Since NFT's are subject to heavy criticism of their existence, a lot of people are developing extra things you actually can do with them. The market is interested in that being done right, so its interesting to be a part of projects that are trying. This extra thing required Thomas sending the NFT to another service they developed. Smart contracts in Ethereum Virtual Machine environments (EVMs) have to be primed to recognize asset. So there is something called an Approval. When Thomas interacted with this contract it did the approval for the NFT, and also an approval for aWETH a token associated with that project.
aWETH is the ticker symbol for a token that project created called Armstrong ETH. The namespace for ticker symbols has many collisions as there are many tokens. So people aren't too worried about that, a token's ID is its contract address which does not have collisions.
In this case, this was the actual phishing attempt.
Their project did indeed use a token called Armstrong ETH, but their approval was for aWETH which is Aave Eth, an asset collateralized by liquid valuable actual Ether. It is also redeemable for actual Ether.
So if Thomas approved the use of their project from his main account, the hacker would have been able to use another function written in their smart contract that leveraged the approval of aWETH (the Aave Eth) to take it all away from Thomas. He has $100m of that.
> a lot of people are developing extra things you actually can do with them
To be clear, the “thing” in this instance is NFT staking: a ponzi upon a ponzi where you buy a NFT and then lend it to a platform, which pays you fees. Platforms can advertise ridiculous yields (200% APY) because deposits go right out the door again as fees to people higher up in the pyramid.
Since NFT's are subject to heavy criticism of their existence, a lot of people are developing extra things you actually can do with them. The market is interested in that being done right, so its interesting to be a part of projects that are trying. This extra thing required Thomas sending the NFT to another service they developed. Smart contracts in Ethereum Virtual Machine environments (EVMs) have to be primed to recognize asset. So there is something called an Approval. When Thomas interacted with this contract it did the approval for the NFT, and also an approval for aWETH a token associated with that project.
aWETH is the ticker symbol for a token that project created called Armstrong ETH. The namespace for ticker symbols has many collisions as there are many tokens. So people aren't too worried about that, a token's ID is its contract address which does not have collisions.
In this case, this was the actual phishing attempt.
Their project did indeed use a token called Armstrong ETH, but their approval was for aWETH which is Aave Eth, an asset collateralized by liquid valuable actual Ether. It is also redeemable for actual Ether.
So if Thomas approved the use of their project from his main account, the hacker would have been able to use another function written in their smart contract that leveraged the approval of aWETH (the Aave Eth) to take it all away from Thomas. He has $100m of that.
Very close one for him.