Rekt Retweet #4 — Why your Bored Apes (and all other NFTs) aren’t safe… except on Radix | The Radix Blog | Radix DLT
May 10, 2022
TLDR: NFT owners have fallen victim to countless scams tricking them into inadvertently transferring their NFTs to scammers, including $10m of Bored Ape NFTs in April 2022. This is only possible because Ethereum has fundamental design flaws, such as users being commonly asked to “approve” contracts to spend their tokens; and “blind signing”, so you never truly know what you’re doing when executing a transaction. Radix fixes both of these issues with its “asset-oriented” approach and “transaction manifest”. Let’s ape in.
The most common scam for NFTs, whether on Ethereum, Solana, or most other smart contract platforms, is when a scammer tricks the NFT owner into transacting with a malicious smart contract, allowing them to “drain” the NFTs from their wallet.
“Draining” a wallet is only possible because:
1. Contrary to popular belief, NFTs don’t actually live in your wallet. They live inside a smart contract, which holds a record that your account is the owner of that NFT. Whoever controls the smart contract has control of your NFTs.
2. To transfer ownership of an NFT, you sign a transaction instructing the smart contract to change the record of who owns that NFT.
But the transaction you’re signing doesn’t tell you what it’s doing. It just appears as random letters and numbers — you’re blind signing.
3. Even if you know what smart contract call you’re making, you can never be guaranteed of what will actually happen (unless you audit the smart contract code). If you want your NFTs to interact with a smart contract, like send an NFT in exchange for something else, like wETH, then you have to “approve” a third party contract to spend your NFTs on your behalf. Only then can you trade your NFT, like swap a BAYC for 60 wETH.
Now back to the hack.
On April 25 2022, the official Instagram account for BAYC was compromised. This allowed a hacker to post a link to a fake website requesting BAYC owners to transact with a malicious smart contract, with the promise of receiving an airdrop. But when blind signing the transaction for the airdrop, the fake website was actually asking the user to transfer their NFT to the hacker, without users being aware.
So why does Radix’s upcoming Babylon release make NFTs far safer?
1. NFTs on Radix aren’t just a record in someone else’s smart contract — they are native assets that the platform inherently understands, enforcing strict rules that determine how NFTs behave.
2. Accounts aren’t just addresses inside a smart contract, but self-contained on-ledger components that hold assets in “vaults”. This means your NFTs live inside vaults in your own on-ledger account.
3. Because assets on Radix are natively understood by the platform, transactions are built via a “transaction manifest” that describes actual asset flows.
If the hack were attempted on Radix, this fails as the user is presented with a transaction that is blatantly not a free airdrop.
With every single smart contract interaction on Ethereum and other networks being potentially dangerous, it’s no wonder that it’s recommended to use “burner” accounts to collect airdrops or other interactions, and to never use your “main” account.
If you’re curious to learn more about the transaction manifest, you can read more about it in this blog article on Scrypto v.03: https://www.radixdlt.com/post/scrypto-v0-3-released.
If you’re interested in the other side of the Rekt article, with users spending 60,234 ETH ($170m) on fees, and losing 1,653 ETH ($4.7m) to failed transactions alone, check out our CEO Piers’ recent tweet thread on why scaling TPS alone isn’t enough https://twitter.com/PiersRidyard/status/1521245188508819456
Lastly, in case you missed it: Rekt Retweet #3 — Why the $80m @QubitFin hack could NEVER happen on #Radix.