No, Airdropped NFTs Cannot Empty Your Crypto Wallet

As NFT collectors learn about smart contracts for the first time, rumors and misinformation run amok.

AccessTimeIconSep 21, 2021 at 7:35 p.m. UTC
Updated May 11, 2023 at 6:16 p.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global event for everything crypto, blockchain and Web3.Register Now

It’s scammer season in NFT-land, but amid the valid concerns about hacks and exploits, misinformation is spreading fast.

As non-fungible tokens (NFTs) continue to become more popular, the user demographics for many cryptocurrency platforms are fundamentally changing as a new, perhaps less tech-centric population learns how smart contracts work.

The proliferation of relatively green users and new money in the market has led to a similar boom in Discord scams, phishing attempts and “clippers” – all attack vectors that more experienced crypto users may be familiar with but that NFT collectors are often hearing about for the first time.

The prevalence of real threats has also led to a boom in misinformation about what is and isn’t a risk.

NFT misinformation

In a viral tweet on Monday, NFT collector “AJ” claimed to have lost an NFT collection worth more than $50,000 in a hack.

AJ wrote that he had not entered his seed phrase anywhere, had not interacted with fake front ends or otherwise fallen for common scam tactics, and that the only way he could have lost his collection was from malicious permissions associated with NFTs “airdropped” to his address, or NFTs sent to his address for free. AJ didn’t respond to a request for comment by press time.

The incident led to a rumor that accepting bids on airdropped NFTs or listing them for sale, both of which require a contract approval, could lead to wallets being emptied.

In interviews with CoinDesk, however, a pair of developers say that AJ’s depiction of the events is highly unlikely, if not impossible, and that standard operational security – such as double-checking that emails are from the proper sources and using a hardware wallet – is the best way forward.

Contract disapproval

Key to AJ’s theory for how his wallet was drained is a feat of smart-contract wizardry that may well be impossible.

“Many NFTs you have traded on OpenSea have the ‘setApprovalForAll’ function set to ‘true’ for the OpenSea trading contracts unless you have gone out of your way to clear that approval,” NFT developer and analyst Nate Alex told CoinDesk on Twitter, adding:

“It’s a global approval for a given collection, so if you have 100 Art Block Factory NFTs and trade one of them, the other 99 are still approved for trade and thus only require you to sign a message to list more (not submit a [transaction]).”

Taking advantage of such an attack vector would still require special permissions, however.

“In order to take advantage of OpenSea’s open approval across everyone’s collections, you’d either need access to their marketplace contract via ownership controls of said contract, or access to manipulate their front end into getting users to sign fake messages,” Alex added.

Indeed, on-chain sleuths found that AJ’s own Ethereum address accepted a low bid for his Damien Hirst NFT, and as pseudonymous Solidity developer Foobar tweeted, there was no elaborate contract responsible for transferring out his holdings; his own address was the instigator.

“Looks like he probably entered his private key into a phishing site or had malware on his computer,” Foobar told CoinDesk.

While there have been conceptually similar attacks in the past with fungible token contracts, such as RUNE, which relied on a transaction origin check as opposed to a message sender check, Foobar said it’s an edge case that shouldn’t apply to NFTs.

“Any ERC-721s that check ‘tx.origin’ for approvals could be vulnerable. But I don’t think I’ve ever seen any of those,” Foobar added.

Both developers warned users to remain wary of phishing emails and implored collectors to consider investing in hardware wallets.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Andrew Thurman

Andrew Thurman was a tech reporter at CoinDesk with a focus on DeFi.

Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to to register and buy your pass now.

Read more about