SolNFTMinting Solana Auto-Approve Theft Whiskeytango99
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
"i am a seasoned to crypto i have multiple ledgers and understand how crypto works , honestly i got cocky, i was moving fast had multiple screens open , and thought it was official based on what i saw on YouTube"
The SolNFTMinting website was particularly plain. It had only a title "SOL NFT", the text "(presale)", and a counter of NFT's which were left, which claimed 112/1500 NFTs were left.
There are a large number of fraudulent websites which have scammed users in the past. A common tactic is to request approvals to transfer funds from the visitor's wallet.
Whiskeytango99 attempted to mint on of the Solana NFTs on the SOL NFT website. They didn't confirm anything, however the auto-approve setting was enabled on their wallet.
|December 21st, 2021 7:39:01 PM MST||Reddit Post||Whiskeytango99 posted the incident on Reddit. It reportedly happened at least a few hours earlier.|
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?
A key part of this process was the auto-approve function. This function removes the need to confirm transactions and is intended to only be enabled on trusted websites. (TBC)
Total Amount Lost
204 sol 178.411 x 204 = 36395.844 or $36k.
The total amount lost has been estimated at $36,000 USD.
Whiskeytango99 posted about the incident on Reddit.
Reddit Post About Incident Made
"I went to a site https://solnftminting.com/mint/ ( be-careful do not connect !!)
connected my wallet but didnt mint anything , check my wallet a few hours later and had 204 sol sent out of my wallet to another address?
What did i do wrong how did this happen , i am pretty sure im screwed , but is there anything that can be done ??"
"yeah thats exactly what it was the auto approve , read about it later and turned it off , after the fact though"
Reddit Community Reactions
Trace the transactions And see how hat happened .
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
Individual Prevention Policies
The Solana NFT Minting smart contract had not been audited, and it appears it simply requested full access to the wallet of the visitor. Great care is needed when interacting with decentralized smart contract, to ensure that you are dealing with properly audited smart contracts, and providing the minimum possible level of permissions for the task you need to accomplish.
Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.
Every approval on Web3 is an opportunity to lose all of the funds present in your wallet. Take the time to review the transaction in full. Fully check over the balance, permissions, and entire address which you are interacting with. Do not trust that your clipboard or any website front-end is guaranteed to provide an accurate address or transaction status. Always perform a test transaction prior to the first high-value transaction in any session.
Funds can be better secured by storing them offline in a cold storage wallet.
Store the majority of funds offline. By offline, it means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc...
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
This incident can be prevented through more education (especially about the auto-approve feature). An industry insurance fund can assist affected users.
Never take for granted the limited knowledge of users of your service and their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.
Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
This incident can be prevented through more education (especially about the auto-approve feature). Having standard public reviews of platforms and making those available can allow users to know which platforms are safer. An industry insurance fund can be available to assist affected users.
Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.
All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.
Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
- Whiskeytango99 - "i am a seasoned to crypto i have multiple ledgers and understand how crypto works , honestly i got cocky, i was moving fast had multiple screens open , and thought it was official based on what i saw on YouTube , yeah very stupid i know ," - Reddit (Jun 5, 2023)
- SOL NFT Homepage Archive December 22nd, 2021 5:27:20 PM MST (Jun 22, 2023)
- WhiskyTango99 - Sol Stolen out of Wallet - Solana Reddit (Jun 4, 2023)
- Solana Historical Data - Investing.com Canada (Jun 22, 2023)
- Tradegrow - "Trace the transactions And see how hat happened ." - Reddit (Oct 3, 2022)