Crypto Currency Fraud

Max · January 24, 2022, 8:24am

I watched all of “The Problem With NFTs”. The video makes some good points and has some interesting stuff about NFC scams and culture. There are many technical errors (and some political views thrown in), but they don’t make that much of a difference to the main point of the video.

One thing I wasn’t sure of (and hadn’t heard about) that was mentioned, but explained poorly, is an exploit where someone is sent an NFT and this leads to their wallet being drained.

The article I link is probably for a different attack than the example from the video, but the effect is the same.

I don’t know how this isn’t just pure negligence on the part of OpenSea (it’s their site and service), but there are more issues that limit chances for error correction along the way. Those limitations apply to the whole Ethereum ecosystem, and all other chains built on the same tech (like Ethereum Classic).

It sounds like one of the reasons that this exploit exists is that Metamask – the main Ethereum wallet used in Web3, which is a browser-addon – has really bad UX around transactions.

Like, when you make a transaction you’ll see the destination address, ETH value, tx fee, and the data payload. But there’s no way for Metamask to have any idea what the payload does – it can’t do that for every possible smart contract out there. So it can’t show anything useful to the user (note: there are some special cases built in, like for ERC-20 tokens). So, in essence, a bit of JS can do a bait-and-switch. The user thinks they’re clicking “delete”, but really that ends up like draining all their NFTs (if it tried to drain ETH then the user at least has a chance to notice). The metamask transaction prompts for delete and drain would look basically identical. Unless the user like copied the data payload and deserialized it, they’d have no idea what it actually does. (Maybe metamask has done something about this as a special case, but in principle this is the norm that I remember)

This article is from October but the example in the video happened around Dec 27 I think, based on the timestamp of the reply (the incident was also listed on web3isgoinggreat.com on 28th dec)

“So, we decided to check what will happened if we would create malicious art that contains code in it, for example an .SVG image. We created a simple .SVG file and uploaded it with a simple payload,” researchers explained in a Wednesday analysis. “By clicking on the art and opening it in anther tab or clicking on the links on the page, our SVG will be executed under https://storage.opensea.io subdomain; at this point, we have a SVG file with JavaScript capabilities.”

To exploit this setup, the researchers added an iframe to the .SVG file, which inserted an Ethereum object onto the page where the malicious .SVG was on offer.

“This way we can get the window.ethereum injected, which will allow us to communicate with the Ethereum JSON-RPC API,” according to the analysis. “In order to hijack the currencies, first the attacker needs to open a communication with the wallet via a rpc-api action that will start the communication with MetaMask.”

When a target is offered the “free gift” – i.e., the malicious NFT – a pop-up window appears to the target asking for confirmation for the transaction. Once the victim clicks on the popup to sign the transaction, he or she can interact with the file. In the background, the payload executes and an attacker would be able to see any wallet activity and be able to perform actions on the victim’s behalf.

“The transfer will happen seamlessly, and the victim will get the art to his collection without any action needed from his side,” Check Point researchers explained. “Then if the victim will open the new art and press the image or links, connect his wallet and sign the transaction in the popup, he will lose all his balance.”

(Apparently the guy replying sees the recent southpark NFT thing as a good thing, too)

Elliot · January 27, 2022, 6:18am

https://www.tiktok.com/@aamirazh/video/7056947817859779886

deroj · January 27, 2022, 11:46am

This link doesn’t seem to work either. I guess it’s b/c the uploader deleted it.

Max · January 28, 2022, 11:05pm

From memory, that one was about using NFTs as money laundering (sell it to yourself).

ingracke · January 29, 2022, 3:00am

The link works fine for me

deroj · January 29, 2022, 6:32am

It seems to have been something on my end I guess.

Edit: I just checked the link on my iPad, the device that I had the problem on, and the link is working there as well now.

Elliot · February 2, 2022, 10:06pm

I didn’t like the victim blaming by Asmongold. Interesting video though.

Max · February 3, 2022, 11:12pm

cross-chain fancy blockchain system gets hacked
120k ETH stolen
venture capital fund replaces ETH to keep system propped up

Elliot · February 6, 2022, 10:31pm

part 2

Elliot · February 15, 2022, 1:58am

Max · February 15, 2022, 7:35am

A long Twitter thread about a nearly successful social attack:

Elliot · February 15, 2022, 7:48am

She then tells me more about Space Falcon. It seems kind of like a get-rich-quick scheme, but again, that’s kind of how I see a lot of NFTs. With all that she’s doing for Arrow, there’s no harm in showing a little support.

crypto founder guy thinks (and admits in public in writing) that there is “no harm” in using his reputation to support an NFT get rich quick scheme as a favor for someone who is doing him favors. what a rotten ecosystem crypto is? or are most people this bad?

he also admits dangerous gullibility (in public, in writing) – no one should trust whatever crypto stuff he’s building. he doesn’t seem to recognize that he did things very wrong. his perspective is so warped that he thinks basically anyone would probably have fallen for it, and he’s blameless, and there’s no shame in getting lucky.

Max · February 15, 2022, 10:53pm

The DeFi/Web3 tribe is worse than crypto generally, and crypto is worse than most ppl.

My impression is that most people think being matter-of-fact negative about someone’s project or startup is bad and mean; and an excuse for this is like ‘what’s the harm?’. But ppl are willing to hear criticism more with that sort of thing b/c you can’t make a business work if it tries to fake reality.

But with crypto – particularly the DeFi/Web3 tribe, which this guy is in – it’s way worse. Plus, since there’s been so many, like, irrationally successful projects, I think that’s sort of taken as evidence that being negative is wrong and doesn’t pay off. Big caveat: there’s plenty of calling-out of scams by some tribes, or has been in the past at least, but those tribes have other problems.

Yeah. I think crypto ppl will overlook that and use the excuse that he’s doing something positive by writing up the attack.

Also, my guess is that if someone in the crypto space says this (or something like it), they’ll either be ignored or brigaded.

There’s dishonesty on his part about his gullibility too – like he starts with (emph mine)

I’ve been targeted in an extremely thorough social engineering scam that nearly cost me all of my ETH.

But if he’d just paid attention to the red flags and actually done some due diligence then it would never have worked. I think crypto ppl might think the lesson from this thread is about reading smart contracts…

Also, he did get scammed out of 1 ETH, like $3k USD. (Image in 22/)

Some details about these two projects (b/c the sites aren’t going to stick around forever)

Arrow’s twitter bio:

Arrow is a community with the mission of building vertical-takeoff aircraft that are affordable and accessible to everyone through an air taxi network.

Arrow’s home page text above the fold:

We’re Bringing Point to Point Air Travel to Everyone

Fly between any two points on Earth, using open source hardware from a global team

Why would we even want that? Then again, this thomasg guy says (his 3rd msg in the discord screenshot):

I’m pretty sure my dream life would be to just live on a spaceship and cruise around exploring the universe

picard_facepalm.gif

I also looked at the other one a bit. One of the funny things is I think the twitter guy wasn’t intending to imply that the legit space falcon project is a get-rich-quick scheme (mb partially why his tweet said what it said), but, well…

Space Falcon’s twitter bio:

Intergalactic #SOLANA metaverse featuring PvP space shooter game with premium Sci Fi NFTs.

Around the fold of their home page (bold white text + stroke is mine)

Elliot · February 15, 2022, 11:00pm

I wouldn’t have been harsh if he’d said nothing about it in public. I didn’t think he needed to be negative. I wasn’t asking for that. Just don’t be positive about it (a thing you believe is basically a scam). Don’t go actively help and thereby contribute to people losing money (the blatant harm that he has to bury his head in the sand to evade).

Yeah. Writing it up is a very good thing. But it also revealed a bad attitude to the issues.

Max · March 30, 2022, 11:00am

Hackers Steal About $600 Million in One of the Biggest Crypto Heists

Ronin Network says thieves took Ether, USDC tokens on March 23
Bridge hacks can threaten the ecosystem of decentralized apps

https://www.bloomberg.com/news/articles/2022-03-29/hackers-steal-590-million-from-ronin-in-latest-bridge-attack

(bloomberg has an anti-bot thing that prevented the preview showing up)

Max · April 26, 2022, 9:00am

This article is basically a quote from a podcast with emphasis from the editor. SBF is the crypto guy; Levine and Weisenthal are hosts (I think). The subtitle of the article is “Sam Bankman-Fried explains “yield-farming” to Bloomberg.”

archive.today link

I included the emphasis from the FT editor in this quote.

SBF:

That’s right. So, and obviously already we’re sort of hiding some of the magic impact, right? Like some of the magic is in like, how do you get that market cap to start with, but, you know, whatever we’re gonna move on from that for a second. So, you know, X tokens [are] being given out each day, all these like sophisticated firms are like, huh, that’s interesting. Like if the total amount of money in the box is a hundred million dollars, then it’s going to yield $16 million this year in X tokens being given out for it. That’s a 16% return. That’s pretty good. We’ll put a little bit more in, right? And maybe that happens until there are $200 million dollars in the box. So, you know, sophisticated traders and/or people on Crypto Twitter, or other sort of similar parties, go and put $200 million in the box collectively and they start getting these X tokens for it.

And now all of a sudden everyone’s like, wow, people just decide to put $200 million in the box. This is a pretty cool box, right? Like this is a valuable box as demonstrated by all the money that people have apparently decided should be in the box. And who are we to say that they’re wrong about that? Like, you know, this is, I mean boxes can be great. Look, I love boxes as much as the next guy. And so what happens now? All of a sudden people are kind of recalibrating like, well, $20 million, that’s it? Like that market cap for this box? And it’s been like 48 hours and it already is $200 million, including from like sophisticated players in it. They’re like, come on, that’s too low. And they look at these ratios, TVL, total value locked in the box, you know, as a ratio to market cap of the box’s token.

And they’re like ‘10X’ that’s insane. 1X is the norm.’ And so then, you know, X token price goes way up. And now it’s $130 million market cap token because of, you know, the bullishness of people’s usage of the box. And now all of a sudden of course, the smart money’s like, oh, wow, this thing’s now yielding like 60% a year in X tokens. Of course I’ll take my 60% yield, right? So they go and pour another $300 million in the box and you get a psych and then it goes to infinity. And then everyone makes money.

Levine:

I think of myself as like a fairly cynical person. And that was so much more cynical than how I would’ve described farming. You’re just like, well, I’m in the Ponzi business and it’s pretty good.

Weisenthal:

At no point did any of this require any sort of like economic case, it’s just like other people put money in the box. And so I’m going to too, and then it’s more valuable. So they’re gonna put more money in, and at no point in the cycle, did it seem to like, describe any sort of like economic purpose?

One reason I thought this was notable (that wasn’t emphasized by the FT editor) is Weisenthal’s point about economic productivity. (the point is the last paragraph of the above quote)

I think that’s the crux for an argument that blockchain is good in some ways: how is it economically productive?

e.g., bitcoin might promise that it breaks down ‘walled gardens’ of payment networks and things, but is there actually evidence to support that? Like does it provide a product that actually improves the lives’ of the unbanked? In this case: IDK; I’ve seen puff pieces about it, but no hard data either way.

Elliot · May 31, 2022, 3:12pm

A bunch of Venture Capitalist firms from Silicon Valley are complicit in the general atmosphere of crypto scams. They fund them and profit off them. Here’s a major firm announcing their fourth crypto fund with $4.5 billion:

I’ve read reports that they and other VCs got out of Luna/Terra just before the crash and actually made a lot of money off that because they also got in early (and the reputations of VCs who got in then played a significant role in getting other people to believe it was safe or real, not a scam – so they fooled people using their reputations and then profited off the people they fooled).

Related, crypto scams hurt people:

https://www.wsj.com/articles/terrausd-crash-led-to-vanished-savings-shattered-dreams-11653649201

The surgeon example lost his money to a company backed by YCombinator that wrote intentionally misleading risk disclosures:

Depositing with Stablegains is not the same as depositing in the bank. The reason you can earn a high return via Stablegains is in part because of the protocols offering a much more efficient solution than banks do, but also in part because the risk profile is different. Certain risks exist that are relevant to any open digital finance protocol, whether accessed via Stablegains or another platform.

There’s no way YC invests in a plan to earn stable, high interest and doesn’t know that’s either a scam or a lie, right? Stable high interest is not a real thing. Their business plan was apparently to put the money in Luna/Terra stuff, collect 20% interest, and give their customers 15% interest.

After being initially funded by YC, they raised $3 million from VCs including additional money from YC:

Elliot · May 31, 2022, 3:47pm

People’s willingness to invest (and lose) their life savings without carefully reading the terms of service says something about how much people hate reading. That’s relevant to my philosophical claims about how people need to practice reading and develop much better autopilots so it seems more like easy/fun/automatic to not just read but actually read well and follow details.

Elliot · May 31, 2022, 7:07pm

Elliot · June 12, 2022, 8:35pm