I watched all of “The Problem With NFTs”. The video makes some good points and has some interesting stuff about NFT scams and culture. There are many technical errors (and some political views thrown in), but they don’t make that much of a difference to the main point of the video.
One thing I wasn’t sure of (and hadn’t heard about) that was mentioned, but explained poorly, is an exploit where someone is sent an NFT and this leads to their wallet being drained.
The article I link is probably for a different attack than the example from the video, but the effect is the same.
I don’t know how this isn’t just pure negligence on the part of OpenSea (it’s their site and service), but there are more issues that limit chances for error correction along the way. Those limitations apply to the whole Ethereum ecosystem, and all other chains built on the same tech (like Ethereum Classic).
It sounds like one of the reasons that this exploit exists is that MetaMask – the main Ethereum wallet used in Web3, which is a browser add-on – has really bad UX around transactions.
Like, when you make a transaction you’ll see the destination address, ETH value, tx fee, and the data payload. But there’s no way for MetaMask to have any idea what the payload does – it can’t do that for every possible smart contract out there. So it can’t show anything useful to the user (note: there are some special cases built in, like for ERC-20 tokens). So, in essence, a bit of JS can do a bait-and-switch. The user thinks they’re clicking “delete”, but really that ends up like draining all their NFTs (if it tried to drain ETH then the user at least has a chance to notice). The MetaMask transaction prompts for delete and drain would look basically identical. Unless the user like copied the data payload and deserialized it, they’d have no idea what it actually does. (Maybe MetaMask has done something about this as a special case, but in principle this is the norm that I remember.)
This article is from October but the example in the video happened around Dec 27 I think, based on the timestamp of the reply (the incident was also listed on web3isgoinggreat.com on 28 Dec).
“So, we decided to check what will happen if we would create malicious art that contains code in it, for example an .SVG image. We created a simple .SVG file and uploaded it with a simple payload,” researchers explained in a Wednesday analysis. “By clicking on the art and opening it in another tab or clicking on the links on the page, our SVG will be executed under https://storage.opensea.io subdomain; at this point, we have a SVG file with JavaScript capabilities.”
(Apparently the guy replying sees the recent South Park NFT thing as a good thing, too.)
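
To make the point about opaque data payloads concrete, here is an added example (not from the post, the linked article, or MetaMask) that deserializes a transaction's data payload and reports what it would do. It assumes the payload calls one of four standard ERC-721 functions; the addresses and payloads are constructed samples, and `describeCalldata` is a hypothetical helper name.

```javascript
// Standard 4-byte selectors for ERC-721 functions that can move or expose tokens.
const KNOWN = {
  "a22cb465": { sig: "setApprovalForAll(address,bool)", types: ["address", "bool"] },
  "095ea7b3": { sig: "approve(address,uint256)", types: ["address", "uint256"] },
  "23b872dd": { sig: "transferFrom(address,address,uint256)", types: ["address", "address", "uint256"] },
  "42842e0e": { sig: "safeTransferFrom(address,address,uint256)", types: ["address", "address", "uint256"] },
};

// Each static ABI argument occupies one 32-byte word (64 hex characters).
function decodeWord(type, word) {
  if (type === "address") return "0x" + word.slice(24); // low 20 bytes
  if (type === "bool") return BigInt("0x" + word) !== 0n;
  return BigInt("0x" + word).toString(); // uint256 as a decimal string
}

// Hypothetical helper: turn a raw data payload into a readable description.
function describeCalldata(data, userAddress) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  if (hex.length < 8 || /[^0-9a-f]/.test(hex)) return { known: false, warnings: ["not valid calldata"] };
  const selector = hex.slice(0, 8);
  const entry = KNOWN[selector];
  if (!entry) return { known: false, selector, warnings: ["unknown function: effect cannot be shown"] };
  const body = hex.slice(8);
  if (body.length < entry.types.length * 64) return { known: true, sig: entry.sig, warnings: ["truncated arguments"] };
  const args = entry.types.map((t, i) => decodeWord(t, body.slice(i * 64, (i + 1) * 64)));
  const me = userAddress.toLowerCase();
  const warnings = [];
  if (selector === "a22cb465" && args[1]) warnings.push(`lets ${args[0]} move EVERY token you hold in this collection`);
  if (selector === "095ea7b3") warnings.push(`lets ${args[0]} move token ${args[1]}`);
  if (entry.types.length === 3 && args[0] === me && args[1] !== me) warnings.push(`moves token ${args[2]} from your wallet to ${args[1]}`);
  return { known: true, sig: entry.sig, args, warnings };
}

// Constructed sample values (not taken from any real transaction).
const pad = (h) => h.replace(/^0x/, "").padStart(64, "0");
const USER = "0x" + "22".repeat(20);
const OPERATOR = "0x" + "11".repeat(20);
const SAMPLE_APPROVE_ALL = "0xa22cb465" + pad(OPERATOR) + pad("1");
const SAMPLE_TRANSFER = "0x23b872dd" + pad(USER) + pad(OPERATOR) + pad("7");

console.log(describeCalldata(SAMPLE_APPROVE_ALL, USER));
console.log(describeCalldata(SAMPLE_TRANSFER, USER));
```

Any selector outside the table comes back as unknown, which is the situation the post describes for arbitrary contracts: without the contract's ABI, the wallet has nothing meaningful to display.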