Web3NFT Safety and Security
Introduction
In light of what happened yesterday with Sea Raiders, we felt it was important to release this blog today.
The purpose of this article is to help educate individuals as they navigate the NFT space. The NFT market is huge and continues to add new buyers and projects daily. All of this money flooding into the market creates prime opportunities for scammers to con you out of your digital assets.
The goal here is to educate you on the types of scams you may be presented with and how to keep yourself as safe as possible while navigating the space. It’s inevitable that you will be faced with these scams from time to time. Hopefully, after reading this, you will be better equipped to identify them.
Wallet Seed Phrase
Never share your seed phrase with anyone. This is the most important rule in this decentralized world. Give a big, solid no to anyone who ever asks for it. Remember, there is no one to help you recover your losses. There is no one to turn to for help but yourself in this space. There are no (as in zero) governing authorities. But don’t let this scare you, because the power is yours and yours alone, which speaks volumes about decentralization.
Your seed phrase is a series of confidential words used to gain access to your crypto wallet. No reputable person or project would ever ask for this information. Scammers will try various methods to get you to give it to them, and if they succeed in obtaining your seed phrase, they will have full, unrestricted access to your wallet and can completely drain it of any NFTs and cryptocurrency. This is why keeping your seed phrase secret is vital to your protection. Store it offline in a secure location. There are multiple ways to store your seed phrase securely. A simple Google search will turn up multiple ideas, methods and offline tools for this purpose. Examples: invisible ink, fireproof cards, secure USB drives, and the list goes on and on. So if you haven’t already picked a secure method, do yourself a favor and do it now. Don’t wait until it’s too late.
Prepare to Lose it All
Treat your wallet like it could be gone at any second. Best wallet practices are as follows. You should have a minting-only wallet for security reasons. This wallet is used only for minting and holds a limited amount of funds to limit your risk of loss. After you complete your mint, move your items to another wallet. Having 3+ wallets is a best practice.
- Minting wallet - Limited funds for minting
- Burner wallet - Used on sketchy mints or testing something you don't feel safe with.
- Verification wallet - Everyday use with trusted sites. Examples: OpenSea, Etherscan or Collab.Land
- Vault wallet - This would ideally be a cold storage wallet for long holds & blue chips. A great example of this would be a Ledger.
Periodically you should disconnect all sites connected to your wallet. This can be done from within your wallet itself at no charge. In addition, and more important than that, you should visit Revoke.cash (https://revoke.cash/) and revoke the permissions that sites hold on your wallet. This is the only real way to remove their access, and because a revoke is an on-chain transaction, it costs a gas fee. More advanced users can do the same through Etherscan. I prefer the simplicity of Revoke.cash.
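Why disconnecting a site in the wallet is not enough, shown as an added example (not part of the original article): token permissions live on-chain as approval events, and only a later on-chain revoke cancels them. The event list, token names and site names are constructed, and the events are assumed to be already decoded.

```python
UNLIMITED = 2**256 - 1  # the "infinite" allowance many sites request

# Constructed, already-decoded approval events for one wallet, oldest first.
# Disconnecting a site in the wallet UI adds nothing to this list.
EVENTS = [
    {"kind": "Approval", "token": "TOKEN_A", "spender": "mint-site", "value": UNLIMITED},
    {"kind": "ApprovalForAll", "token": "COLLECTION_X", "spender": "marketplace", "approved": True},
    {"kind": "Approval", "token": "TOKEN_A", "spender": "mint-site", "value": 0},
    {"kind": "ApprovalForAll", "token": "COLLECTION_Y", "spender": "unknown-site", "approved": True},
    {"kind": "Approval", "token": "TOKEN_B", "spender": "swap-site", "value": 500},
]


def outstanding_approvals(events):
    """Replay events oldest-first and return the approvals still in force."""
    active = {}
    for ev in events:
        key = (ev["token"], ev["spender"])
        if ev["kind"] == "Approval":          # ERC-20 allowance
            granted = ev["value"] > 0
            scope = "unlimited" if ev["value"] == UNLIMITED else str(ev["value"])
        elif ev["kind"] == "ApprovalForAll":  # ERC-721 / ERC-1155 operator
            granted = ev["approved"]
            scope = "entire collection"
        else:
            continue
        if granted:
            active[key] = scope
        else:
            active.pop(key, None)  # zero allowance or approved=False is a revoke
    return active


def needs_revoking(active):
    """Approvals with no upper bound: the ones that can empty a wallet."""
    return sorted(k for k, scope in active.items()
                  if scope in ("unlimited", "entire collection"))


if __name__ == "__main__":
    live = outstanding_approvals(EVENTS)
    for (token, spender), scope in live.items():
        print(f"{token:14} {spender:14} {scope}")
    print("revoke first:", needs_revoking(live))
```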
The Rug Pull Scam
Research your projects and dig into their socials, not just the follower counts. You need to see genuine, real interactions. Community engagement says a lot: are there troves of people saying good things about the project, or are they pointing out all the red flags? Is the team behind the project doxxed? Do you know who they are and what their experience is? If something goes wrong, does the community know who to point the finger at? Good projects don’t develop overnight, but cash grabs do, usually built off some form of hype. There are two main types of rug pull: the slow rug and the fast rug. Both make multiple promises that they plan to deliver after mint: games, tokenomics, metaverse, etc. Some will even tease you by producing useful utility prior to launch to seem more legitimate.
The fast rug does all this in an effort to run off with the minting funds after you buy into the project, leaving you with a worthless NFT. The slow rug believes they can deliver but continuously fails to produce, and one day just stops trying and abandons the project and community. This leaves you in the same predicament, with a worthless NFT.
This can be even worse if they build malicious code into their smart contract that can drain your wallet. In addition, don’t interact at all with airdrops to your wallet unless you absolutely know they came from a trusted source. Airdrops can contain similar malicious code too. Any interaction with a bad airdrop can clean your wallet out of targeted items or everything.
Reputable projects always have their contract audited and shared with the community for full transparency about any potential issues with mint, gas, etc., as well as what was built into the contract.
The Pump and Dump Scam
This is when a project or a group of people mint out or sweep up the floor of an NFT project. They do this with fake names and accounts so they are not directly linked to the project or to who they are. The purpose is to artificially create volume and drive up the floor price of the NFT project, creating false hype in an effort to dump it all for a large profit. Of course, they then run off into the sunset with full bags of cash while you’re left holding an NFT that was falsely overvalued by their pump.
In an effort to avoid this scam, do some research if you’re unsure. You can look into the purchasing wallets listed on OpenSea. If you see only a small, non-diverse set of wallets buying and selling, this could indicate a pump and dump. Example: the same 5-10 wallets are doing the majority of the buying and selling. All transactions are stored on the blockchain and can be traced back to the original source with little effort using Etherscan.
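The wallet-diversity check described above, as an added example (not part of the original article). The sales list is constructed, wallet names are placeholders, and prices are in thousandths of an ETH; in practice the rows would come from a collection's sales history.

```python
from collections import Counter

# Constructed sales history: (seller, buyer, price in milli-ETH).
SALES = [
    ("w1", "w2", 100), ("w2", "w3", 150), ("w3", "w1", 220),
    ("w1", "w2", 300), ("w2", "w1", 400), ("a", "b", 90),
    ("w3", "c", 450), ("d", "w2", 95),
]


def insider_share(sales, top_n=5):
    """Fraction of volume traded between the top_n most active wallets."""
    activity = Counter()
    for seller, buyer, price in sales:
        activity[seller] += price
        activity[buyer] += price
    top = {wallet for wallet, _ in activity.most_common(top_n)}
    total = sum(price for _, _, price in sales)
    inside = sum(p for s, b, p in sales if s in top and b in top)
    return inside / total if total else 0.0


def two_sided_wallets(sales):
    """Wallets that appear as both seller and buyer in the same collection."""
    sellers = {s for s, _, _ in sales}
    buyers = {b for _, b, _ in sales}
    return sorted(sellers & buyers)


def round_trip_pairs(sales):
    """Wallet pairs that have sold to each other in both directions."""
    directed = {(s, b) for s, b, _ in sales}
    return sorted({tuple(sorted(pair)) for pair in directed
                   if (pair[1], pair[0]) in directed})


if __name__ == "__main__":
    print(f"volume inside top 3 wallets: {insider_share(SALES, 3):.0%}")
    print("buying and selling:", two_sided_wallets(SALES))
    print("trading back and forth:", round_trip_pairs(SALES))
```

A high insider share together with back-and-forth pairs is a reason to look closer, not proof on its own; a small collection can be concentrated for innocent reasons.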
Counterfeit NFT Scam
I don't think anyone wants to buy a fake NFT. It’s not the purpose of the space. If someone wanted to fake ownership, there are easier ways than buying an NFT. But as stated earlier, everything is recorded on the blockchain, and a simple Etherscan check can tell you everything you need to know when authenticating an NFT. Etherscan will trace right back to the minting contract, which is tied to the original project, providing verification.
But if you’re questioning whether the art is counterfeit, it’s very likely a brand impersonation scam. Always research any project before investing. Here are some key things that should alert you: the price seems too low, misspellings in the project name, images missing from OpenSea, the supply number is not correct. Double check everything: names, social platforms, websites and Discord. Take the extra time to speak with the community if unsure. Nowadays it’s very easy to create a project that looks like the real deal, so it’s important to follow the above verification steps to ensure it’s not an impersonation of the real project.
Fake Site & Link Scams
With all this money flowing in and out of the NFT space, you need to be really careful not to fall for fake sites or phishing links. These are created in an attempt to play on human nature. There are times when alpha communities post calls saying “Get in quick” or “Link valid for the next 15 minutes,” or a super-hyped project opens its Discord for 30 minutes only. This creates an easy opening for scammers to play on your sense of urgency. With a couple of modifications they can create an identical duplicate site and then link it directly to the valid link that was provided to you by the project or a trusted community member. When that link is shut down or deleted by the trusted source, the scam takes over, and any unknowing person who clicks on it will be sent straight into the lair of the scammer, which may appear genuine and real. That’s the scary part.
A Discord link should take you directly to a Discord server. If you end up on a minting site or a Discord server announcement page prompting you to connect your wallet or mint something, that's an issue.
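A pre-click check for the rule above, as an added example (not part of the original article): it accepts only links whose real host is a Discord invite host. The function name and sample links are constructed, and the allowlist assumes invites are served from discord.gg and discord.com/invite/ only; it does not follow redirects.

```python
from urllib.parse import urlsplit


def check_discord_invite(url):
    """Return (ok, reason) for a link that claims to be a Discord invite."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
        userinfo = parts.username is not None or parts.password is not None
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not https"
    if userinfo:
        # In https://name@host/ the part before '@' is a login, not the site.
        return False, "text before '@' is not the host"
    if not host.isascii() or "xn--" in host:
        return False, "non-ASCII or punycode host"
    # Exact host match: a lookalike or a longer domain that merely
    # starts with "discord.gg" does not pass.
    if host == "discord.gg" and parts.path.strip("/"):
        return True, "discord.gg invite"
    if host == "discord.com" and parts.path.startswith("/invite/"):
        return True, "discord.com invite"
    return False, "not a Discord invite link"


# Constructed sample links; the .example hosts are placeholders.
SAMPLES = [
    "https://discord.gg/abc123",
    "https://discord.com/invite/abc123",
    "https://discord.gg.mint.example/abc123",
    "https://discord.gg@mint.example/abc123",
    "https://dlscord.gg/abc123",
    "https://d\u0456scord.gg/abc123",  # Cyrillic letter in place of "i"
]

if __name__ == "__main__":
    for link in SAMPLES:
        ok, reason = check_discord_invite(link)
        print("OK    " if ok else "REJECT", ascii(link), "-", reason)
```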
Other phishing scam examples:
- Hacked Discord server
- Discord & social platform direct messages
- Twitter tweets
All of these play on your sense of urgency by using some form of brand impersonation in an attempt to get you to connect your wallet and interact with their fake mint contract.
Conclusion
In closing, I will leave you with some tips to help you stay safe during your journey in this still very new world of NFTs. If you follow these simple steps, you will be better prepared to handle these scams when you are faced with them.
Scams will continue to evolve and get more creative as the space grows. There are no guarantees that you still won’t be lured in by one. Personally, I have fallen victim to one early on in my venture and face multiple attempts on a weekly basis. So, education is your best defense.
- Most important: NEVER share your seed phrase with anyone, EVER.
- Use wallet security - prepare to lose it all. Minimize your loss by following this practice.
- Pick a community that educates its members and that you can trust in for advice & help.
- Never feel pressured or rushed by Hype or FOMO. Double check everything.
- Double check everyone and everything. Don’t trust until earned.
- Never connect your wallet to any site until you verify it is real. DYOR always.
- Only use links issued by the project and exactly where they said they would issue them.
- Discord - Turn off DMs and turn on 2FA
- “If it’s too good to be true, it’s probably a scam.”