The Crypto Thread

You don’t think this scam being discussed is interesting at all?

Maybe we should have another thread just for crypto scams that you can ignore.

Why is it racist to think sports jocks may be dumb?

Omg is that a…PAUL NEWMAN DAYTONA???


imagine a world where you learn about a game, and dozens of your friends learn that game and discuss it on a serious level for many months. and one friend starts off so prejudiced against that game, but still wants to talk about it, so he finds all the fake news social media stories and youtubes that support his incorrect position, and keeps it up for MONTHS in the face of the opposite of all his predictions becoming reality. you’d say, “this is a Q guy, i should address his concerns point by point in a measured way, forever”

mfers up to $9k

Aave wrapped ETH (AWETH) is a wrapped Ethereum used to transact on Aave, which is a DeFi protocol enabling interest earning and such, which is why this guy says most of his ETH is stored in that format. It’s quite common to “wrap” eth in this way, creating tokens with an identical value to native ETH, because those tokens have capabilities native ETH doesn’t have. One of those capabilities is delegating to smart contracts the ability to transact on your behalf. “Armstrong wrapped ETH” is probably not a thing but was just a name created so that a request to transact with something called “AWETH” wouldn’t look weird. Obviously these names are just names of convenience over real unique identifiers.

What’s going on in the second pic is not complicated. This guy had granted the smart contract unlimited ability to transact in AWETH on his behalf, and the contract intended to use that permission to send it all elsewhere. There are approvals other than unlimited approval, like you can approve contracts to transact for set amounts, but then you have to pay gas every time you make a new approval. So when it’s some random game token you don’t care about it’s not weird to give a contract unlimited permission.

The lessons here are pretty basic, namely don’t grant token approvals unless you’re 100% sure you’re approving the correct token and don’t grant any kind of unlimited permission to shady contracts on wallets holding giant amounts of money. As ever with these sorts of attacks, it was only the sophisticated social engineering which got this anywhere near working.

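The approve/transferFrom mechanism the post above describes, as an added example (this is not code from the thread, from Aave or from any real token contract). It is a small in-memory model of the ERC-20 allowance rules: the owner signs approve(spender, amount), which moves nothing, and the spender can later call transferFrom at will up to that amount. The token name, addresses and balances are constructed for illustration; the one real detail is that common ERC-20 implementations skip decrementing an allowance equal to the uint256 maximum, which is why "unlimited" stays unlimited.

```javascript
// Added example, not code from the thread or from Aave: a minimal in-memory
// model of the ERC-20 approve()/transferFrom() allowance mechanism described
// above. Names, addresses and balances are constructed for illustration.
const UINT256_MAX = (1n << 256n) - 1n; // the "unlimited" amount wallets display as infinite

class Erc20 {
  constructor(symbol) {
    this.symbol = symbol;
    this.balances = new Map();   // owner address -> bigint
    this.allowances = new Map(); // "owner:spender" -> bigint
  }
  balanceOf(owner) { return this.balances.get(owner) ?? 0n; }
  allowance(owner, spender) { return this.allowances.get(`${owner}:${spender}`) ?? 0n; }
  mint(to, amount) { this.balances.set(to, this.balanceOf(to) + amount); }

  // approve(spender, amount), signed by `owner`. This is the transaction the
  // victim confirmed: it moves nothing, it only records a spending limit.
  // Revoking is the same call with amount 0.
  approve(owner, spender, amount) {
    this.allowances.set(`${owner}:${spender}`, amount);
  }

  // transferFrom(from, to, amount), called by `spender` (msg.sender in Solidity).
  // The spender can pull tokens at any later time, with no further signature
  // from `from`, as long as allowance and balance both cover the amount.
  transferFrom(spender, from, to, amount) {
    const allowed = this.allowance(from, spender);
    if (allowed < amount) throw new Error(`${this.symbol}: insufficient allowance`);
    if (this.balanceOf(from) < amount) throw new Error(`${this.symbol}: insufficient balance`);
    // Common implementations (e.g. OpenZeppelin's ERC20) do not decrement an
    // allowance equal to uint256 max, so "unlimited" never wears down.
    if (allowed !== UINT256_MAX) this.allowances.set(`${from}:${spender}`, allowed - amount);
    this.balances.set(from, this.balanceOf(from) - amount);
    this.balances.set(to, this.balanceOf(to) + amount);
  }
}

// Scenario from the post: the victim approves a scam contract to spend aWETH,
// then the contract sweeps as much as the allowance permits to the scammer's
// own address. Returns how much was taken and what the victim has left.
function runApprovalScam(approvalAmount) {
  const aweth = new Erc20("aWETH");
  const victim = "0xvictim", scamContract = "0xscamcontract", scammer = "0xscammereoa";
  const holdings = 100n * 10n ** 18n; // 100 aWETH, 18 decimals (constructed)
  aweth.mint(victim, holdings);

  aweth.approve(victim, scamContract, approvalAmount); // the click the victim made

  // Attacker's sweep: take min(allowance, balance). Nothing stops this except
  // the allowance itself, which is why "unlimited" means "everything".
  const allowed = aweth.allowance(victim, scamContract);
  const take = allowed < aweth.balanceOf(victim) ? allowed : aweth.balanceOf(victim);
  aweth.transferFrom(scamContract, victim, scammer, take);

  return { stolen: take, victimBalance: aweth.balanceOf(victim), holdings };
}

console.log(runApprovalScam(UINT256_MAX));     // stolen: all 100 aWETH, victimBalance: 0n
console.log(runApprovalScam(1n * 10n ** 18n)); // stolen: 1 aWETH, 99 aWETH left
```

The second run is the "set amount" approval the post mentions: it costs a fresh approve (and gas) each time, but the most a hostile spender can ever take is that amount. An unlimited approval also outlives the transaction that prompted it; until the owner sends approve(spender, 0), the spender can come back for any tokens that arrive later.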

Thanks. That’s fascinating that they probably named it Armstrong so they could use AWETH.

So what happened here is the contract pops up some kind of dialog (or is integrated with some tool or whatever) that says “Do you want to approve unlimited AWETH transfer to [address or whatever]?” And the mark thinks he’s approving Armstrong ETF but is actually approving Aave WETH. Do I have that right?

Also is this reply right?

Looks like this attack might have been specifically engineered for metamask:

https://twitter.com/poks_0x/status/1492854915957501958

Do people itt use metamask, or does everyone think it’s a bad idea?

None of this is remotely accurate. This is the lens you see my interaction through because you let your anger color my words into something I’m not actually saying. I’m a highly curious skeptic. You should welcome that in the community.

I’m just going to ignore you for a while because you get under my skin too.

It’s about any rich people getting into the game. They don’t have time to learn the intricacies of how to not get scammed. That’s for the early adopters. Rich people just want to do the fun stuff.

I’ve used the example several times itt of my uncles investing in Munder Net Net at the height of the dotcom bubble. They weren’t techies. They just wanted in on the action. I guess that makes me ageist.

pick a more racially diverse example of people you think are dumber than you, next time, is all i’m saying

One reason this stuff is fascinating to me is because in any brand new system there are always wide open security holes that business leaders don’t take seriously (because it’s never happened before) unless developers scream from the rooftops about it. And even then not usually.

Case in point. We replaced a client-server based clinical trial results viewer that had to be installed onsite at drug companies, with a multi-tenant online system. This opened up the possibility that the person at our company setting up the study could accidentally sign up an employee from the wrong company to a study, meaning an employee at Merck could now see how a GlaxoSmithKline clinical trial was coming along. This would obviously be like a nuclear bomb for our whole department.

I couldn’t get the business types to take this seriously until it almost happened. They had a two-step approval process that they thought was good enough. But of course the second person approving was just basically rubber-stamping. If the first person screwed up, the second person probably wouldn’t catch it.

So it’s interesting to learn about possible design flaws in something brand new like smart contracts, and I don’t think that in itself means the whole enterprise is a scam. It happens every time there’s something new. But I do think that just saying “people shouldn’t be dumb” isn’t the best answer. People will always do dumb things. The system should try to prevent that if feasible.

If your first response is just to shout anyone down who tries to point these things out, that will impede progress and make outsiders even more skeptical.


how can you deny that the same needles used to deliver vaccines will BLIND any person who inserts them into their eyes? is this not a huge red flag for vaccines? just asking questions. you should be thanking me for sharing the thoughts from my Big Skeptic Brain, it might save your life


So take the shady website out of the equation and there’s no way to get a malware NFT into your wallet? Is this token approval via smart contract a thing that happens a lot?

Like I assume there are legitimate times you want to do token approvals from your wallet? How do you vet those? Well you personally would look at the code in the smart contract. But how should a normie vet a token approval? Just based on trust of the NFT issuer? Never do unlimited even with the gas fees?

I agree social engineering was the main component here. Just trying to understand what other safeguards could have been done.

Something like this:

https://twitter.com/dantepippo/status/1492904279572688904

For an approval like this you have to click Confirm twice although it’s really only a single operation. You say yes to allowing the contract to transact in the named token, and then you say yes to submitting this transaction to the blockchain. Here’s an example, the business end of this is screen 1:

The thing is, it’s not weird to allow a contract unlimited access to your monies in a similar way to how it’s not weird to grant a digitally signed app unlimited rights on your computer. You can go read exactly what the code will do if you like, it is embedded in the blockchain and cannot be changed. Or if it’s a widely used app, you have the assurance that thousands of nerds have already done that. And it’s not weird to grant unknown code permissions on a token you don’t care about.

Obviously “don’t grant permission to your actual monies to unknown code” is not any more complicated than “don’t double click a random exe that people send you in an email attachment”. The art of social engineering is making it seem like you’re actually doing something reasonable.


Yes. The interest from the suzzers is the whole kitten kaboodle of this - unless you’re selling.

Got it. So there are trusted services that need to be approved to move your real coins, and games that need to be approved for your shitcoins, and this scam made #1 look like #2.

Yeah MetaMask should definitely do this. It should also allow manually re-aliasing tokens, like I should be able to say “I want you to call this zomg real usdc instead of just usdc when asking me permission”.
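One way a wallet could implement the two fixes discussed in the last few posts (identifying the token by contract address with a user-chosen alias instead of its copyable symbol, and flagging unlimited approvals on tokens the user has marked as real money), as an added example that is not code from the thread or from MetaMask. It decodes the raw calldata of an ERC-20 approve() call, which in reality is what the dapp hands the wallet to sign; the approve selector 0x095ea7b3 is the real one, but every address, the address book and the sample transactions are constructed placeholders.

```javascript
// Added example, not code from the thread or from MetaMask: a wallet-side
// "approval guard" that decodes an ERC-20 approve() before the user confirms it,
// names the token by its contract address (and the user's own alias) rather than
// by its copyable symbol, and flags unlimited approvals on tokens the user has
// marked as real money. All addresses below are constructed placeholders.
const APPROVE_SELECTOR = "095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const UINT256_MAX = (1n << 256n) - 1n;

const AWETH      = "0x" + "a1".repeat(20); // stands in for the real aWETH contract
const AAVE_POOL  = "0x" + "b2".repeat(20); // a spender the user has vetted
const SCAM       = "0x" + "c3".repeat(20); // the "game" contract from the scam
const GAME_TOKEN = "0x" + "d4".repeat(20); // a shitcoin the user does not care about

// ABI-encode approve(spender, amount): selector + two 32-byte words.
// Used here only to build sample calldata; a wallet receives this from the dapp.
function encodeApprove(spender, amount) {
  return "0x" + APPROVE_SELECTOR
    + spender.slice(2).toLowerCase().padStart(64, "0")
    + amount.toString(16).padStart(64, "0");
}

// Decode the same layout. Returns null for anything that is not approve().
function decodeApprove(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  if (hex.length !== 8 + 64 + 64 || hex.slice(0, 8) !== APPROVE_SELECTOR) return null;
  return {
    spender: "0x" + hex.slice(8 + 24, 8 + 64), // address sits in the low 20 bytes of its word
    amount: BigInt("0x" + hex.slice(72, 136)),
  };
}

// The user's own book, keyed by contract address. The alias is the
// "call this zomg real usdc" idea: a label the user chose, not the token's symbol.
const addressBook = {
  tokens: {
    [AWETH]: { alias: "zomg real aWETH", valuable: true },
  },
  trustedSpenders: new Set([AAVE_POOL]),
};

// tx is { to: token contract address, data: calldata }, as the wallet sees it.
function reviewApproval(tx, book) {
  const call = decodeApprove(tx.data);
  if (!call) return { verdict: "not-an-approval", warnings: [] };
  const token = book.tokens[tx.to.toLowerCase()];
  const label = token ? token.alias : `unknown token ${tx.to}`;
  const unlimited = call.amount === UINT256_MAX;
  const trusted = book.trustedSpenders.has(call.spender);
  const warnings = [];
  let verdict = "allow";

  if (token?.valuable && !trusted) {
    warnings.push(`${label}: spender ${call.spender} is not one you have vetted`);
    verdict = "block";
  } else if (token?.valuable && unlimited) {
    warnings.push(`${label}: unlimited approval to a trusted spender; approve only what this transaction needs`);
    verdict = "warn";
  } else if (!token && unlimited) {
    warnings.push(`${label}: unlimited approval; fine only if you truly do not care about this token`);
    verdict = "warn";
  }
  return { verdict, label, spender: call.spender, unlimited, warnings };
}

// The scam: the dapp calls the token "Armstrong wrapped ETH", but `to` is the
// real aWETH contract and the spender is an unknown contract. Verdict: block.
console.log(reviewApproval({ to: AWETH, data: encodeApprove(SCAM, UINT256_MAX) }, addressBook));
// A normal Aave deposit: bounded approval to a vetted spender. Verdict: allow.
console.log(reviewApproval({ to: AWETH, data: encodeApprove(AAVE_POOL, 5n * 10n ** 18n) }, addressBook));
// Unlimited approval on a token the user never marked as valuable. Verdict: warn.
console.log(reviewApproval({ to: GAME_TOKEN, data: encodeApprove(SCAM, UINT256_MAX) }, addressBook));
```

The point of keying everything on the contract address is that the scam in the thread depended on the wallet showing a symbol ("AWETH") the attacker could match for free; the address is the one thing they could not fake. A real wallet would also need to handle the permit() and increaseAllowance() paths that some tokens expose, which this example ignores.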

Yeah obviously anything fixing something at the wallet level is going to happen a lot quicker than at the blockchain core programming level.

While this is true, a random .exe or phishing email isn’t going to instantly drain my Vanguard account. It may get there eventually, but it will take some work. This stuff is more like if you click on a few bad links - some chunk of your investment portfolio is gone in an instant, totally unrecoverable. (Unless you lose a few $billion. Then you might have a chance to get some back.)

My buddy lost everything he had on coinbase when someone walked into a T-mobile store and swapped his phone number. He also met a few more people who got hit with the same scam. The one thing in common is all of them had crypto. Apparently the scammers aren’t bothering to do this for only bank accounts, which generally only have a few $K and are tougher to scam money out of. They did go ahead and drain his bank account into coinbase though, and then unload it elsewhere, since they could. He was on the phone with coinbase while this was happening and couldn’t get them to stop it.

So for the same reason a bank has a lot more security around it than a grocery store, blockchain stuff should strive to have more guardrails and security around it than email, or a shady website - which aren’t generally one click away from access to serious money.

If an old lady gets scammed into sending all her money to Thailand - literally any sentient person can see she was brainwashed and not in her right mind. The only way to prevent that is for the banks to be a lot more proactive about raising red flags. But it’s tricky when the person is right there with proof of who they are and seem of sound mind and body. She may even have good reason not to trust her next of kin.

That’s a whole different animal imo than a scam like this that almost tricked a very smart person into thinking he was just enabling some shitcoin in his wallet. Yes he made some dumb mistakes. But it’s not like the social engineer hypnotized him into giving up his wallet key, like the old lady wiring money to Thailand. Even smart tech-minded people don’t always have time to go down big rabbit holes just to verify some silly game NFT.

It seems like the crypto world should work hard for more guardrails against this kind of thing, or risk scaring off a lot of people who don’t want to become experts in the space just to keep from getting scammed.

It’s definitely a downside of decentralized finance that there is no central authority to help you out if things go wrong. Are the upsides worth this downside? Well, the upsides of decentralized finance range between negligible and world-transforming depending on who you ask, so it’s unclear.

Most people with serious crypto assets take precautions. The guys with BAYC NFTs worth 6 figures typically have them on “vault” addresses attached to hardware wallets and have the seed phrases for them in bank safety deposit boxes. It’s safer to keep most of your assets this way and only transact with that wallet when actually necessary, and have another wallet for day to day transacting. Notice that in this scam, the breaking point for the guy was being asked to connect with his main wallet. The list of reasons to ever connect your main wallet to anything is:

  1. To allow someone or something access to the assets contained therein.
  2. That’s the whole list.

So saying “no not that wallet can you pls connect the wallet containing millions of dollars” is a red flag of epic proportions.


Well there’s this part too:

I ask her to send it to my hot wallet, but she sends it to my primary because it’s so valuable. No big deal, right?

I’m definitely still confused about what something I didn’t ask for being “in my wallet” means. You guys say it’s just an address and you can just write a filter to hide it forever. But most people don’t seem to think of it that way. Human nature I guess.

Is there some reason that “Don’t send anything to this wallet w/o my permission” can’t be implemented as a feature?

So then he says:

Now here is where I got incredibly lucky. Since it’s a new project, I decided to move the NFT to a fresh eth address before going through the staking process - just in case they get exploited down the road or something. The stake goes through and I’m earning yield on it.

Just so I understand it. She put the thing in his primary wallet, he moved it to a fresh eth address (which means new wallet, right?), and then she asked him to move it back to his main wallet? Lol yeah if that doesn’t raise a gigantic red flag you’ve got problems.

Also this guy only moved it to a new wallet because he was worried they might get exploited in the future, not because he had any qualms about them in the present. I bet it kills the scammers reading that. They came soooo close.