- Fraudsters are mimicking real NFT holders and selling fake NFTs.
- Study Etherscan and OpenSea to avoid fake contracts.
- The scam contract's safeTransferFrom function is modified to only emit events with arbitrary addresses.
Cygaar is warning about a new type of scam that is currently circulating. People are duped when it appears that they are selling fraudulent NFTs to others. At a glance, it is impossible to distinguish between genuine and fraudulent deals. According to what OpenSea shows, the user's address is delivering this fraudulent NFT to someone else.
Scammers are becoming more clever. I’m starting to see a new type of scam where it appears that YOUR address is selling NFTs to someone else.
Here’s how the scam works, the 23 lines of code to replicate it, and how to differentiate between fake and legit sales 🧵: pic.twitter.com/YL7q7N37r1
— cygaar (@0xCygaar) January 10, 2023
Cygaar also explained how to tell real transactions from false ones. The first thing to realize is that most apps learn about token transfers through a mechanism known as events. In a smart contract, events are simply signals that can be emitted publicly. Both OpenSea and Etherscan rely on events to detect NFT transfers.
The fraudster creates a fake collection and mints a large number of tokens. These tokens are listed for sale on OpenSea, and the fraudster buys them with another wallet. The fraudulent contract's transfer function then emits false transfer events naming multiple addresses.
It's worth noting that the safeTransferFrom method has been modified to only emit events with arbitrary addresses. Seaport carries out transfers by calling safeTransferFrom, so changing that function's behavior makes the fake transfer appear to be a genuine Seaport transaction.
For ERC721 transfers there is a Transfer event, and for ERC1155 there are TransferSingle and TransferBatch events. When a token transfer occurs, NFT contracts normally update their record of token holders and emit transfer events. The token contract in this fraud does not actually change any internal balances; instead, it emits a TransferSingle event to fool apps into believing an NFT was sent.
To avoid these kinds of frauds, he offered some advice. Examine the Etherscan data carefully: the input data of the Seaport transaction should contain the seller's address. Check the OpenSea activity for the relevant token: while activity for a particular address can be forged, the genuine total sales for an NFT cannot. Study the real contract code: almost every fraud uses an unverified token contract to conceal what is going on.
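The first and third checks above can be sketched in code. This is an added example, not code from Cygaar's thread: it decodes an ERC1155 TransferSingle log and flags a sale whose claimed seller never appears in the transaction input. The function names, the `source_verified` flag (which the reader sets after looking up the contract) and all sample addresses and calldata are constructed assumptions; the `topics`, `data`, `input` and `from` keys mirror the usual JSON-RPC fields.

```python
# Added example. All addresses and calldata below are constructed samples.

# keccak256("TransferSingle(address,address,address,uint256,uint256)")
TRANSFER_SINGLE = "0xc3d58168c5ae7397731d063d5bbf3d657854427343f4c083240f7aacaa2d0f62"

def pad(addr):
    """Left-pad a 20-byte address to a 32-byte ABI word (hex, no 0x)."""
    return "0" * 24 + addr[2:].lower()

def decode_transfer_single(log):
    """Decode an ERC1155 TransferSingle log; return None for any other log."""
    t = log["topics"]
    if len(t) != 4 or t[0].lower() != TRANSFER_SINGLE:
        return None
    data = bytes.fromhex(log["data"][2:])
    if len(data) != 64:  # two uint256 words: id and value
        return None
    return {"operator": "0x" + t[1][-40:].lower(),
            "from": "0x" + t[2][-40:].lower(),
            "to": "0x" + t[3][-40:].lower(),
            "id": int.from_bytes(data[:32], "big"),
            "value": int.from_bytes(data[32:], "big")}

def review_sale(tx, log, source_verified):
    """Return warnings for a sale that an explorer attributes to the log's `from`."""
    ev = decode_transfer_single(log)
    if ev is None:
        return ["log is not a TransferSingle event"]
    warnings = []
    # Check 1: the marketplace call's input data should contain the seller.
    # Heuristic: search the calldata for the address as a padded ABI word.
    in_input = pad(ev["from"]) in tx["input"].lower()
    if not in_input and tx["from"].lower() != ev["from"]:
        warnings.append("claimed seller %s is absent from the transaction input" % ev["from"])
    # Check 3: an unverified token contract cannot be read, so cannot be trusted.
    if not source_verified:
        warnings.append("token contract source is not verified")
    return warnings

# Constructed scenario: wallet A lists, wallet B buys, the event names a victim.
VICTIM, WALLET_A, WALLET_B = "0x" + "11" * 20, "0x" + "aa" * 20, "0x" + "bb" * 20

def make_log(seller):
    topics = [TRANSFER_SINGLE] + ["0x" + pad(a) for a in (WALLET_B, seller, WALLET_B)]
    return {"topics": topics, "data": "0x" + (1).to_bytes(32, "big").hex() * 2}

TX = {"from": WALLET_B, "input": "0x00000000" + pad(WALLET_A)}  # placeholder selector

if __name__ == "__main__":
    print(review_sale(TX, make_log(VICTIM), source_verified=False))
    print(review_sale(TX, make_log(WALLET_A), source_verified=True))
```

The substring search is a heuristic; a stricter check would ABI-decode the Seaport order and compare its offerer field with the event's `from`.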
The basic rule of thumb is that if users can't read the code, they shouldn't trust it. The large majority of individuals click on or sign transactions because they believe they can buy or sell such NFTs for free money. Fraudsters really aren't foolish; in these cases, people will just lose a lot of money.