Premint, a popular NFT whitelist service, was recently compromised. As a result, $400,000 worth of NFTs from several collections were stolen.
Web3 can be a high-risk frontier that requires a high degree of security-mindedness to survive, as users of the NFT whitelist service Premint learned the hard way when a malicious (but suspicious-looking) login link stole NFTs. Blockchain tokens cannot be stolen directly from a crypto wallet, so smart hackers and scammers use phishing attacks that exploit user ignorance to steal tokens. Users can protect themselves by practicing Web3 operational security (or "opSec") and by being skeptical and careful when asked to submit a transaction.
Non-fungible token (NFT) collections are an effective way for new projects and influencers to raise money from investors and fans while building a community. This often involves a "premint" phase in which people sign up for a raffle to become one of the first wave of buyers or recipients, and bots are often created to unfairly increase the odds of winning one or more spots. Premint is an NFT "whitelist" service that lets creators set custom criteria for verifying ("whitelisting") the wallets that can participate in a premint (i.e., requiring social media verification, a sufficient cryptocurrency balance, and/or ownership of another NFT), and it gives collectors a dashboard that reports which premints they have won. Unlike NFT marketplaces such as OpenSea, Premint does not manage NFTs or facilitate transfers, and using it does not require sending transactions.
According to CryptoSlate, on July 17 a malicious login link on Premint's website stole about $400,000 worth of NFTs from users' wallets. Premint's official Twitter post claims that an unknown third party manipulated a file on its website, causing it to display a malicious wallet connection prompt. Authenticating with a wallet is normal for Web3 logins, but this prompt instead initiated a suspicious transaction. All victims had the opportunity to reject the transaction, but those who confirmed it gave the attacker's smart contract full permission to transfer all tokens from many NFT collections to the attacker's wallet.
Last night, a malicious wallet connection was presented to the user because the file was manipulated by an unknown third party in PREMINT.
— PREMINT | NFT Access List Tool (@PREMINT_NFT) July 17, 2022
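The difference between a wallet login, which only needs account access and a signature, and a prompt that submits an approval transaction can be checked mechanically before anything is confirmed. The JavaScript below is an added example, not code from Premint or the original article. It assumes that blanket transfer permission is granted through the standard ERC-721/ERC-1155 setApprovalForAll or ERC-20/ERC-721 approve calls; the function names and sample addresses are hypothetical.

```javascript
// Added example. Selectors are the first 4 bytes of keccak256(signature) per the Solidity ABI.
const SET_APPROVAL_FOR_ALL = "0xa22cb465"; // setApprovalForAll(address,bool), ERC-721/ERC-1155
const APPROVE = "0x095ea7b3";              // approve(address,uint256), ERC-20/ERC-721
// Requests a plain wallet login needs: account disclosure and a message signature.
const LOGIN_METHODS = ["eth_requestAccounts", "eth_accounts", "personal_sign"];

// Return the i-th 32-byte ABI argument word as hex (without the 0x prefix).
function abiWord(args, i) {
  return args.slice(i * 64, (i + 1) * 64);
}

// Classify one JSON-RPC request that a page raised from its "connect wallet" flow.
function reviewLoginRequest(req) {
  if (LOGIN_METHODS.includes(req.method)) {
    return { verdict: "expected", reason: "no on-chain state change" };
  }
  if (req.method !== "eth_sendTransaction") {
    return { verdict: "review", reason: "not needed for a login: " + req.method };
  }
  const tx = (req.params && req.params[0]) || {};
  const data = String(tx.data || "0x").toLowerCase();
  const selector = data.slice(0, 10), args = data.slice(10);
  const wellFormed = /^[0-9a-f]{128,}$/.test(args); // at least two ABI words of hex
  if (selector === SET_APPROVAL_FOR_ALL && wellFormed) {
    const operator = "0x" + abiWord(args, 0).slice(24);
    const approved = BigInt("0x" + abiWord(args, 1)) !== 0n;
    return approved
      ? { verdict: "block", reason: "operator gains every token in this collection", contract: tx.to, operator }
      : { verdict: "review", reason: "revokes an operator", contract: tx.to, operator };
  }
  if (selector === APPROVE && wellFormed) {
    return { verdict: "block", reason: "sets a token approval or allowance", contract: tx.to,
             operator: "0x" + abiWord(args, 0).slice(24) };
  }
  return { verdict: "review", reason: "login flow requested a transaction" };
}

// Constructed sample input (placeholder addresses, not taken from the incident).
const OPERATOR = "0x" + "11".repeat(20);
const COLLECTION = "0x" + "22".repeat(20);
const sampleRequest = {
  method: "eth_sendTransaction",
  params: [{ to: COLLECTION,
             data: SET_APPROVAL_FOR_ALL + OPERATOR.slice(2).padStart(64, "0") + "1".padStart(64, "0") }],
};
console.log(reviewLoginRequest(sampleRequest));
```

A "block" verdict here means the request grants transfer rights that no login needs; the operator address it reports is the party that would receive them.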
OpSec is important for Web3
In the world of Web3, blockchain, and the decentralized metaverse, users need to practice some opSec with healthy skepticism. Malicious transactions can be indistinguishable from benign ones, so using a "burner wallet" is highly recommended to mitigate the damage if such a transaction is misjudged. In this dual-wallet system, the burner wallet acts as a disposable account for sending transactions, collecting token airdrops, and testing new Web3 apps for the first time. Tokens it receives are then transferred to the main wallet. The main wallet, in turn, acts like a savings account or safe deposit account and rarely interacts with Web3 apps, keeping it away from phishing attacks that steal tokens.
We still don't know what will happen to the stolen NFTs, but unless they are returned to their owners, they will be devalued black-market items. Having been reported stolen, they cannot be sold on OpenSea for their full value until they are returned. The hackers will need to rely on decentralized NFT marketplaces to sell the stolen tokens, counting on buyers not to check a token's ownership history first. Hopefully the victims will be compensated for their losses, other users and projects will take note for the future, and Premint can determine what happened and explain how a third party was able to access its production code base.
Source: CryptoSlate, @PREMINT_NFT / Twitter