This sort of thing is as old as crypto itself - see e.g. "How to steal Bitcoins" with some excellent HN comments (including from one of the thieves referenced in the original article) from 8 years ago: https://news.ycombinator.com/item?id=7365663
It's not clear exactly what's going on here. The word "connect" by itself implies two modes: (1) present public keys; or (2) present private keys. But the loss of property suggests it's (2). If so, then the people falling for this are hopelessly incompetent.
Of course, this has been a problem from the start of Bitcoin. Users "buy" something they have no clue how to secure. They don't understand at all how public key cryptography works, or worse, they bring truly bad mental models from their experience with their online bank or Facebook. Then they get burned. Nothing new here.
It's for this reason that central bank digital currencies are one of the worst ideas ever to come out of central banks. The average person is in no position to even think about managing cryptographic material let alone securing life-changing amounts of money with it. Idiot-proofing CBDC will mean that the central bank just becomes an actual, central, bank. No crypto required. A real one where people actually keep their money. So long to private banks.
The wallet in question is probably MetaMask, a browser extension. It injects a web3 provider in `window.ethereum`.
Connecting the wallet is done by calling `window.ethereum.enable()`; this pops up a dialog asking you to connect an address to the website. It just tells the extension that the website is allowed to interact with the extension.
This article is about phishing in the context of cryptos.
Silent signing doesn't happen (unless there is some kind of bug in MetaMask). The user is always presented with the contract address and call data (the args to the contract call).
I have a CS degree and have worked at FAANG for 6 years and that was straight gibberish to me. I guess maybe because I have only worked at FAANG using traditional tech and not crypto startups?
I think that explanation was just a little too jargony.
If you have the Metamask browser extension (or another compatible web3 extension) and press its browser button to enable it while on a webpage, then the webpage can see your wallet address and suggest transactions for you to make. When that happens, the browser extension then shows a window under its own control explaining the transaction and allows you to choose to sign or reject the transaction.
The webpage never sees anything about your wallet if you don't activate the extension on the page specifically, it never sees your private keys, and it can never silently sign a transaction from you.
If somebody sets up a phishing website in the US with intent to steal funds, they are equally as liable whether their target is a crypto wallet or Apple Pay.
I work in a 100yo investment bank and am quite familiar with how it all works and yet, even if I didn't just work in a technical-centric company like you but a business and finance-centric one at that, I still think it's gibberish.
Worse, I learned to decode what they refer to talking like that and I still don't see a point: to the gibberish or to the whole concept.
I bet a whole lot of your day to day technical and administrative work is gibberish. Your yearly evaluation alone probably would require training for an outside person to understand.
Which is to say... don't assume jargon is pointless.
>'Multiple slurp juices on a single ape' meme perfectly captures the stupidity of NFT culture
>If I know anything to be true in this mixed-up world, it's that ape holders can absolutely use multiple slurp juices on a single ape. Any fool knows that. It's as simple as two plus two equals four. An ape holder can use multiple juices on a single ape; this is fact.
It's reminiscent of conspiracy theories. You can sit there and untangle the jargon until you understand all the oblique references to events, and it's still nonsense.
Some js code makes a popup window appear for user to enter a transaction address (like bank details) so they can clicky click on it. Then it shows those details to confirm.
Is that simple enough for a senior FAANG engineer?
All connecting a wallet does is allow the app to see your public keys. Private keys are not directly exposed. The app can then request the user sign transactions, but they must be explicitly approved by the user.
Where fraud typically happens is when a user thinks they're signing an innocuous transaction, when in fact they're signing a malicious one. This is generally a hard problem, but it's very clear from the wallet the address of the smart contract your transaction interacts with.
Depends on the type of wallet. If it's a web wallet the keys are in the browser's data store that the wallet extension handles. The keys could also be on a separate hardware wallet that is completely separate from the computer you interact with and requires physical button presses on the hardware device. Could also be that you are in a view only mode and just connecting with an address and you don't even have the keys on you.
Your entire response is based on false assumptions. "Connecting a wallet" and "signing a transaction" have defined meanings, and are not related to revealing a private key. Also, CBDCs are in no way related to cryptocurrencies, they don't even aim to be.
CBDC has never been about blockchain or cryptocurrency. That's what the first "C" means, and why the "D" isn't a "C". It's Venmo or Zelle but run by the government bank.
> In our design users interact with a central transaction processor using digital wallets storing cryptographic keys. Funds are addressed to public keys and wallets create cryptographic signatures to authorize payments. The transaction processor, run by a trusted operator (such as the central bank), stores cryptographic hashes representing unspent central bank funds. Each hash commits to a public key and value. Wallets issue signed transactions which destroy the funds being spent and create an equivalent amount of new funds owned by the receiver. The transaction processor validates transactions and atomically and durably applies changes to the set of unspent funds. In this version of our work, there are no intermediaries, fees, or identities outside of public keys.
There are two attack vectors described in the article.
1) When you "connect a wallet" what you are actually doing is signing a message from the site using your private key. They can verify it using your public key to prove you control that wallet (i.e. it is just a normal message signing process). This process involves your wallet (often via a browser extension) popping up a message giving you details of what you are signing and buttons to approve or reject.
Because lots of sites send a very unhelpful message that is just a big json token for people to sign, and because browser extensions are wonky leading to lots of requests to connect and reconnect and re-reconnect your wallet, people often get in the habit of not checking carefully what they are signing.
The fundamental UX problem arises because the flow for authorizing a transaction is exactly the same - you sign a transaction approval using your wallet.
Can you see the problem here? It's easy to accidentally approve a transaction which drains your assets when you think you're just approving a message to connect your wallet.
2) Secondly there is a classic phishing attack against the private key. If an attacker can pretend to be a legitimate site they can apparently sometimes persuade people to paste in their recovery phrase which is equivalent to their private key. If the attacker has the private key of course they don't need anyone else to approve the transactions which drain the wallet, they can do it themselves.
There's another attack vector I have heard about which I don't think is in the article but is more pernicious. I'm not 100% sure of all the details but it's sort of a variant of #1 with extra tabasco. It starts by sending someone a token with malicious code in some of its methods (say the 'transfer()' method which is used to send the token to another address). This code is set up to drain the wallet of the owner of the token.
So say the recipient of the token attempts to transfer the token to another wallet (or 'burn' it, which is just a transfer to a specific black hole address), they will be presented by their wallet with a normal-looking transfer approval method to authorize but unbeknownst to them (because they are approving untrusted code) they are actually authorizing the attacker to drain their wallet. The attacker can make it more likely a person will attempt to burn a token by either promising that burning will turn the token into something else (this is common in this world as a method of transforming things) or by making the content of the token really unpleasant so people want it out of their wallet (I think someone tried this with me - that is I got sent an unsolicited token with a pretty horrible animation that any sane person would want out of their wallet and it can't be burned because it is unverified code so there's no way of knowing whether the transfer method is trustworthy).
The same attack can be run using different methods and it will operate should the recipient try to list their new token on an exchange.
The remedy for this is that legitimate issuers can "verify" their code by publishing it and since the resulting bytecode checksum is the same as the checksum of the token people can be confident that they are seeing the real code. You would still need to actually check whether the code was doing anything bad to know whether it was safe to interact with such a token.
I am honestly mind blown that a scam tool like this isn’t minified and uglified to obfuscate reverse engineering. The process also strips comments, which I imagine would’ve been a preference of the perpetrator.
I assume the example from the author [of the blog post] must’ve been a deployment by someone without much experience with the javascript ecosystem or extremely lazy. Pretending this assumption is correct, what does it tell us? Is it a reflection of the environment’s lack of regulation (even industry/market led, like PCI) and a deluge of unsophisticated (ignorant) users/consumers?
Hi, author here. I liked this comment a lot and I can help to shed some light:
We do see phishing pages like this increasingly popping up with obfuscation. I think at this time less than a third are obfuscated, but this is gradually increasing. The thing is, most of the folks running these sites are likely not very technical. They buy the template from a vendor and plug in the config settings and just focus on driving traffic to the site - this happens through Discord & Twitter spam.
The thing with fraudsters and threat actors that play in this space is that at the end of the day it's a business and they want maximum reward for minimal effort. I think right now there's not a very aggressive takedown feedback loop with these phishing sites, but we are working to accelerate this and as this happens the perpetrators WILL need to rely more on obfuscation to try and thwart on the fly static detection. My guess is that eventually most of the logic will be server-side and cloaked as has happened with many other categories of phishing and fraud (particularly malvertising campaigns). Sooner or later the more amateur scam operators in this space will likely get shaken out by this acceleration of the cat and mouse game and only highly technical operators will be left.
With regards to the sites that we see obfuscated today, we are still able to do accurate attribution, as we've been specializing in the detection and blocking of malicious client-side code for some time now.
Transcript: "Signing this message can have dangerous side effects. Only sign messages from sites you fully trust with your entire account. This dangerous method will be removed in a future version."
Presumably part of the issue is that a legitimate "NFT mint" transaction might also carry the same warning.
There is a difference between signing a transaction and signing a string. The warning you have linked pops up when a signing of a string occurs and warns that if the person embeds a transaction in that string you are signing whatever transaction they have made.
There is a new method they have for signing strings that does not allow a transaction to be signed so it's safer.
The crypto drainer seems to directly be sending the NFTs and assuming that the user can't understand the transaction and what it's actually doing.
Perhaps the next inception is the NFT-drainer-siphon-drainer that spoofs the collection and botnet sites to trick the scammers into relocating funds into the wrong place. At some point, fencing these worthless NFTs will be needed.
Absolutely baffling that the crypto community normalized this process of connecting your wallet to a random website and letting it access all of your money.
I see a lot of victim-blaming suggestions that it's the fault of the person who didn't set up a new crypto wallet for every interaction they might want to make and then transfer enough money into said wallet to cover unpredictable gas fees (while also paying gas fees to transfer the money) and then, presumably pay even more gas fees to transfer everything back out of the wallet if it turns out to not be a scam. It's incredible that crypto has reached a point where some people seem to think this is all totally reasonable and natural to expect the average user to know.
The parent is probably thinking of websites which make use of ERC20's 'approve' method, which "Sets `amount` as the allowance of `spender` over the caller's tokens."
It's used by a lot of DeFi apps, often with an unlimited amount. It doesn't give control of the tokens to a website, but rather to a contract. It's fine if the contract is secure and immutable, but of course that's not always the case.
It is easy to create a site that asks you to provide your wallet private phrase. The DNS MyEtherWallet hack that I vaguely recall exploited this.
On the other hand, good crypto citizens will just use the web3 library that will request permissions on an ad-hoc basis from your wallet extension (such as MetaMask).
However even then you can scam someone using social engineering: Just tell them "how" to do XYZ. E.g. "To get your free mini-monkey NFT, just connect your wallet with your bored ape, and when the confirm box pops up from metamask just click OK".
The fiat equivalent of course is a site that asks you to log into PayPal and send them $1000 - but that is way more obvious than the crypto equivalent, where you interact with a smart contract and it isn't necessarily clear ahead of time what will happen. Especially as smart contracts might be used for, for example, user registration. If the user registration endpoint asks for money then you could get scammed that way.
What does a user see? How should a user investigate a transaction to check what it does? Is there any good automated explanation/visualization of the effect of a transaction?
When a site initiates a transaction, you can see the address you're interacting with. You should then look up the address on etherscan to see if it has public code and a lot of transactions. Then you should search that address in google and see if the main site links to it. A lot of projects have a list of addresses in their github. You can also inspect the function code. Once you're comfortable, you should add it to your saved addresses on your wallet and next time you'll see the name of the address.
Also you can create a new throw away address, transfer just a little bit of coins to it and interact with the contract. If it does what you think it should do, then you can create a new account and do it again.
It's not perfect. It could be a proxy, so you're not guaranteed the contract you're interacting with.
There's no easy way to "see what a transaction does". You just need to do risk management.
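The advice above to inspect what a transaction actually does, and the earlier comment about sites requesting an unlimited ERC20 `approve`, can be made concrete. This is an added example, not code from the thread or from MetaMask: it decodes the calldata a site hands to the wallet, names the standard token methods by their 4-byte selector, and flags an unlimited allowance or a `setApprovalForAll` grant before the user clicks OK. The sample calldata and the spender/operator addresses are constructed placeholders.

```javascript
// Added example: decode ERC-20/ERC-721 calldata and flag risky approvals.
// Selectors are the first 4 bytes of keccak256(signature); these are the
// standard values for the listed methods.
const SELECTORS = {
  "095ea7b3": "approve(address,uint256)",
  "a22cb465": "setApprovalForAll(address,bool)",
  "a9059cbb": "transfer(address,uint256)",
  "23b872dd": "transferFrom(address,address,uint256)",
};
const MAX_UINT256 = (1n << 256n) - 1n;

// ABI encoding: after the selector, each argument is one 32-byte (64 hex
// char) word; an address occupies the low 20 bytes, uints/bools are big-endian.
function word(hex, i) {
  return hex.slice(8 + i * 64, 8 + (i + 1) * 64);
}
const argAddress = (hex, i) => "0x" + word(hex, i).slice(24);
const argUint = (hex, i) => BigInt("0x" + word(hex, i));

// Returns { method, args, warnings } for a hex calldata string.
function inspectCalldata(data) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  const result = { method: null, args: {}, warnings: [] };
  if (hex.length < 8) return result;
  const method = SELECTORS[hex.slice(0, 8)];
  if (!method) {
    result.warnings.push("unrecognised method; read the verified source before signing");
    return result;
  }
  const argc = method.split(",").length; // every argument here is one word
  if (hex.length !== 8 + argc * 64) {
    result.warnings.push("calldata length does not match " + method);
    return result;
  }
  result.method = method;
  switch (method) {
    case "approve(address,uint256)": {
      const spender = argAddress(hex, 0);
      const amount = argUint(hex, 1);
      result.args = { spender, amount };
      if (amount === MAX_UINT256) {
        result.warnings.push("unlimited token allowance granted to " + spender);
      }
      break;
    }
    case "setApprovalForAll(address,bool)": {
      const operator = argAddress(hex, 0);
      const approved = argUint(hex, 1) !== 0n;
      result.args = { operator, approved };
      if (approved) {
        result.warnings.push("operator " + operator + " may move every NFT in this collection");
      }
      break;
    }
    case "transfer(address,uint256)":
      result.args = { to: argAddress(hex, 0), amount: argUint(hex, 1) };
      break;
    case "transferFrom(address,address,uint256)":
      result.args = { from: argAddress(hex, 0), to: argAddress(hex, 1), value: argUint(hex, 2) };
      break;
  }
  return result;
}

// Constructed sample calldata; the addresses are placeholders, not real contracts.
const SPENDER = "1".repeat(40);
const OPERATOR = "2".repeat(40);
const SAMPLE_UNLIMITED_APPROVE = "0x095ea7b3" + "0".repeat(24) + SPENDER + "f".repeat(64);
const SAMPLE_APPROVE_ALL = "0xa22cb465" + "0".repeat(24) + OPERATOR + "0".repeat(63) + "1";
const SAMPLE_SMALL_APPROVE = "0x095ea7b3" + "0".repeat(24) + SPENDER + "0".repeat(62) + "64";

for (const data of [SAMPLE_UNLIMITED_APPROVE, SAMPLE_APPROVE_ALL, SAMPLE_SMALL_APPROVE]) {
  const r = inspectCalldata(data);
  console.log(r.method, r.warnings.length ? r.warnings : "no warnings");
}
```

A wallet would run this kind of decode on the `data` field of every `eth_sendTransaction` request and surface the warning in the confirmation dialog rather than showing raw hex.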
> When a site initiates a transaction, you can see the address you're interacting with. You should then look up the address on etherscan to see if it has public code and a lot of transactions. Then you should search that address in google and see if the main site links to it. A lot of projects have a list of addresses in their github. You can also inspect the function code. Once you're comfortable, you should add it to your saved addresses on your wallet and next time you'll see the name of the address
> Also you can create a new throw away address, transfer just a little bit of coins to it and interact with the contract. If it does what you think it should do, then you can create a new account and do it again.
How much money would you be spending on this scheme (in transaction fees)?
Any suggestions for how this could be scaled up to the general public (the vast majority of whom aren't comfortable reading code and have no idea what github is)?
There may be a public repo of known addresses. Of course it would be centralized and carefully curated, but I think that would be a good start.
I wish wallets made it easier to create a burner throw away account or there were some trusted contracts that would create an account, do something and then transfer back to another account. I don't know if anything like that exists or even if the workflow is generalizable enough
I'm currently building in the ability to inspect a transaction's effects before it is run directly into MetaMask. So... we'll alleviate some of the problem Soon (TM)
There is nothing about crypto that prevents scams.
But in the regular banking system we have decades of experience in how to mitigate the impacts of them e.g. account insurance, MFA for any new transfers or over a certain limit, auditing by independent regulators.
Crypto attracts a lot of statements like this and it's so ridiculous when you think about it because usually the statement applies so generally as to be virtually irrelevant. Almost every invention or new thing solves a problem that was solved already, and yet they often find success and may even become more popular than whichever way people were using to solve that problem before.
The tech community should be keenly aware of this because there are new apps, new languages, new libraries, new plugins, etc all the time, which solve a problem that was pretty much solved already.
You might counter that new things usually have to have some value proposition to gain a footing, like cheaper, faster, more reliable, etc. For one, that's not always true, but also crypto does have a value proposition like that. It's immutable, trustless, and can be anonymous. And it is even cheaper and faster than the regular banking system in some circumstances, depending on the sum being sent and where it goes.
It depends on the website and the wallet, but either way the wallet app tells you what permissions it's giving the website. My guess is people don't pay attention or think about it. But it's not as parent described "the way the crypto community designed it". It's actually the opposite. The crypto community designed wallets that give you control over what third parties are allowed to do with your accounts. It's a lot more than what debit cards offer (I say debit cards because credit cards do of course offer a good rollback system).
Last year I had about $6k stolen via a compromised debit card and spent on some fly-by-night crypto exchange. The money was rolled back to me by the bank; no idea what happened on the crypto exchange side.
The difference is with a debit card you are out the money until it gets resolved. With a credit card you aren’t. But most banks will extend the same fraud protections regardless.
To be clear though, if the issuer doesn't impose its own limitations on cardholders' liability, there are still limitations based on Federal laws, and these are different for credit and debit cards. For credit cards it's a simple "liability shall not exceed $50" rule. For debit cards it depends; it can be unlimited in the case of "failure of the consumer to report within sixty days".
So it's safest to just avoid debit cards, unless you know that the issuer has their own legally-binding limits on cardholder liability.
I think debit cards are more variable with bank and perhaps jurisdiction - credit cards somewhat naturally come with such protection since as a user your agreement is with the issuer (and hand wave, hand wave, ability to authorise payments) not the vendor.
Your bank irrespective of whether it's a savings account, credit card etc will almost always insure you against fraud provided you didn't do anything reckless e.g. write your PIN on the card.
> My guess is people don't pay attention or think about it.
This is a well known fact in secure system design. Most people just click through dialogs. If you must get their attention you have to make the dialog huge and scary but then people will usually just turn back instead of reading. Scary dialogs make it seem like you should never say OK.
“Undo” is powerful in any app, not just because it can roll a change back with a single click, but because scary dialog boxes (“Really, really REALLY delete this file? It can not be recovered once deleted, so check this box saying you know what you’re doing before clicking OK”) don’t work for regular apps, either.
On whose authority and why? In this case the customer was promised a product they didn't get. And with traditional banking usually it's the other way around, businesses have to live with chargebacks for products they sell to people with stolen card info.
Always someone getting burned, but in this case it's the "idiots" for lack of better word. Don't try to make cryptocurrencies work like fiat, that's exactly the kind of problems they're trying to solve.
And let's say someone implements your solution, years later you will read how a bad actor did a chargeback for all the coins in those contracts and you will claim it was a retarded feature from the start.
You didn't even explore any of the options for different types of "undo" operations that could be possible in contracts. You seemed to simply assume recreating the exact same situation that exists in traditional finance and responded based on that.
There are several other ways of doing it that I can think of, all with their own pros and cons. There are even a couple that have already been applied in crypto that I can think of and I'm sure many that I'm not aware of.
And why would you assume I even meant "reimplement traditional chargebacks as they are today"? My recommendation: Hold off on forming strong opinions too early in the process of learning about something.
How about an example? I still don't see how it's possible in a decentralized system but go ahead prove me wrong. I'm not trying to be offensive I'm genuinely curious.
Users might think to themselves, I give my credit card number to all kinds of sites; how is this any different?
The internet has kind of conditioned all of us to be OK with passing around complex payment instruments without paying too much attention. If you're a hardcore believer in cryptocurrency as a political project, you almost certainly understand the difference and see the "code is law" dark forest as a feature, not a bug. But if you started buying crypto and NFTs because Matt Damon and Larry David told you to, then you're in for a world of hurt.
The crypto space is rediscovering the financial system from first principles. At least by the end they can hopefully appreciate that the original government controlled system actually works the way it does for a reason.
> At least by the end they can hopefully appreciate that the original government controlled system actually works the way it does for a reason.
"A religion cannot fail, it can only be failed"; I admire your optimism, but I expect that the true believers will not question whether the premise of cryptocurrencies is wrong, but rather will twist themselves in knots to find new scapegoats as to why it doesn't work the way they expected.
All of these scams, crashes, and exploits are things that happened previously with regular currencies and have since been regulated away. Now crypto comes in with unregulated currency and runs into every issue the regulations existed to prevent.
These scams, crashes, and exploits are non-issues to anyone with a reasonable degree of competence and skepticism. The solution is not to "fix" the system by removing user agency so that even an idiot can use it safely, but to educate users so that an idiot doesn't need to use cryptocurrency in the first place.
This criticism of cryptocurrency would be analogous to criticizing the concept of fiat currency by pointing to the inflation of the deutsche mark as an example. The cryptocurrencies being discussed here are real cryptocurrencies, they are bloated and useless shitcoins. Any credible project would not have all the bloated crap that enables the "exploits" mentioned in the article in the first place.
You can't both want crypto to have a real, material future and also simply blame the user for everything they get wrong or don't bother to educate themselves on.
If it's harder and riskier then the user isn't going to care if it's their fault or not.
Do you want a world where crypto is common and useful, or do you want it where it's the web equivalent of casinos, with some sharks making money off suckers but most people not taking it seriously as a "real" or useful business?
>You can't both want crypto to have a real, material future and also simply blame the user for everything they get wrong or don't bother to educate themselves on.
I can and I will. People know not to give out their credit card numbers to fishy businesses or install untrustworthy software on their computer. Why does that personal responsibility suddenly disappear when we talk about cryptocurrency?
>Do you want a world where crypto is common and useful, or do you want it where it's the web equivalent of casinos, with some sharks making money off suckers but most people not taking it seriously as a "real" or useful business?
The path to the world where crypto is a common and useful tool starts with these speculators and gamblers losing all their monopoly money and leaving. It's no surprise to me that the "scams" and "exploits" mentioned in the article are enabled by bloated "smart contract" cryptocurrencies like Ethereum that serve little real purpose.
It's pretty well known that individuals _do_ need protections against this while institutional investors do not. When crypto gets on the news, regular, uninformed people go and dump their life savings into it. No matter how much you tut tut and say they should have done their research, they will still do it. And preventing people from losing their life savings on scams is good for society in general.
No. If you invest your money in something you do not understand, you deserve to lose it. I'm sorry you think that you need some authority to put their thumb on the scale and tell you what you can and can't do with your own money.
Why do you believe that victims should be punished? Wouldn't it be more compassionate to recover their losses and punish the perpetrators? Trust shouldn't be seen as a weakness. Trust powers all the best things humans can do. Trust should be rewarded, not punished.
>Why do you believe that victims should be punished?
I don't believe victims should be punished. I just don't think victims should be rewarded either. I do think that the perpetrators should be punished.
>Wouldn't it be more compassionate to recover their losses
It would be "compassionate", but it would also encourage people to make risky and stupid decisions. Tough love I suppose.
>Trust shouldn't be seen as a weakness. Trust powers all the best things humans can do. Trust should be rewarded, not punished.
There is a difference between knowledge, trust, and blind faith. Your inability to discriminate between the three is what allows you to mix these unrelated platitudes.
> It would be "compassionate", but it would also encourage people to make risky and stupid decisions. Tough love I suppose.
What you call tough love, I call inflicting trauma that makes everyone worse off. No one should ever risk being destitute. There's no societal benefit to risks with a downside of total loss.
And that's why I think your comment of blind faith was a non sequitur. I'm not advocating for blind faith, I'm advocating for informed faith. I think we should have an informed assumption that the risk in a scam is on the part of the scammer. When something blows up, the scammer pays. Let's go ahead and reward people for blowing up scams from the inside.
Do you feel the same way about violent crime? I.e., if a person through their own stupidity or naivete puts themselves in a position where they become a victim of armed robbery/assault/murder/rape, did they get what they deserved?
Only to the extent that the violent crime is preventable. Ultimately, the victim bears the risk and the rest of society will do what they must (policing, self-defense, investigation, justice, compensation) after the fact to prevent future victimization themselves.
In the case of crypto/investment fraud, you have to take into account that all investments and transactions bear a certain amount of risk and reward. It's not fair to expect the public to bail you out for risks that you knowingly accepted when they wouldn't get a slice of the reward. In the conventional financial system, the public sees a slice of that reward through taxation. The same is not true of cryptocurrency, so why use everyone else's tax dollars to regulate it?
The only reason authorities like the SEC exist is to reduce risk, thus increasing the amount that ordinary people can safely invest. It's not a matter of ethics, it's a matter of economics.
> In the conventional financial system, the public sees a slice of that reward through taxation. The same is not true of cryptocurrency, so why use everyone else's tax dollars to regulate it?
You should maybe run that past a tax attorney just to make sure. I'm in the US, where capital gains from cryptocurrency are taxed just like capital gains from stocks, but of course this may not be true in your jurisdiction.
> The only reason authorities like the SEC exist is to reduce risk, thus increasing the amount that ordinary people can safely invest. It's not a matter of ethics, it's a matter of economics.
I don't think that's correct, but if it is, yeesh! What a bleak hellscape we live in, where the only reason to add safety to anything is to prevent the plebs from getting too scared to spend money.
I take it from your responses that you're one of the "hardcore believers in the 'code is law' dark forest" mentioned in an earlier comment, so I guess we'll just have to agree to disagree.
The point is that cryptocurrencies are not secure nor dependable in the way that people actually need them to be, and they don’t solve any of the actual problems that people have with the banking and credit system.
Cryptocurrencies are secure and dependable in the way that I need them to be and they solve problems that I have with the banking and credit system.
I mean, really. The security of the banking/credit system is not even based on public/private key cryptography. There is no notion of a separate spend address vs a sending address. Anyone with access to your (usually open source or easily findable) information can make a transaction on your behalf. Identity theft is a massive problem which is enabled by the current state of the industry.
I’d probably blame the victim if they kept their USD as 1 dollar bills scotch taped to the outside of their clothing though.
I think it’s the nature of crypto that part of the benefit comes from the cost of it being up to the individual to maintain. Selling a product/service that consumes crypto or holds it easily might be the answer (like a bank is to usd), now the individual is giving up the keys though.
There’s a trade-off there that is very cool because it only exists because bitcoin adds the option of more reliably securing the money “all by yourself” rather than needing a bank due to physical limitations.
In that sense there are many crypto holders out there that may wish they had just kept it on Coinbase…
TLDR the cost of having it be serious to use crypto is well worth it for the power and value of crypto itself, it’s like the cost otherwise paid to run a bank, put into a different form, the average economy of carelessness
> Absolutely baffling that the crypto community normalized this process of connecting your wallet to a random website and letting it access all of your money.
Is it worse than browsers+OSes allowing you to download and run a program? Or Github or npm or browser extensions? All 4 of those could steal all your crypto too if you install them.
It's one thing to have complex payment instruments where innocent mistakes are reversible. Having them in a world where everything is permanent is another situation entirely.
The fact that gas fees even exist just boggles the mind.
Bank fees at least on paper pay for overhead of running the wire transfer system. Gas fees (to my uninitiated understanding) literally just pay for the excess waste that is Ethereum, by design.
It turns out you're not the first person to realize that this is an issue. If you'd actually read up on cryptocurrency wallets before commenting, you might have found there are multiple solutions for this out already, including one of the most popular Ethereum wallets called Argent, which lets you set limits.
Basically the fraud described is a twist on the classic "Musk giving away BTC" scam that's all over YouTube because Google is apparently unable to prevent it. You have to be fairly naive to fall for it in the first place. But ok, no victim-blaming. The way you can prevent it on smart contract platforms is simply holding the funds in a smart contract that allows users to set restrictions so that they couldn't take that expensive NFT even if the user mindlessly clicks on a phishing link, connects the wallet and approves the transaction without checking what it is. Same as having a withdrawal limit on your bank card. And you can also whitelist wallets, the contract then automatically blocks any transfers to untrusted wallets. If the user manually overrides this by getting his guardians to agree, there's no stopping them of course.
Ultimately you won't be able to protect everyone. A determined enough fool can also go to Western Union and mail money to the scammer. In the US they have those prepaid card scammers. Or they come to your home, telling you they're police and need to inspect your valuables. Yes, that's a real actual scam that exists in Europe.
> If you'd actually read up on cryptocurrency wallets before commenting, you might have found there are multiple solutions for this out already, including one of the most popular Ethereum wallets called Argent, which lets you set limits.
You're making a great example of the victim-blaming I mentioned in my comment: That anyone who is surprised by their money disappearing clearly just didn't do all of the right research and use the right wallets and set all the right options to set the right limits and so on and so on.
Obviously there are right ways to navigate the crypto space and not get burned, but the issue is that the crypto community seems to think it's okay that everything is so complicated and so prone to new users making mistakes that people are routinely losing huge amounts of money due to not being 100% up to date on the right way to do everything.
> The way you can prevent it on smart contract platforms is simply holding the funds in a smart contract that allows users to set restrictions so that they couldn't take that expensive NFT even if the user mindlessly clicks on a phishing link, connects the wallet and approves the transaction without checking what it is.
Yep, sounds easy. To avoid losing everything you just have to set up a smart contract and then...
I can't believe this stuff passes for reasonable suggestions in the crypto world.
You ignored the part about how people are scammed using credit cards, cash, wires, etc. The problem isn't crypto - it's dishonest people developing scams to trick others into sending money. I'd bet that far more money is lost in scams using methods that don't depend on cryptocurrency rather than the ones that do. Just like with those other scams, education is a very important part of prevention.
With other scams, it’s supremely hard for scammers to cash out without a clear identity trace to follow. As a simple example, the huge explosion in ransomware is directly linked to the rise in cryptocurrency, because prior to that getting paid for ransomware was much tougher.
With Crypto, payments are irreversible, all transactions are transfers, all payees are equal (no merchants for payments and P2P for transfers) and it all combines together to be the perfect scammer heaven - you can scam people without any repercussions anonymously.
It's an app that you download and setting up is so easy an 8 year old can do it. No one has to deploy a smart contract on their own, you just go to the app store and install it. It's inexplicable to me why someone would complain about software they've clearly never used or even looked at.
Of course people can use other wallets if they like to. These are open networks just like the internet itself. No one can stop folks from doing dumb stuff online, input their credit card information where they shouldn't, wire thousands of dollars to a "girl" overseas who "loves" them, visit shady sites with their outdated Internet Explorer on a Windows XP machine... Why didn't Microsoft prevent this!?
> The way you can prevent it on smart contract platforms is simply holding the funds in a smart contract that allows users to set restrictions so that they couldn't take that expensive NFT even if the user mindlessly clicks on a phishing link, connects the wallet and approves the transaction without checking what it is.
Yes, so simple! Just put your coins into this website’s smart contract and you’ll be much more secure.
Btw yes, from a user perspective it actually is very simple and easy to use. It's a good wallet for beginners. Most who're more active and understand the tech have hardware wallets. You could combine the two solutions as well.
Do you explain TLS to casual internet users? I'd like to see that.
The regular non-tech savvy user doesn't necessarily have to understand the details. That's why people are working on such solutions in the first place. Someone experienced with blockchains would never connect their wallet to a random stranger's and approve draining their funds. However the massive hype around them has brought in a lot of new users.
Wallets have come a long way from people writing their private key on a piece of paper back in the early days. The above complaint is bizarre in this context, because what they described is the exact opposite of what's actually happened. Every reputable wallet team has worked hard on improving security over the past years using strategies like social recovery, multi sig, cold storage of keys, etc.
> smart contract that allows users to set restrictions so that they couldn't take that expensive NFT
If they got someone to execute a malicious transaction, couldn’t the scammer just `curl etherscan.io/VICTIM`, get the restriction amount and go just under that? With normal banking, everything is closed so you can’t access that kind of information that easily, but since crypto is so open, isn’t this possible?
This is why you use a reputable website, like Coinbase, despite the outrageous fees. They have a brand as collateral if they fuck up. They had that crazy early growth rate, and at the very least the dot-com of a word Satoshi coined, and he's coined more wealth than literally anybody. Modern day Croesus of Lydia. Literally as rich as Croesus.
People think of history like it was wonderful, but it was full of cons and scams. Reputation matters, and people with reputations charge a premium for it.
One of the best aspects of regulation is exactly to remove the reputation tax by mandating everyone follow the same practices as the trusted institution.
The real sad aspect is that the crypto-libertarians of today are repeating some of the exact same clear scams from the wildcatting era, and when it's brought up, it's just mocked because, honestly, who is going to read a book about 19th century finance when you can just watch the new Star Wars show instead.
btw "bad regulation" is usually due to regulatory capture [1] whether in legislation (i.e., regulation without teeth, designed to fail) or in practice (i.e., revolving door/corruption).
Which usually points back to the companies/industries being regulated.
The problem with democracy and regulations both come down to essentially sovereign financial powers (wealthy/corporate) that have interests that don't align with the people or the state that is supposed to represent the people.
These corporations control us if we don't control them.
The problem with democracy is the Dunning-Kruger effect more than the principal-agent problem. People think highly-complex problems are obvious and easy. They care more about big sweeping theory than they do about local technocracy.
The idea that anti-intellectualism even exists is testament to this.
Gonna say something that would likely be downvoted but a functioning society does not need democracy. A governing body needs legitimacy because its power springs from the people, but democracy and voting are not necessarily requisite.
e.g. China/CCP (which isn't really communism, but definitely not democratic).
How is regulatory capture a problem of democracy? Surely you only need a regulator and a party to capture them?
For example, what's stopping a company in China lobbying a minister for regulations that harm their competitors? The Minister may not have been elected through democratic means, but regulatory capture can still occur.
I didn't mean exclusively. I meant it's an existing problem, the distance between the regulator and the authority, which in democracy is quite distant, but in other forms of government can also be quite distant.
> […] when it's brought up, it's just mocked because, honestly, who is going to read a book about 19th century finance when you can just watch the new Star Wars show instead.
Modern-day anti-intellectualism FTW! I know, I know, commenters will argue that this is mainly a laziness problem… But when has it ever been “cool” to read (in the sense of being socially incentivized broadly speaking)? To quote a modern day (retired) twitter poet: “Sad!”
Again, the purpose of blockchain-as-capital is exactly to escape regulatory requirements. One of the main reasons why we are able to use the banking systems like we do is the ability, generally, to unwind transactions that were fraudulent. There are also disclosure forms that must be presented as a double-check, for transactions that cannot be unwound.
With most blockchains, this is entirely not feasible. The irony is that many of the brokers will likely be swamped by regulation going forward exactly because people will be unhappy with the lack of these types of disclosures.
No need to condescend-- the gap isn't that I didn't read what you wrote, or even that I disagree. Your point is just unrelated to the situation we're talking about.
A wallet is not like a bank. It's like.. well, a wallet. If you hand a wallet full of cash to a thief, no banking regulation will protect you. The traditional digital equivalent is a Visa gift card or Western Union.
I absolutely despise crypto scammers, but looking at those asinine graphics they use to lure in their suckers, it makes it VERY VERY VERY difficult to have any empathy for their victims.
If that whole "Amazing Pandaverse" theme template appeals to your aesthetic sensibilities and primal urge to get rich quick and screw everyone else and the environment while wearing kewl sunglasses and dollar sign bitcoin logo bling jewelry, you're probably a huge narcissistic douchebag who actually deserves to get the fuck scammed out of you, not a poor innocent senior citizen living on a pension.
It kind of makes me nostalgic for the good old fashioned robot insurance scams targeting seniors, when you could actually feel sorry for the victims.
Lol come on, not everyone who falls for these is a douchebag. Many are in min wage jobs just trying to get out of it and 'make it', I bet they think it's childish looking too but hey I can make double my meager savings
I totally agree, it's victim blaming, but the incredible level of self sabotage and tolerance for douchebaggery the victims exhibit is a huge drain on my limited supply of empathy, after so many years of trying to deprogram and empathize with gullible racist fuckhead suckers who got scammed by Trump, and have been programmed to view empathy as a weakness, so don't deserve it themselves. And there's probably a huge overlap between people who admire golden toilets and bored ape jpegs.
At any rate, they'll probably reskin these templates to feature Hummel figurines, then I can feel sorry for the victims again.
Thanks to MATT DUNHAM. i was able to recover all my lost bitcoin from forex trading guys, when it comes to recovery of funds either from binary options, crypto, forex and Ponzi schemes. ( MATTDUNHAM928 at gmail dot com ) His the best recovery expert i have ever seen all my life. He recovered my funds and also funds of my friends, colleagues who were in similar situation as i was...
I sometimes wonder what people behind these actually do (or used to do) and how they got into it. It takes real work to build these things, deploy, sell, and maintain these things, doesn't seem to be the sort of thing that grew from a weekend side-project in my opinion. They could spend that time working on something more legal.
Unless I'm misunderstanding something, I don't think it can. Your ownership of NFTs and ETH balance is public info on chain, and the site can construct a malicious transaction giving them away, but it ultimately has to trick the user into signing it. Not really sure what leeway they have to manipulate how the wallet UI presents the tx to the user though.
Metamask presents a big red warning when it requests a signature for a hex ETH transaction. But most people don’t read. Or they request token approvals users don’t bother to modify.
What on earth does that even mean? It's no wonder people keep messing this up. You need to spend half your life keeping up with the tech just to not get scammed.
I'm guessing the confusion is the "hex ETH" part. I know what a digital signature is and I can guess that ETH = ethereum, but have no idea what "hex" means so I can't "keep up" with your comment either.
I believe the malicious tx is basically serialized into a hex string, so not easily inspected by the user. As such, the wallet gives a warning, which the user ignores
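The comment above makes the point that a raw transaction is a hex blob the user cannot easily read. As an added example (not MetaMask's or any wallet's code), this RLP-decodes a constructed legacy Ethereum transaction and explains its calldata, flagging the ERC-721 `setApprovalForAll` grant that token-approval phishing prompts rely on. The function selectors are the standard ERC-20/ERC-721 ones; the addresses, the sample transaction and all helper names are constructed for this example.

```javascript
// Added example, not wallet code. Decodes a raw legacy Ethereum tx (RLP hex) and
// explains the calldata it carries. All addresses below are constructed placeholders.
const hexToBytes = (h) =>
  Uint8Array.from((h.replace(/^0x/, '').match(/../g) || []).map((x) => parseInt(x, 16)));
const bytesToHex = (b) => '0x' + Array.from(b, (x) => x.toString(16).padStart(2, '0')).join('');
const bytesToBigInt = (b) => (b.length ? BigInt(bytesToHex(b)) : 0n);
const readInt = (buf, pos, n) => { let v = 0; for (let i = 0; i < n; i++) v = v * 256 + buf[pos + i]; return v; };

// Minimal RLP decoder: returns [item, bytesConsumed]; byte strings are Uint8Array, lists are arrays.
function rlpDecode(buf, pos = 0) {
  const b = buf[pos];
  if (b < 0x80) return [buf.slice(pos, pos + 1), 1];                            // single byte
  if (b < 0xb8) return [buf.slice(pos + 1, pos + 1 + b - 0x80), 1 + b - 0x80];  // short string
  if (b < 0xc0) {                                                               // long string
    const ll = b - 0xb7, len = readInt(buf, pos + 1, ll);
    return [buf.slice(pos + 1 + ll, pos + 1 + ll + len), 1 + ll + len];
  }
  const ll = b < 0xf8 ? 0 : b - 0xf7;                                           // short / long list
  const len = ll ? readInt(buf, pos + 1, ll) : b - 0xc0;
  const items = [];
  for (let p = pos + 1 + ll, end = p + len; p < end; ) {
    const [item, used] = rlpDecode(buf, p);
    items.push(item); p += used;
  }
  return [items, 1 + ll + len];
}

// Legacy tx fields: [nonce, gasPrice, gasLimit, to, value, data, v, r, s]
function decodeLegacyTx(rawHex) {
  const [fields] = rlpDecode(hexToBytes(rawHex));
  if (!Array.isArray(fields) || fields.length < 6) throw new Error('not a legacy transaction list');
  const [nonce, gasPrice, gasLimit, to, value, data] = fields;
  return { nonce: bytesToBigInt(nonce), gasPrice: bytesToBigInt(gasPrice), gasLimit: bytesToBigInt(gasLimit),
           to: to.length ? bytesToHex(to) : null, value: bytesToBigInt(value), data: bytesToHex(data) };
}

// Standard ERC-20 / ERC-721 selectors (first 4 bytes of keccak256 of the signature).
const KNOWN = {
  '095ea7b3': { name: 'approve', types: ['address', 'uint256'] },
  '23b872dd': { name: 'transferFrom', types: ['address', 'address', 'uint256'] },
  '42842e0e': { name: 'safeTransferFrom', types: ['address', 'address', 'uint256'] },
  'a22cb465': { name: 'setApprovalForAll', types: ['address', 'bool'] },
};
const MAX_UINT256 = (1n << 256n) - 1n;

// Explain the calldata and flag what signing it actually grants. `signer` = wallet asked to sign.
function inspectCalldata(dataHex, signer) {
  const data = hexToBytes(dataHex), warnings = [];
  if (data.length === 0) return { name: null, args: [], warnings };            // plain ETH transfer
  const sel = bytesToHex(data.slice(0, 4)).slice(2), sig = KNOWN[sel];
  if (!sig) return { name: `unknown selector 0x${sel}`, args: [], warnings: ['unrecognised function; do not sign blind'] };
  const args = sig.types.map((t, i) => {
    const w = data.slice(4 + 32 * i, 36 + 32 * i);                              // one 32-byte ABI word per static arg
    return t === 'address' ? bytesToHex(w.slice(12)) : t === 'bool' ? w[31] !== 0 : bytesToBigInt(w);
  });
  if (sig.name === 'setApprovalForAll' && args[1]) warnings.push(`grants ${args[0]} operator rights over EVERY token in this collection`);
  if (sig.name === 'approve' && args[1] === MAX_UINT256) warnings.push(`unlimited allowance for ${args[0]}`);
  if (/transferFrom$/i.test(sig.name) && signer && args[0].toLowerCase() === signer.toLowerCase())
    warnings.push(`moves token #${args[2]} out of YOUR wallet to ${args[1]}`);
  return { name: sig.name, args, warnings };
}

function summarizeSignRequest(rawHex, signer) {
  const tx = decodeLegacyTx(rawHex);
  return { ...tx, call: inspectCalldata(tx.data, signer) };
}

// Constructed sample: value is 0 ETH, but the calldata is setApprovalForAll(OPERATOR, true).
const NFT_CONTRACT = '0x' + '11'.repeat(20);   // placeholder collection address
const OPERATOR = '0x' + '22'.repeat(20);       // placeholder operator the site wants approved
const SAMPLE_RAW_TX = '0x' + [
  'f869',                 // RLP list header, 105-byte payload
  '80',                   // nonce 0
  '843b9aca00',           // gasPrice 1 gwei
  '830186a0',             // gasLimit 100000
  '94' + '11'.repeat(20), // to = NFT_CONTRACT
  '80',                   // value 0: no ETH moves, which is why the prompt looks harmless
  'b844a22cb465' + '00'.repeat(12) + '22'.repeat(20) + '00'.repeat(31) + '01', // data, 68 bytes
  '018080',               // v = chain id 1, r = s = 0 (unsigned EIP-155 form)
].join('');
const report = summarizeSignRequest(SAMPLE_RAW_TX, '0x' + '33'.repeat(20));    // '0x33…' = placeholder signer
console.log(JSON.stringify(report, (k, v) => (typeof v === 'bigint' ? v.toString() : v), 2));
```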
My next billion dollar app will be a service that unlocks anyone's doors and gives you directions to their valuables (with augmented reality ofc). That way, you can directly steal from people without the complexity and carbon footprint of traditional cryptocurrency and NFT projects.
Tell August, Ring, and Nest you have a new auditing API designed exclusively for them coupled with a value-add homeowners asset inventory management app. ;)
The house equivalent of leaving car doors rolled down and doors unlocked for SF, PDX, and ATX. We'll call it OpenHouse. Come by and steal our shit in an organized way because our police won't do a damn thing to stop you. The app even turns a light on and leaves milk and cookies to make you, dear crook, feel right at home while you're pilfering our valuables to sell for crack.
Not necessarily a bad person. But to think that people who may not have the education to understand NFTs deserve to be robbed seems to justify preying on people.
NFTs are an absurdity, but millions are spent on advertising them to an unprotected public. Those are the real culprits.
Scammers do not deserve to get any money, that's for sure.
Most people don't understand things they invest in/buy.
Most people buying stocks don't understand the company as well as someone who works in the sector.
Most casual art appreciators don't know how to tell if a painting they're buying is a forgery.
Most people buying a house don't know how to assess the foundation, and even if they get a professional assessment, they don't have the same knowledge of the housing market as professionals. Maybe that neighbourhood is slated for rezoning in 5 years that would devalue the property.
Heck, even people buying gold/diamonds get ripped off on fakes/synthetics.
Outside of investments, most people here have probably bought a car. Do people who buy a car deserve to get ripped off if they don't understand how every component works well enough to inspect it themselves?
If every transaction required perfect understanding by both parties, there would be no markets. We have regulations to reduce the amount of understanding needed to participate in markets without getting fleeced, which makes the markets function.
Crypto is new and unknown for most people, and high risk-high reward. Lemonade stands are tried and tested, and most people understand them well.
I think a better analogy would be someone walking into a trap-house and buying drugs: they might have the high of their life, or they could get robbed. There are no regulations, so it is up to the individual to use their "street-smarts" to be successful. A person who gets robbed buying drugs or loses Crypto in a scam can be criticized, whether this is "victim blaming" or "being realistic" is just semantics.
There we go, a use case for NFTs! If Vancouver real estate was all on the block chain then people could steal it and so people wouldn't want to own it because it'd get stolen, and prices would drop!
It's clear the GP isn't making a categorical claim about disapproval.
It's more likely they think that the victims here had every available opportunity to exercise basic diligence. I'm not sure I actually agree with that (I think a lot of the people getting scammed here are being predated on by a market that thrives on misinformation), but that's a far cry from how you've interpreted the comment.
Not strictly theft, but I approve of people criminally obstructing actions which are bad for the environment. Destruction or obstruction of coal power mining/generation or smaller movements like deflating the tires of luxury SUVs.
If the law doesn't take environmental action seriously then individuals have to take control. Destroying the entire crypto market, even criminally, would be a benefit to the world.
So let me get this straight. You just connect your Wallet to a random website and let them run arbitrary smart contracts? That's wild, man. Surely there's gotta be some concern here that someone could take your shit.
I'm just surprised there isn't a privacy.com equivalent for this, like a limited-view wallet that lets you create sub-wallets for interaction with various services. Or if there is, perhaps it's not famous yet. Worthwhile product, I think, but hard to build because you'll be the target of everything. I think it would be easy for me to make a mistake somewhere while building it.
Nothing stops a person making a new wallet with limited assets for interaction with less reputable websites.
Web3 culture has made this quite difficult in practice. For example, it's quite normalised to say "new exciting nft project, only available to existing owners of expensive nfts". This sort of thing is considered an ownership perk. And it's why those discord hacks were so damaging, a statement like that was made and it did not sound out of character. So in order to use this service, you must be using the wallet with your expensive nfts, so ownership can be verified, but also because it's a phishing site.
Edit: and if you wanted to routinely transfer small funds to a hot wallet, gas fees will put a stop to the idea.
Why is the MetaMask UI so dumb that it can't say "This transaction is sending your NFT to address X. Address X has [reputation stats of some sort]. Is that what you want?"
Surely attackers could just make a new wallet as soon as they are added to the blacklist? Unless making a new wallet and updating the script is difficult / expensive, a blacklist system would have pretty low benefit:cost.
Metamask presents a large red warning when a user is prompted to sign a raw transaction, and they’re planning on deprecating that part of the API, so hopefully that helps.
It's just plain and simple phishing -- the user still has to authorize the transaction, nothing gets stolen just for visiting the site or connecting the wallet.
Not to say it's the user's fault entirely. What they're taking advantage of is that generally people are less familiar with what to look for in a crypto transaction vs say an online credit card form (and/or wallet UI is worse than a typical Stripe checkout)
> Surely there's gotta be some concern here that someone could take your shit.
Sure.
Keep in mind though that crypto is battling the status quo where some arbitrary user could initiate an arbitrary chargeback through the use of a third party. Good luck building a smart contract around that!
With crypto there's no confusion or anxiety-- your coins are provably gone in the example you're citing.
In a way it's like the old error-prone analog computers vs. the new binary-logic-based digital ones. Yeah, rampant theft is bad, but it is discrete theft. And that is the point-- we can measure it in ones and zeros to build upon and compose the digital infrastructure that will become web4.
The same reason anything isn't automated: the developer estimates the cost of developing the system is higher than the potential upside. At some point, someone will add this functionality to their coin / platform because they think the potential upside will be worth it.