MultiversX Tracker is Live!

PSA: Scam NFTs are never safe to interact with. Here's why.

All Cryptocurrencies

by COINS NEWS 133 Views

PSA: Scam NFTs are never safe to interact with. Here's why.

In the comments of a recent post I noticed a huge amount of misunderstanding around how to safely deal with the free NFTs that randomly appear in your wallet.

Stuff like:

Do not do this.

Do not do this either.

This scam also exists but dangerous to claim nfts themselves are harmless.

It would be very easy to fall victim to the free NFT scam if you took the above comments at their word. So I'm here to educate you why you should never interact with a smart contract you don't trust.

What is an NFT?

An NFT is just a smart contract that follows a simple set of rules. A smart contract is a set of functions that contain code that can change state on the crypto networks when users submit transactions.

On Ethereum, an NFT is any contract that has the following functions:

balanceOf(owner) ownerOf(tokenId) safeTransferFrom(from, to, tokenId) transferFrom(from, to, tokenId) approve(to, tokenId) getApproved(tokenId) setApprovalForAll(operator, _approved) isApprovedForAll(owner, operator) safeTransferFrom(from, to, tokenId, data) 

The code inside each function is written by the smart contract developer, and should implement the functionality required by every NFT.

For example, almost all NFTs should be transferable. This could mean selling it on OpenSea, or simply using MetaMask to send it to the wallet of a friend. No matter where the trade is initiated, the safeTransferFrom() function will be executed, because that is how the change of ownership happens on-chain.

To make this happen, the developer should implement the safeTransferFrom() function with some code that changes the NFT's owner. Maybe something like:

function safeTransferFrom(address from, address to, uint256 tokenId) public { require(ownerOf(tokenId) == from); // Only the owner can transfer ownership _owners[tokenId] = to; // Set the owner of the token to the new address } 

Looks good, what's the problem?

In order to execute safeTransferFrom(), you will be asked to submit a transaction. This is where you pay some gas and sign some data in order to have its code run by the Ethereum network.

The problem is, that any function can contain any code.

This means that a malicious developer could write a smart contract that looks like this:

function safeTransferFrom(address from, address to, uint256 tokenId) public { require(ownerOf(tokenId) == from); // Only the owner can transfer ownership _owners[tokenId] = to; // Set the owner of the token to the new address sendAllAssetsToScammerWallet(); // Actual code not included for obvious reasons } 

It's a functional NFT contract. But when you sign the transaction, the malicious code runs too. You thought you were sending an NFT to a friend, but as far as the network is concerned, you've also just given permission to send all your assets to the scammer's wallet. Congratulations, you hacked yourself.

There is no safe way to interact with a contract you do not trust.

In the words of /u/Da_Notorious_HAM

https://preview.redd.it/cq8r9p6kmz0a1.png?1380&format=png&auto=webp&s=69f0db50b1863315f081db87b7bd8b45c408b9c5

There is ONE exception. Your wallet or marketplace UI may allow you to hide NFTs - this is the only safe way to declutter your wallet, as it's a superficial action rather than something that changes data on-chain.

submitted by /u/still-holding-gme
[link] [comments]

Get BONUS $200 for FREE!

You can get bonuses upto $100 FREE BONUS when you:
πŸ’° Install these recommended apps:
πŸ’² SocialGood - 100% Crypto Back on Everyday Shopping
πŸ’² xPortal - The DeFi For The Next Billion
πŸ’² CryptoTab Browser - Lightweight, fast, and ready to mine!
πŸ’° Register on these recommended exchanges:
🟑 Binance🟑 Bitfinex🟑 Bitmart🟑 Bittrex🟑 Bitget
🟑 CoinEx🟑 Crypto.com🟑 Gate.io🟑 Huobi🟑 Kucoin.



Comments