Today, bored ape holder "s27" lost their bubble gum ape and matching mutants ($567k at current floors) in an instant. This is a thread on how it happened, and how to prevent something similar from happening to you. 1/ 🧵
2/ I track ape listings under floor (5% trigger) in my discord server. The pings are rare, but when they happen it generally means one of two things: somebody is panic selling, or somebody is compromised. When I saw the notification for #1584, I instantly knew it was the latter
3/ At first I thought s27 must have been a victim of the "animate your ape" scam I was tagged in today, but in looking at his transaction history I noticed something odd: he actually transferred this ape from his vault to another wallet, just to lose it shortly thereafter
4/ Further digging showed that he traded on swapkiwi, a trading site similar to NFTtrader or SudoSwap. Furthermore, he *initiated* a trade to lose his apes, which is certainly not normal behavior. I decided to play with KiwiSwap and see how this could've happened 👇
5/ There's nothing inherently wrong with KiwiSwap. The contract is safe & does what it's supposed to. But there are fatal flaws with the UI/UX. Here's what it looks like when proposing a trade. Notice how the "verified collection" check is right there on top of the image:
6/ Well, the hacker used that to his advantage. Here are the apes that s27 received in return:
https://opensea.io/assets/0xfcf71e369b25428427f166ca619f31a756db49d9/4424
https://opensea.io/assets/0xfcf71e369b25428427f166ca619f31a756db49d9/5406
https://opensea.io/assets/0xfcf71e369b25428427f166ca619f31a756db49d9/2007
You'll see that each has the green check added directly to the image.
7/ The scammer added these checkmarks to knock-off NFTs exclusively to make them appear legitimate on swapkiwi. Furthermore, there's no immediately apparent way to click through to view the asset or the asset contract, making it unnecessarily burdensome to verify the assets.
8/ @swapkiwi, if you're reading, these two things are easy to fix. Move the checkmark literally anywhere outside of the image itself, and add links to the asset contract and/or OpenSea page.
9/ So what can you, the tradoooor, do to protect yourself? Well, there are a few things.
- If it sounds too good to be true, it probably is.
- Close your DMs. Negotiate in public.
- Always assume everybody is out to get you. They probably are.
- Independently verify EVERYTHING
10/ "Quit, you just said it was difficult to verify. Wat do?"
In this case, the site doesn't MAKE it easy, but that doesn't mean it isn't so. If you're proposing a trade, check your partner's wallet on another site: OS, LR, etherscan...
If you're receiving a trade, it's simpler
11/ The assets are in the contract already. Navigate to etherscan, and you can see which assets were deposited. This was s27 sending his assets into the swap contract. Check your trade partner's wallet, and you can easily verify the assets that are up for trade.
12/ This goes for other assets too. I've seen similar scams with tokens, where a scammer will submit a picture with the words "20 WETH" on it in place of 20 WETH.
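The check in tweets 10 and 11, done programmatically instead of by eye, as an added example that is not part of the thread and not swap.kiwi's code. An NFT is identified on chain only by (contract address, tokenId); the image, and anything painted onto it, is off-chain metadata. The script therefore compares each offered asset's contract against a pinned allowlist and ignores the UI's "verified" badge entirely, and it builds the `ownerOf(uint256)` call you would send to a node to confirm the counterparty actually deposited the token into the swap's escrow contract. The trade proposal is constructed (modelled on the knock-off contract in the OpenSea links above), and the BAYC/MAYC contract addresses are pinned from my own knowledge, so confirm them against a source you trust before relying on them.

```python
"""Verify a trade by (contract address, tokenId), never by the picture.

Added example, not the thread author's code and not swap.kiwi's code.
The proposal below is constructed; its "verified" field stands in for
whatever badge the UI paints over the image and is deliberately ignored.
"""

# Canonical collection contracts, lowercased for case-insensitive comparison.
# Assumed canonical: pin these yourself from the collection's own site or Etherscan.
KNOWN_COLLECTIONS = {
    "0xbc4ca0eda7647a8ab7c2061c2e118a18a936f13d": "BAYC",
    "0x60e4d786628fea6478f785a6d7e704777c86a7c6": "MAYC",
}

# keccak256("ownerOf(uint256)")[:4], the standard ERC-721 function selector.
OWNER_OF_SELECTOR = "6352211e"

HEX = set("0123456789abcdef")


def norm_address(addr):
    """Lowercase an address and reject anything that is not 20 bytes of hex."""
    a = addr.strip().lower()
    if not (a.startswith("0x") and len(a) == 42 and set(a[2:]) <= HEX):
        raise ValueError(f"not an Ethereum address: {addr!r}")
    return a


def classify_asset(asset):
    """Label one asset by its contract only; image and badge are never read."""
    contract = norm_address(asset["contract"])
    name = KNOWN_COLLECTIONS.get(contract)
    if name is None:
        return (f"UNKNOWN {contract} #{asset['tokenId']}", False)
    return (f"{name} #{asset['tokenId']}", True)


def check_proposal(proposal):
    """Classify every asset you would receive; safe only if all are known."""
    results = [classify_asset(a) for a in proposal["receive"]]
    return {"assets": results, "safe": all(ok for _, ok in results)}


def owner_of_calldata(token_id):
    """ABI-encode ownerOf(tokenId) for an eth_call against the collection.

    Send {"to": <collection contract>, "data": <this>} to a node you trust;
    the 32-byte result is the current owner. If the counterparty really
    deposited the token, that owner is the swap's escrow contract.
    """
    return "0x" + OWNER_OF_SELECTOR + format(int(token_id), "064x")


def decode_owner(result_hex):
    """Decode the 32-byte ABI word eth_call returns into a 20-byte address."""
    data = result_hex[2:] if result_hex.startswith("0x") else result_hex
    if len(data) != 64:
        raise ValueError("ownerOf should return exactly one 32-byte word")
    return norm_address("0x" + data[-40:])


def deposited_in_escrow(result_hex, escrow_contract):
    """True if the decoded on-chain owner is the swap contract."""
    return decode_owner(result_hex) == norm_address(escrow_contract)


# Constructed proposal: three tokens from the knock-off contract seen in the
# OpenSea links, each flagged "verified" by the UI's painted-on check mark.
FAKE_CONTRACT = "0xfcf71e369b25428427f166ca619f31a756db49d9"
PROPOSAL = {
    "receive": [
        {"contract": FAKE_CONTRACT, "tokenId": 4424, "verified": True},
        {"contract": FAKE_CONTRACT, "tokenId": 5406, "verified": True},
        {"contract": FAKE_CONTRACT, "tokenId": 2007, "verified": True},
    ],
}

if __name__ == "__main__":
    verdict = check_proposal(PROPOSAL)
    for label, ok in verdict["assets"]:
        print(("OK   " if ok else "STOP ") + label)
    print("safe to sign:", verdict["safe"])
    print("ownerOf(1584) calldata:", owner_of_calldata(1584))
```

The allowlist is the whole defence: a knock-off collection can copy the name, the art and the badge, but it cannot occupy the real collection's contract address. The same principle covers the "20 WETH" picture in the next tweet: a token balance is a number returned by the token contract, not an image, so read it from the contract (or from the escrow's holdings on Etherscan), never from the trade card.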
Keep your guard up, always. This space is relentless; only you can protect yourself.
Stay safe out there ✌️
If you enjoyed this thread, consider retweeting the first tweet to help spread awareness.
For your convenience: https://twitter.com/0xQuit/status/1511198290565509120?s=20&t=3qPkk3yBJhAKrhLVVbJw8Q
.@taylorRichie was scammed in a similar manner a few days back by one "ego.eth" (twitter since deleted), who was using TubbyCat #6382 as his PFP. Here's a screenshot from s27 regarding his attacker, which also features the same TubbyCat.
From Taylor: https://caring-grin-87a.notion.site/Scammed-out-of-MAYC-232-a9c09d4e2e3d446bb05656a314c7c5b4