Do you know how to protect yourself from phishing that caused many people to lose their precious NFTs?
Bad actors invent more and more sophisticated ways to take your JPEGs but they usually rely on the same exploit vector.
This thread is a simple guide on how not to get phished.
Many NFT holders had their JPEGs stolen.
More advanced crypto users used to make fun of them, thinking they were immune to simple phishing tactics that only "noobs" could fall for.
But last week even Uniswap V3 liquidity positions (also NFTs) were stolen in the same way.
Many exploits had nothing to do with the most obvious way of seizing a victim's assets, i.e. capturing their Secret Recovery Phrase (Seed).
People are smarter now and don't share their Seed with "customer service" on Telegram and Discord.
But they are still subject to exploits.
To understand how these exploits work, you need to get familiar with the concept of "approval" on Ethereum and other EVM chains.
If you already know it, scroll down to the tweet commencing with: [Part II: Practice].
[Part I: Theory]
Having custody of your own assets without the need to trust anyone is the essence of the blockchain.
If you have fungible (ERC20s) or non-fungible (NFTs) tokens in your wallet, nobody can take them from you...
...unless you let them do so (approve).
Approval is an act of granting permission to a third party to access your funds.
Without approvals smart contracts can't spend assets in your wallet - you can't sell ERC20s on Uniswap or list NFTs on Opensea.
Let's dive deeper into how approvals work.
ERC20s
You approve a contract to access amount X of token TKN.
- The approved contract can take X of TKN from your wallet any time.
- It doesn't matter if you have a hardware wallet or not.
- X of TKN is approved until X is spent by the contract or you revoke the approval.
NFTs
You approve a contract to access all the items in collection CLN.
- The approved contract can take all the items in CLN from your wallet any time.
- It doesn't matter if you have a hardware wallet or not.
- CLN is approved until you revoke the approval.
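To make the two bullet lists above concrete, here is an added example (not code from the thread) that models the approval state an ERC20 and an ERC721 contract keep on-chain. The actors alice, router, marketplace and buyer are constructed names. It shows why a hardware wallet does not help once an approval is signed: the approved contract is the one calling transferFrom later, and the owner signs nothing at that point. It also shows that an ERC20 allowance shrinks as it is spent, that an approval for a collection covers every item in it, and that revoking (approve with 0, or setApprovalForAll with false) closes the door.

```javascript
// Added example, not part of the original thread: an in-memory model of the
// approval state that ERC20 and ERC721 contracts keep. Actor names are constructed.

const MAX_UINT256 = (1n << 256n) - 1n;

class Erc20Model {
  constructor(balances) {
    this.balances = new Map(Object.entries(balances)); // holder -> amount
    this.allowances = new Map();                       // "owner:spender" -> amount
  }
  allowance(owner, spender) {
    return this.allowances.get(`${owner}:${spender}`) ?? 0n;
  }
  // Signed by the owner once. approve(spender, 0n) is how you revoke.
  approve(owner, spender, amount) {
    this.allowances.set(`${owner}:${spender}`, amount);
  }
  // Called by the spender later; the owner signs nothing here.
  transferFrom(caller, from, to, amount) {
    const allowed = this.allowance(from, caller);
    if (allowed < amount) throw new Error("insufficient allowance");
    if ((this.balances.get(from) ?? 0n) < amount) throw new Error("insufficient balance");
    // An unlimited allowance is not decremented (as OpenZeppelin's ERC20 does), so it stays open.
    if (allowed !== MAX_UINT256) this.allowances.set(`${from}:${caller}`, allowed - amount);
    this.balances.set(from, this.balances.get(from) - amount);
    this.balances.set(to, (this.balances.get(to) ?? 0n) + amount);
  }
}

class Erc721Model {
  constructor(owners) {
    this.owners = new Map(Object.entries(owners)); // tokenId -> owner
    this.operators = new Map();                    // "owner:operator" -> bool
  }
  isApprovedForAll(owner, operator) {
    return this.operators.get(`${owner}:${operator}`) === true;
  }
  // One signature covers every item the owner holds in this collection, now and later.
  setApprovalForAll(owner, operator, approved) {
    this.operators.set(`${owner}:${operator}`, approved);
  }
  transferFrom(caller, from, to, tokenId) {
    if (this.owners.get(tokenId) !== from) throw new Error("from is not the owner");
    if (caller !== from && !this.isApprovedForAll(from, caller)) {
      throw new Error("caller is neither owner nor approved operator");
    }
    this.owners.set(tokenId, to);
  }
}

// Returns true if fn ran without throwing.
function attempt(fn) { try { fn(); return true; } catch { return false; } }

// Walk through both flows with constructed actors.
function demo() {
  const tkn = new Erc20Model({ alice: 100n });
  tkn.approve("alice", "router", 40n);                 // bounded approval of 40 TKN
  tkn.transferFrom("router", "alice", "router", 40n);  // router pulls exactly the limit
  const secondPullBlocked = !attempt(() => tkn.transferFrom("router", "alice", "router", 1n));

  const cln = new Erc721Model({ "1": "alice", "2": "alice", "3": "alice" });
  cln.setApprovalForAll("alice", "marketplace", true);
  cln.transferFrom("marketplace", "alice", "buyer", "1"); // the sale alice intended
  cln.transferFrom("marketplace", "alice", "buyer", "2"); // the approval covers every item, not one
  cln.setApprovalForAll("alice", "marketplace", false);   // revoke
  const afterRevokeBlocked = !attempt(() => cln.transferFrom("marketplace", "alice", "buyer", "3"));

  return {
    aliceTkn: tkn.balances.get("alice"),
    routerAllowance: tkn.allowance("alice", "router"),
    secondPullBlocked,
    nft2Owner: cln.owners.get("2"),
    nft3Owner: cln.owners.get("3"),
    afterRevokeBlocked,
  };
}

console.log(demo());
```

The two models mirror the bullets: the ERC20 allowance is spent down to zero and a further pull fails, while the collection approval lets the operator move any item until it is revoked.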
Approvals are necessary to interact with smart contracts on the blockchain.
But they are also dangerous.
Many exploits are actually pretty simple - an unaware victim approves a malicious contract, which then takes the approved ERC20s / NFTs from the victim's wallet.
How to avoid it?
[Part II: Practice]
Most users on Ethereum and other EVM chains use Metamask so I will use this wallet to demonstrate how to protect your assets from getting stolen.
We will focus on approvals for ERC20s and NFTs so that you will never approve a malicious contract in future.
ERC20s
Let's say you want to sell $APE on Uniswap.
The first step is an approval - see Metamask popup below.
It explains well what you are doing - giving permission to a contract to access your APE.
But it does very little to protect you from phishing...
What should you do?
1. Check the contract you are approving
What if the front-end got hacked? Or you are on a phishing website? You could be tricked into approving a malicious contract that would seize your tokens.
Check the contract on Etherscan - they have useful labels.
2. Check the token you are approving
Imagine a compromised website triggers an approval for WETH instead of a valueless token that was airdropped to you. This could drain your wallet of WETH!
Read Metamask popups carefully.
3. Check the approval limit
Most dapps request an unlimited approval for a token. If the approved contract gets into malicious hands in future, it can take all the approved tokens from your wallet.
Check and edit Approval Limit before sending a transaction.
4. Revoke unnecessary approvals
If you no longer plan to interact with a contract, revoke its permission to access your tokens. Some contracts are safe but unless you know how to read them, it's better to be safe than sorry.
Use etherscan.io/tokenapprovalchecker to revoke approvals.
These are simple steps to maintain high security level when it comes to your ERC20s.
Unfortunately, it's a bit less user-friendly with NFTs, which is one of the reasons why most approval exploits target NFT holders.
NFTs
Let's say you want to list your NFT on OpenSea.
The first step is an approval - see Metamask popup below.
Unlike for ERC20s, it's very enigmatic here - hard to know what you are doing.
To keep your JPEGs secure you need to stay alert and follow the below guidelines.
1. Check the address you are approving
If you approve a malicious contract, all your NFTs from the approved collection can be taken from your wallet instantly. Make sure you trust the contract.
Go to Etherscan and check the labels to understand what it is.
2. Save trusted addresses in Metamask
Metamask gives you an option to add nicknames for addresses. Once saved, they will be displayed on the popups instead of 0x strings so you will immediately know what address you are interacting with.
Add nicknames to avoid getting phished.
3. Check the collection you are approving
Make sure you are not tricked into approving a collection you wouldn't like to approve. This may be an attempt to steal your precious JPEGs while you are not paying close attention.
Go to the Data tab and check the collection on Etherscan.
4. Revoke unnecessary approvals
Revoking approvals for NFTs is less common than for ERC20s but the risks are the same. Therefore, if you don't plan to interact with a contract in future, remove its permission to access your NFTs.
Use etherscan.io/tokenapprovalchecker to revoke approvals.
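The ERC20 checklist (check the contract, the token, the limit) and the NFT checklist (check the address, the collection) both come down to reading what the transaction actually encodes. As an added example that is not from the thread, the JavaScript below decodes the raw calldata MetaMask shows under the Data tab for the two approval calls in question and turns each check into a warning. All addresses (TOKEN, COLLECTION, ROUTER, UNKNOWN) are constructed placeholders, and the trusted list stands in for the nicknames you saved in MetaMask. It works for both parts of the guide and also flags a non-approval call so it is not mistaken for one.

```javascript
// Added example, not part of the original thread: decode approval calldata and
// apply the checklist (who is approved, for which asset, with what limit).
// Addresses below are constructed placeholders, not real contracts.

const MAX_UINT256 = (1n << 256n) - 1n;

// 4-byte selectors (first 4 bytes of keccak256 of the signature).
// Caveat: ERC20 approve(address,uint256) and ERC721 approve(address,uint256) share
// this selector; the second argument is an amount for an ERC20 and a tokenId for an
// ERC721, so what it means depends on which contract `tx.to` is.
const SELECTOR_APPROVE = "095ea7b3";
const SELECTOR_SET_APPROVAL_FOR_ALL = "a22cb465";

// Return the i-th 32-byte ABI word (as hex) after the selector.
function abiWord(data, i) {
  const start = 8 + i * 64;
  const w = data.slice(start, start + 64);
  if (w.length !== 64) throw new Error(`calldata too short for argument ${i}`);
  return w;
}

// An ABI-encoded address is left-padded with zeros to 32 bytes; keep the last 20 bytes.
function abiAddress(word) {
  if (!/^0{24}[0-9a-f]{40}$/.test(word)) throw new Error("argument is not a valid address");
  return "0x" + word.slice(24);
}

function decodeApproval(tx) {
  const data = tx.data.toLowerCase().replace(/^0x/, "");
  const selector = data.slice(0, 8);
  const asset = tx.to.toLowerCase(); // the token or collection contract the call is sent to
  if (selector === SELECTOR_APPROVE) {
    const amount = BigInt("0x" + abiWord(data, 1));
    return { kind: "approve", asset, spender: abiAddress(abiWord(data, 0)), amount, unlimited: amount === MAX_UINT256 };
  }
  if (selector === SELECTOR_SET_APPROVAL_FOR_ALL) {
    const approved = BigInt("0x" + abiWord(data, 1)) !== 0n;
    return { kind: "setApprovalForAll", asset, spender: abiAddress(abiWord(data, 0)), approved };
  }
  return { kind: "other", selector };
}

// Apply the checklist: is the spender one you saved? is the asset the one you meant? is the limit bounded?
function reviewApproval(tx, trusted) {
  const decoded = decodeApproval(tx);
  const warnings = [];
  if (decoded.kind === "other") {
    return { decoded, warnings: ["not an approve/setApprovalForAll call; read the Data tab before signing"] };
  }
  if (!trusted.spenders.has(decoded.spender)) warnings.push(`spender ${decoded.spender} is not in your saved addresses`);
  if (!trusted.assets.has(decoded.asset)) warnings.push(`call targets ${decoded.asset}, not the token/collection you intended`);
  if (decoded.kind === "approve" && decoded.unlimited) warnings.push("unlimited allowance requested; edit the approval limit");
  if (decoded.kind === "setApprovalForAll" && decoded.approved) warnings.push("operator gains access to every item in this collection");
  return { decoded, warnings };
}

// Constructed sample data (placeholders, not real contracts).
const TOKEN = "0x" + "a".repeat(40);       // the ERC20 you meant to sell
const COLLECTION = "0x" + "b".repeat(40);  // the NFT collection you meant to list
const ROUTER = "0x" + "1".repeat(40);      // the DEX contract you saved in MetaMask
const UNKNOWN = "0x" + "2".repeat(40);     // an address you have never seen before
const TRUSTED = { spenders: new Set([ROUTER]), assets: new Set([TOKEN, COLLECTION]) };

const pad = (hex) => hex.replace(/^0x/, "").padStart(64, "0");

// approve(ROUTER, MAX_UINT256) on TOKEN: what a typical dapp requests
const SAMPLE_ERC20_APPROVAL = { to: TOKEN, data: "0x" + SELECTOR_APPROVE + pad(ROUTER) + "f".repeat(64) };
// setApprovalForAll(UNKNOWN, true) on COLLECTION: an operator you never saved
const SAMPLE_NFT_APPROVAL = { to: COLLECTION, data: "0x" + SELECTOR_SET_APPROVAL_FOR_ALL + pad(UNKNOWN) + pad("1") };

const bigintSafe = (k, v) => (typeof v === "bigint" ? v.toString() : v);
for (const tx of [SAMPLE_ERC20_APPROVAL, SAMPLE_NFT_APPROVAL]) {
  console.log(JSON.stringify(reviewApproval(tx, TRUSTED), bigintSafe, 2));
}
```

Run it with node; the first sample yields one warning (unlimited limit to a known router), the second yields two (unknown operator, whole collection). Because the two approve selectors collide, confirm on Etherscan whether `to` is an ERC20 or an NFT contract before reading the second argument as an amount.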
Follow these simple steps and you will avoid a lot of phishing traps set by bad actors.
Many exploits in crypto don't involve any hacking. They just take advantage of your inattentiveness when you interact with smart contracts.
Pay attention to approvals and win by not losing.