NFT Theft Analysis

Last updated 2 years ago

In this article I'd like to provide some data regarding the recent NFT thefts. The original data is provided by Decrypt. The analysis is provided by the Callisto Security Department.

1. Premint platform hack

What happened?

On July 17 2022 hackers compromised the Premint website and caused a malicious pop-up to be displayed to Premint users. The message in the pop-up tricked users into sending funds to the hackers' address, masquerading the request as a "security measure".

As a result 320 NFTs were stolen. At the moment of writing the hackers had sold 302 NFTs and kept the other 18.

What failed?

Backend security model of the Premint platform.

Possible causes

  • Human factor / internal privileges exploitation. A Premint team member with sufficient privileges could have deployed the malicious code intentionally.

  • Backend security model flaws.

  • Error on the service provider's side. A human-factor exploit or a security-model flaw could also have happened on the side of a service provider that Premint was using.

Conclusions

  • Users could have avoided losing their funds in this hack simply by not providing their sensitive data to the malicious pop-up. If a service looks as if it is trying to steal your funds, it may be true.

2. OpenSea phishing attack

What happened?

It is assumed that someone created a phishing copy of the OpenSea marketplace service that tricked users into sending Ether and NFTs to the hackers' address.

We don't know where exactly this happened.

What failed?

This is a mistake on the user's side. Someone created and promoted a copy of the web page that was then used by confused NFT owners. This could not have been prevented by the OpenSea team.

Conclusions

  • Users could avoid losing their funds by paying more attention to (1) what services they use and (2) what these services are going to do with their funds.

  • A transaction should include a description of the actions it is intended to trigger, and users must be able to verify the exact destination of the transaction.

3. Bored Ape Instagram hack

What happened?

On April 25 2022 a hacker compromised the official Bored Ape Yacht Club Instagram account and shared a malicious link to a web page. The web page promised users an airdrop of virtual land in the upcoming metaverse but instead asked them to sign a transfer of their funds.

As a result 91 NFTs valued at roughly $2,800,000 were drained from users.

What failed?

Social media management security model.

Possible causes

  • Human factor / internal privileges exploitation. Any person in charge of the official Instagram account could intentionally share a malicious link.

  • Human failure. A person in charge of the official Instagram account could unintentionally compromise the account.

  • Failure on Instagram's side. Human-factor errors apply to the Instagram platform as well.

Conclusions

  • As always, users could have avoided being scammed by not following the announcement and not handing their NFTs to the hackers.

  • Transaction info should have been verified prior to signing.

4. Bored Fred kidnapping

What happened?

The details of this incident are given in the note at the end of this article.

What failed?

  • This is a mistake on the user's side.

  • Ethereum account management mistake: Seth Green should have separated the "hot wallet" used to pay for interactions from the "storage wallet" that actually held his most valuable assets.
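The conclusion of section 2 (a transaction must carry a description of what it triggers and its exact destination) and the hot wallet / storage wallet point above are both illustrated by the following added example, which is not code from the Callisto article. It decodes the four standard ERC-721 calls from raw calldata into a plain description and flags a storage wallet that is asked to sign anything other than a transfer into its owner's hot wallet; the account roles and every address are inputs chosen by the caller (the sample values used with it are constructed, not real accounts).

```python
# Added example, not code from the Callisto article: a wallet-side pre-signing check
# that decodes ERC-721 calldata into a plain description with its destination and
# enforces the hot-wallet / storage-wallet split. Selectors are the standard ERC-721 ones.
SELECTORS = {  # 4-byte selector -> (function name, argument types)
    "a22cb465": ("setApprovalForAll", ("address", "bool")),
    "42842e0e": ("safeTransferFrom", ("address", "address", "uint256")),
    "23b872dd": ("transferFrom", ("address", "address", "uint256")),
    "095ea7b3": ("approve", ("address", "uint256")),
}

def decode_call(data):
    """(name, args) for known ERC-721 calldata; None if unknown or truncated."""
    data = data.lower().removeprefix("0x")
    if data[:8] not in SELECTORS:
        return None
    name, types = SELECTORS[data[:8]]
    words = [data[8 + 64 * i: 72 + 64 * i] for i in range(len(types))]
    if any(len(w) != 64 for w in words):
        return None  # truncated calldata: refuse to describe it
    args = [("0x" + w[-40:]) if t == "address" else
            (int(w, 16) != 0) if t == "bool" else int(w, 16)
            for t, w in zip(types, words)]
    return name, args

def describe(tx, roles):
    """tx: {"from","to","value"(wei),"data"}; roles: lowercase address -> "hot"/"storage".
    Returns the text a user should read before signing plus a list of warnings."""
    data, warnings = tx.get("data", "0x"), []
    call = decode_call(data)
    if call is None and data in ("0x", ""):
        text = f"send {tx['value'] / 10**18:g} ETH to {tx['to']}"
    elif call is None:
        text = f"unknown call to {tx['to']}: cannot be described, do not sign blindly"
        warnings.append("undecodable calldata")
    elif call[0] == "setApprovalForAll" and call[1][1]:
        text = f"let {call[1][0]} move EVERY token you own in {tx['to']}"
        warnings.append("collection-wide approval")
    elif call[0] == "setApprovalForAll":
        text = f"revoke the approval of {call[1][0]} for {tx['to']}"
    elif call[0] == "approve":
        text = f"let {call[1][0]} move token #{call[1][1]} of {tx['to']}"
    else:
        text = f"move token #{call[1][2]} of {tx['to']} from {call[1][0]} to {call[1][1]}"
        if call[1][1] not in roles:
            warnings.append("recipient is not one of your own wallets")
    # a storage wallet may only sign transfers into the owner's own hot wallet
    transfer = call is not None and call[0] in ("safeTransferFrom", "transferFrom")
    if roles.get(tx["from"].lower()) == "storage" and not (transfer and roles.get(call[1][1]) == "hot"):
        warnings.append("storage wallet used for something other than a transfer to your hot wallet")
    return {"description": text, "warnings": warnings}
```

A wallet or dApp front end would show `description` and refuse, or at least require explicit confirmation, whenever `warnings` is non-empty.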

General conclusions on NFT infrastructure security

  • It is evident that in most cases NFT hacks do not involve any exploits in the NFT smart contracts themselves. Unlike ERC20, which could potentially harm users on its own, the ERC721 standard is a step forward security-wise.

  • In most cases security issues appear on the side of third party services or user interfaces.

  • It is incredibly important to understand that nothing is perfectly secure. Official accounts are prone to hacks. Teams of people are prone to bribery, corruption and greed. Secure applications must be designed with this in mind, and communities must be informed that every interaction must be verified.

  • The main target for attackers is third-party service providers / infrastructure applications.

On the OpenSea phishing attack (section 2): on February 19 2022 a number of addresses transferred their ETH and NFTs to this address (now labeled as phishing by Etherscan). According to their feedback this was unintentional.

On the Bored Fred kidnapping (section 4): actor and producer Seth Green purchased the 'Bored Ape Yacht Club #8398' NFT, which granted him the rights to use the cartoonish character displayed on it. He called this character Fred Simian.

Unfortunately the Fred NFT was stolen from Seth Green, and with it the actor lost his intellectual property rights. The NFT was bought by the collector (DarkWing84) from the hacker. In order to reclaim the rights to use Fred, Seth Green purchased the NFT again for $300,000.

Seth Green lost control over 4 of his NFTs while trying to mint a new collection using a fake site.

Source: https://www.buzzfeednews.com/article/sarahemerson/seth-green-bored-ape-stolen-tv-show

Sources (Decrypt):

  • 300+ NFTs Stolen, $400K in Ethereum Taken In Premint Hack

  • $1.7 Million NFT Phishing Attack 'Did Not Originate' on OpenSea, Says CEO

  • Bored Ape Yacht Club Instagram Hacked, $2.8M in Ethereum NFTs Stolen

  • Seth Green Pays $300K to Recover His Stolen Bored Ape Ethereum NFT