipCity

ClipCity’s motto is “No idea what I’m doing and that’s the fun part.” And we appreciate the spirit! Their collection focuses on Ethereum profile pics and NBA TopShots. Includes many projects we’ve never seen before. Check it out at lazy.com/clipcity

If you enjoy reading our newsletter, show some love by sharing this post. Thank you!

“I was just hacked…” writes Kevin Rose, the creator of Moonbirds.

A couple days ago, Kevin Rose, the creator of Moonbirds, lost over $1,000,000 worth of NFTs. This is another dramatic reminder that even highly knowledgeable NFT creators and collectors can fall for sophisticated hacks.

This week we are going to discuss what happened and how you can protect yourself.

How was Kevin Rose hacked?

Technically, Kevin Rose was hacked because he signed a malicious signature request that transferred his NFTs to the hacker.

The way the hack works, in simple terms, is that the victim visits a scam website that appears legitimate. The website requests that they sign a transaction and explains that the signature is needed to login or claim an NFT. However, the signature actually gives the malicious site permission to transfer the victim’s NFTs using OpenSea’s Seaport protocol.

The signature request might look something like this:

This signature request gives a hacker permission to steal your NFTs.

As you can see, there is nothing obvious in the signature request that alerts the user to the fact that it’ll steal all your NFTs. This explains why people keep falling for this particular hack.

How can you protect your NFTs?

First, and most obviously, the best way to protect yourself from this hack is by only signing transactions that you trust. The trouble, however, is that hackers are now going to extreme lengths to craft websites that appear 100% legitimate. So it is important to be skeptical of any website that requests your signature.

The reason this hack has been so effective is that the signature request is not written in a human readable format. After all, it is hard to understand that signing a string of numbers can jeopardize your NFTs.

To address this, there are a few browser extensions that aim to make all signature requests human readable.

Two options are the browser extension from Revoke.Cash and Fire. We haven’t fully tested these, so please do your own research before installing.

Fire aims to turn signature requests into a human readable format.

Given the recent spate of high profile hacks, there is a lot of pressure building for a solution at the wallet level. It is likely that we will see MetaMask and other wallets introduce features to protect their users from NFT scams. Until then, stay safe!

This week’s poll: Have you ever lost NFTs in a hack?

Thank you for reading Lazy.com’s Newsletter. Was this post helpful? Show some love by sharing.

🎨 Lazy.com is seeking a UX/UI designer with an interest in NFTs. 🖌

Tens of thousands of collectors use Lazy.com to display their NFTs. Help us shape what they see. Apply now by sending a sample of your work.

We ❤️ Feedback

We would love to hear from you as we continue to build out new features for Lazy! Love the site? Have an idea on how we can improve it? Drop us a line at info@lazy.com

Lazy.com’s Newsletter