No, Airdropped NFTs Cannot Empty Your Crypto Wallet

As NFT collectors learn about smart contracts for the first time, rumors and misinformation run amok.

Sep 21, 2021 at 7:35 p.m. UTC
Updated May 11, 2023 at 6:16 p.m. UTC

It’s scammer season in NFT-land, but amid the valid concerns about hacks and exploits, misinformation is spreading fast.

As non-fungible tokens (NFTs) continue to become more popular, the user demographics for many cryptocurrency platforms are fundamentally changing as a new, perhaps less tech-centric population learns how smart contracts work.

The proliferation of relatively green users and new money in the market has led to a similar boom in Discord scams, phishing attempts and “clippers” – all attack vectors that more experienced crypto users may be familiar with but that NFT collectors are often hearing about for the first time.

The prevalence of real threats has also led to a boom in misinformation about what is and isn’t a risk.

NFT misinformation

In a viral tweet on Monday, NFT collector “AJ” claimed to have lost an NFT collection worth more than $50,000 in a hack.

AJ wrote that he had not entered his seed phrase anywhere, had not interacted with fake front ends or otherwise fallen for common scam tactics, and that the only way he could have lost his collection was from malicious permissions associated with NFTs “airdropped” to his address, or NFTs sent to his address for free. AJ didn’t respond to a request for comment by press time.

The incident led to a rumor that accepting bids on airdropped NFTs or listing them for sale, both of which require a contract approval, could lead to wallets being emptied.

In interviews with CoinDesk, however, a pair of developers say that AJ’s depiction of the events is highly unlikely, if not impossible, and that standard operational security – such as double-checking that emails are from the proper sources and using a hardware wallet – is the best way forward.

Contract disapproval

Key to AJ’s theory for how his wallet was drained is a feat of smart-contract wizardry that may well be impossible.

“Many NFTs you have traded on OpenSea have the ‘setApprovalForAll’ function set to ‘true’ for the OpenSea trading contracts unless you have gone out of your way to clear that approval,” NFT developer and analyst Nate Alex told CoinDesk on Twitter, adding:

“It’s a global approval for a given collection, so if you have 100 Art Block Factory NFTs and trade one of them, the other 99 are still approved for trade and thus only require you to sign a message to list more (not submit a [transaction]).”

Taking advantage of such an attack vector would still require special permissions, however.

“In order to take advantage of OpenSea’s open approval across everyone’s collections, you’d either need access to their marketplace contract via ownership controls of said contract, or access to manipulate their front end into getting users to sign fake messages,” Alex added.

Indeed, on-chain sleuths found that AJ’s own Ethereum address accepted a low bid for his Damien Hirst NFT, and as pseudonymous Solidity developer Foobar tweeted, there was no elaborate contract responsible for transferring out his holdings; his own address was the instigator.

“Looks like he probably entered his private key into a phishing site or had malware on his computer,” Foobar told CoinDesk.

While there have been conceptually similar attacks in the past on fungible token contracts, such as RUNE, which relied on a transaction-origin (tx.origin) check rather than a message-sender (msg.sender) check, Foobar said it’s an edge case that shouldn’t apply to NFTs.

“Any ERC-721s that check ‘tx.origin’ for approvals could be vulnerable. But I don’t think I’ve ever seen any of those,” Foobar added.
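The two mechanisms the developers describe, as an added illustration that is not code from the article, OpenSea or any real collection: a minimal ERC-721-style contract whose setApprovalForAll grants one operator rights over every token the caller owns in that collection, a transfer check keyed on msg.sender, and, for contrast, the tx.origin variant Foobar calls an edge case. The contract name, the token ids and everything except the standard ERC-721 function names are constructed for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Minimal, illustrative ERC-721-style approval logic (no events, no per-token approve).
contract MinimalApprovals {
    mapping(uint256 => address) private _owners;
    // Collection-wide operator approvals: owner => operator => approved.
    // This is the state a marketplace's setApprovalForAll(..., true) call writes.
    mapping(address => mapping(address => bool)) private _operatorApprovals;
    constructor() {
        // Constructed sample: the deployer owns tokens 1, 2 and 3.
        for (uint256 id = 1; id <= 3; id++) _owners[id] = msg.sender;
    }

    function ownerOf(uint256 tokenId) public view returns (address) {
        address owner = _owners[tokenId];
        require(owner != address(0), "nonexistent token");
        return owner;
    }

    // One call approves (or, with approved == false, revokes) an operator for EVERY
    // token the caller owns in this collection; that is why trading one of 100
    // tokens leaves the other 99 approved until the owner clears the approval.
    function setApprovalForAll(address operator, bool approved) external {
        require(operator != msg.sender, "approve to caller");
        _operatorApprovals[msg.sender][operator] = approved;
    }

    function isApprovedForAll(address owner, address operator) public view returns (bool) {
        return _operatorApprovals[owner][operator];
    }

    // Correct check: the authority is msg.sender, the account or contract that
    // directly called us. Code that merely runs while the owner's transaction
    // executes cannot pass as the owner here.
    function transferFrom(address from, address to, uint256 tokenId) external {
        require(ownerOf(tokenId) == from, "not owner");
        require(msg.sender == from || isApprovedForAll(from, msg.sender), "not authorized");
        _owners[tokenId] = to;
    }

    // The edge case the article mentions: authorizing on tx.origin instead.
    // tx.origin is the externally owned account that started the transaction, so
    // any contract the owner calls during that transaction would satisfy this
    // check. Kept only to show why msg.sender is the right authority.
    function transferFromUnsafe(address from, address to, uint256 tokenId) external {
        require(ownerOf(tokenId) == from, "not owner");
        require(tx.origin == from || isApprovedForAll(from, tx.origin), "not authorized"); // BAD
        _owners[tokenId] = to;
    }
}
```

Checking a collection's transferFrom for tx.origin, and calling setApprovalForAll(operator, false) on collections you no longer trade, are the two practical takeaways for a collector reviewing their exposure.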

Both developers warned users to remain wary of phishing emails and implored collectors to consider investing in hardware wallets.


Andrew Thurman

Andrew Thurman was a tech reporter at CoinDesk with a focus on DeFi.
