On Monday, NFT collector Larry Lawliet was the victim of a suspected social engineering attack that resulted in the loss of seven costly Bored Apes and a collection of other NFTs.
The attacker appears to have duped Lawliet into signing fraudulent transactions that granted them access to his NFTs, and then used that access to transfer the NFTs to their own wallet.
Lawliet posted on Twitter that the intruder had stolen 13 of his NFTs, including seven Bored Apes, five Mutant Apes, and one Doodle.
Based on the floor price of the NFTs stolen from Lawliet's wallet, his total loss is estimated at $2.7 million.
How did it happen?
The victim's problems began when an attacker (presumably the same individual) gained control of the Discord server of another NFT collection, Moschi Mochi, and posted a false announcement of an additional mint.
Members of the Moschi Mochi community were invited to take part in an extra mint of 1,000 NFTs for a chance to win a $25,000 raffle.
According to his wallet's transaction history on Etherscan, Lawliet interacted with the bogus mint and sent 0.49 ETH in exchange for 14 of the scam NFTs.
Lawliet's transaction history shows a series of "set approval" transactions immediately after that transfer.
The victim was tricked into signing, from his own wallet, transactions that called the "setApprovalForAll" method.
Crucially, when someone confirms a blockchain transaction through an in-app browser such as MetaMask's, it is not always evident what permissions they are granting to the website.
In this case, the victim mistook the transactions for routine ones, when in fact he was handing over control of his own NFTs.
However, MetaMask does provide a way for users to see the exact nature of a transaction before it is executed.
That step is selecting the "details" tab, which shows the transaction data, including critical information such as the addresses that are being approved.
Investors may not always check this amid the rush for an NFT mint.
The setApprovalForAll contract call permitted the hacker to initiate the "transferFrom" contract call, allowing them to transfer all of the victim's Bored Apes to another wallet.
A contract call is a programming construct that lets one account or contract execute a function of another contract; in this case, it gave the approved operator the ability to transfer NFTs from the victim to the hacker.
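As an added illustration (not code from the article or from MetaMask), a small Python decoder that shows what the "details" view reveals for such a transaction: which operator address a setApprovalForAll call would authorize, and whether that operator is one the signer already trusts. The selectors are the standard ERC-721 ones; the sample calldata and operator address are constructed.

```python
# Added example (not from the article): decode ERC-721 calldata so the operator
# that a setApprovalForAll call would authorize is visible before signing.
# Selectors are the standard ERC-721 ones; sample values are constructed.

SELECTORS = {  # 4-byte function selectors
    "a22cb465": ("setApprovalForAll", ["address", "bool"]),
    "23b872dd": ("transferFrom", ["address", "address", "uint256"]),
}

def _decode_word(kind: str, word: bytes):
    # Each static argument occupies one 32-byte, right-aligned ABI word.
    if kind == "address":
        return "0x" + word[12:].hex()
    if kind == "bool":
        return int.from_bytes(word, "big") != 0
    if kind == "uint256":
        return int.from_bytes(word, "big")
    raise ValueError(f"unsupported ABI type {kind}")

def decode_calldata(calldata_hex: str) -> dict:
    # Split calldata into the selector and its decoded static arguments.
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) < 4:
        raise ValueError("calldata shorter than a selector")
    selector = data[:4].hex()
    if selector not in SELECTORS:
        return {"function": "unknown", "selector": selector, "args": []}
    name, types = SELECTORS[selector]
    body = data[4:]
    if len(body) != 32 * len(types):
        raise ValueError("argument block has unexpected length")
    args = [_decode_word(t, body[i * 32:(i + 1) * 32]) for i, t in enumerate(types)]
    return {"function": name, "selector": selector, "args": args}

def assess(calldata_hex: str, trusted_operators: set[str]) -> str:
    # Rate what signing this transaction would hand over.
    decoded = decode_calldata(calldata_hex)
    if decoded["function"] != "setApprovalForAll":
        return f"INFO: {decoded['function']} ({decoded['selector']})"
    operator, approved = decoded["args"]
    trusted = operator.lower() in {o.lower() for o in trusted_operators}
    if approved and not trusted:
        return f"HIGH: grants {operator} transfer rights over the whole collection"
    return "LOW: trusted operator or a revocation (approved=false)"

# Constructed calldata: setApprovalForAll(0x1111...1111, true)
SAMPLE_APPROVAL = "0xa22cb465" + "00" * 12 + "11" * 20 + "00" * 31 + "01"

if __name__ == "__main__":
    print(assess(SAMPLE_APPROVAL, trusted_operators=set()))
```

A wallet-side check of this kind would have surfaced the unknown operator address before the victim confirmed the approvals.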
After gaining possession of the victim's NFTs, the attacker began moving them to a second wallet.
Using this method, the hacker was able to steal the Bored Apes as well as other NFTs such as the Mutant Apes and the Doodle.