The perpetrator appeared to trick Lawliet into signing fake transactions that granted them access to the his NFTs. They then used this access to transfer the NFTs to their own wallet.
Lawliet took to Twitter saying that 13 of his NFTs had been stolen by the attacker including seven Bored Apes, five Mutant Apes, and one Doodle. In total, Lawliet’s loss stands at $2.7 million based on the floor price of the NFTs stolen from his wallet.
How it happened
The victim’s troubles began when an attacker (likely the same person) took control of the Discord server of another NFT collection called Moschi Mochi to post a fake announcement about an extra mint. The scam involved inviting members of the Moschi Mochi community to participate in an extra mint of 1,000 NFTs for a chance to win a $25,000 raffle.
A look at Lawliet’s wallet address on Etherscan shows that he interacted with the fake mint and sent 0.49 ETH in exchange for 14 of the scam NFTs. Immediately following the transfer, Lawliet’s transaction history shows numerous “set approval” transactions.
These set approval transactions all had the hacker’s “0xD27” address set as an approved address. This meant that the victim was tricked into calling the “setApprovalForAll” call when signing these transactions with his own wallet.
A key thing here is that when someone approves a blockchain transaction via an in-app browser like MetaMask, it’s not always clear exactly what permissions they are giving to the website. In this case, the victim assumed they were regular transactions when in fact he was giving out control over his own NFTs.
There is, however, a feature on MetaMask that allows users to examine the exact nature of their transactions before executing them. T
his step involves clicking the “details” tab which then displays details about the transaction including vital information like addresses being granted approval. But during the rush for an NFT mint, investors may not always check this.
This particular contract call — setApprovalForAll — allowed the hacker to initiate the “transferFrom” contract call which enabled them to transfer all of the victim’s Bored Apes to another wallet. In programming, a call allows a user to execute the code of another contract, in this case, the ability to transfer NFTs from the victim to the hacker.
Once the attacker had permission to control the victim’s NFTs, they started moving them to a different wallet. The hacker was able to use this method to take the Bored Apes and other NFTs including Mutant Apes and Doodles.
Possible preventative measures
Owners of popular NFT collections like BAYC continue to be targets of social engineering attacks aimed at stealing their valuable NFTs. As of the time of writing, the collection has a floor price of over 118 ETH ($320,000).
In response to incidents like these, security experts generally advise the use of “burner wallets,” addresses that contain only a small amount of funds to cover gas fees. Thus, if the transaction happens to be a phishing attack, the victim’s loss will be significantly limited.
Verifying transaction details before approving might also be a useful preventative measure. As Tal Be’ery put it, approvals should only go to “trustworthy contracts” with relatively long transaction histories. Web wallets like MetaMask show details of transactions and can be a useful tool in spotting phishing attacks.
Read full story on The Block