As new asset protocols and the NFT ecosystem develop rapidly, new ways of participating keep emerging, and protecting one's own crypto assets has become a fresh challenge for Web3 users. In the Twitter Space on new NFT assets co-hosted by NFTScan and Mint Blockchain, experts from across the industry, from imToken, OneKey, SlowMist Technology and NFTScan, were invited to discuss how to protect crypto assets effectively and to share practical experience and advice for the current climate.
Host: Yuri | NFTScan
Guests:
- Liz | SlowMist Team
- Mako | Market Researcher Lead of imToken
- Niq | Chief Content of OneKey
- Shier | Co-founder of NFTScan Labs
Yuri | host:
According to NFTScan's data, approximately 6 million new NFT assets are added on-chain every day, across 4000-6000 NFT asset contracts. With this large-scale growth of NFT assets, there have been phishing incidents lured through NFT metadata, especially on EVM networks and L2 networks such as BNB Chain, Polygon, and Base, leading to asset losses. Do our guests have any strategies for dealing with this, and any advice for dApp developers and Web3 users?
Niq | OneKey:
There are mainly two forms of NFT fraud on-chain. The first is mass-sending worthless NFTs to user wallets, with the aim of getting users to click on these NFTs on platforms like OpenSea, leading them to phishing websites that obtain the user's permission signatures. For example, scammers may send NFTs labeled as "locked" and guide users to visit specific websites to unlock them. Once the user signs, they have authorized their tokens. The other form works through a modified contract, known as "Sleep Minting" or fake minting, and mainly targets newcomers. The modification makes it appear in someone's wallet transaction history that they have minted an NFT, when in reality it is luring users to NFT websites containing phishing metadata.
Although some platforms like OpenSea can filter out most scams, some wallets may still display these activities. These scams are consistent in the metadata pattern of transaction records, and developers can easily identify and filter them out through dedicated APIs.
For ordinary users, maintaining basic security awareness is crucial. They should be cautious with seemingly attractive free airdrops or token links. Users should understand that not all mint actions are their own: many phishing NFTs are generated through fake mints, so users should stay vigilant and avoid falling into scam traps.
Mako | imToken:
Indeed, Niq has explained this issue very well. These scams, especially inducing users to go to third-party websites for Minting, are widespread. Although we and many wallets and security institutions have done a lot of publicity, these issues still frequently occur in the community. However, many users who have not personally experienced these issues may not pay special attention to security risks.
At imToken, we have cooperated with third-party APIs and established our own filtering rules, but we still receive feedback from users. While security measures are popularized, they are not foolproof, and it is necessary to share and exchange data about scams through community collaboration.
In addition, our market research shows that companies like SimpleHash provide scoring services for NFTs through similar whitelisting methods, although this may not fully comply with the spirit of blockchain. However, I believe that with the development of AI technology, the ability of AI to assist in identifying risks and providing security prompts is gradually improving. In the future, blockchain and AI technology may combine effectively to prevent scams in this area.
Shier | NFTScan Labs:
At NFTScan, we have implemented security strategies at the data source level, aiming to filter out junk and risky assets for downstream developers. We have opened API interfaces for B-end developers to allow them to proactively submit information about junk assets observed or received from C-end users. Upon receiving feedback, we conduct security audits and may mark and filter these assets to prevent them from flowing downstream.
We also regularly analyze the issuance and transaction patterns of on-chain assets, identify regularities, and use algorithms for secondary filtering. In addition, the NFTScan browser has added a user feedback entry, allowing users to submit risky or junk assets they have discovered, with the aim of outputting higher-quality assets or eliminating potential security risks through the joint efforts of B-end and C-end.
It is also necessary to remind C-end users that, because NFT assets are programmable, the information in the metadata may change at any time. Therefore, extra caution should be exercised when browsing images, videos, or audio involving suspicious links or documents. For advertisements claiming to give away large amounts of U, users should learn to block them out of habit, as they are very likely phishing. This is, in short, the series of strategies NFTScan has implemented across all on-chain NFT assets to resist lure-based phishing and mass-airdropped spam assets.
Liz | SlowMist:
We all know that Metadata refers to the specific information contained in NFTs, such as name, description, images, and animations, but this information varies due to the nature or creative attributes of NFTs. The flexibility of metadata also brings multiple risks:
Firstly, there is the risk of information misleading or tampering. If the metadata is arbitrarily set by the creator, buyers may suffer losses due to information misleading or tampering. Secondly, if the NFT's metadata is stored in off-chain servers, once the server shuts down or is attacked, the related metadata may be lost, thereby damaging the value of the NFT. Finally, the URI of images or animations may be used to collect users' basic privacy information, leading to privacy infringement.
In the face of these issues, I believe we can take the following measures:
Firstly, when purchasing NFTs, choose well-known, mainstream, and trustworthy platforms. Secondly, we need to enable various security measures, including two-factor authentication, email or phone verification, to increase the protection level of accounts. Although these security measures are important, they are not enough to fully guarantee security.
Therefore, we also need to develop the habit of regularly conducting security checks and system updates to ensure long-term security. Avoid clicking on links of unknown origin, especially those that may request sensitive information.
Yuri | host:
In the past year, many new crypto asset protocol standards have emerged in the industry, bringing many hotspots and new ways of issuing assets, including Inscriptions, BRC20, ERC404, Memecoins, Restaking, and airdrops. Do you have any advice for ordinary Web3 users taking part? How can they guard against these security issues?
Niq | OneKey:
Some security issues related to Restaking were just mentioned, especially cases of large-scale asset theft. According to the Scam Sniffer report, there have been frequent theft cases involving staked tokens, including several with an average transaction amount of two million US dollars. These cases usually involve stolen permit signatures and high-risk interactions with contracts or networks that users are unfamiliar with.
In addition, some tools on the market that claim to be able to detect and claim airdrops with one click actually increase the risk of using addresses with large amounts of funds. Therefore, it is important to transfer assets to a secure location before engaging in high-risk transactions and thoroughly revoke all authorizations after the transaction to ensure that all risks have been properly handled. In short, when interacting with unfamiliar tools or projects, it is crucial to take appropriate preventive measures to reduce the risk exposure.
Mako | imToken:
Recently, the topic of not bailing each other out has received special attention, especially in projects like Inscriptions and Solana. When participating in these projects, I usually choose to use a new wallet, and for small projects, I usually do not use a hardware wallet.
However, when dealing with large assets, I choose to use a hardware wallet for activities such as staking. For released MemeCoins, I tend to use small wallets for operations. The main channel for obtaining information is through social media such as Twitter, but it is necessary to be wary of fake accounts, which can easily deceive people.
From experience, one method to judge the credibility of a tweet is to see if people I know are following that account. Regarding revoking authorization, I found that it is cost-effective to directly change the address on Ethereum. Additionally, when participating in MemeCoin or other popular projects, it is important to assess one's capabilities and recognize that market fluctuations are normal, and to take timely profits.
Liz | SlowMist:
Recently, we have received many reports of users' wallet private keys being stolen, once again highlighting the importance of wallet security. As the saying goes, "If it's not your private key, don't disclose it," this is a well-known security principle.
For example, many theft cases occur because users store their private keys or mnemonic phrases in insecure places, such as desktop documents, spreadsheets, or WeChat collections. In addition, some users fail to switch to the correct network when using applications, resulting in assets being mistakenly transferred to other chains. If the wallet or platform does not support the new protocol, assets can easily be lost.
Therefore, before participating in any project, it is important to carefully read the whitepaper, research the project background, and choose projects or platforms that have undergone security audits as much as possible to avoid blind following and resulting losses. While automated tools are convenient, it is crucial to ensure that they are operated correctly to prevent serious consequences from accidental operations.
Shier | NFTScan Labs:
Indeed, for investing or participating in smaller crypto projects, using a dedicated wallet is a very direct and secure approach, especially when the wallet does not need to hold a large amount of funds. Additionally, when browsing official Twitter accounts of large projects, especially those with expected airdrops that have not been issued yet, we at Mint take a preventive measure. For example, at the end of a Twitter event, we will post an image clearly stating that it is the last tweet in the series to prevent phishing scams.
To summarize the points made by the previous three speakers:
- Preventing phishing websites: Be especially careful not to land on phishing websites. Ensure that project information is obtained through official social media or websites, and only enter the official website after confirmation, to reduce the risk of phishing.
- Wallet connection authorization: When signing, carefully review the signature information to make sure you understand its purpose. This step is crucial and can prevent asset losses from unintended signatures.
- Asset security: Especially when participating in new protocols, pay attention to safeguarding assets. It is best to isolate assets and minimize operations on major holdings to reduce risk.
- Private key management: Serious study and research are required for private key management. Using a hardware wallet is a good choice, such as professional hardware wallets like OneKey and imToken. Also, ensuring that the connected network and wallet are trustworthy is crucial.
Yuri | host:
The last question is: in the dark forest of blockchain, how can we effectively protect the security of crypto assets? Could our guests share some lessons and experiences that were learned the hard way?
Shier | NFTScan Labs:
Recently, we encountered a situation where someone impersonated an investment institution and sent us a private message on Twitter, providing a Zoom meeting link. This link required us to authorize using our official social media account. Initially, it seemed unusual, but considering that it might be to confirm our identity, we decided to authorize it. Unfortunately, it was a phishing link, and the attacker used this method to launch an attack in the middle of the night and gain editing permissions for our official account. Our community responded quickly, and we revoked all Twitter authorizations, gaining control of the situation in a timely manner.
Another case occurred during a wave of decentralized liquidity mining frenzy, where a friend accidentally exposed their private key while open-sourcing a script, resulting in the loss of hundreds of thousands of dollars in assets.
These cases emphasize that security incidents can often be prevented, but they often occur due to a lack of vigilance and security awareness. They remind us that we must maintain a high level of vigilance and take strict security measures when making any investments or operations.
Niq | OneKey:
When discussing the "dark forest," it is necessary to mention the recent release by SlowMist of the "Dark Forest Self-Rescue Handbook" v1.2, which proposes the two security principles of zero trust and continuous verification, which are very insightful.
An example I encountered is about an airdrop persona. The team released a tutorial to gain trust and suddenly launched a tutorial with a malicious link, resulting in many people having their private keys stolen. This is not only a technical attack but also exploits interpersonal trust in social engineering. Information exchange and interaction between individuals are crucial.
Therefore, implementing zero trust and continuous verification is crucial. Additionally, avoid operating when in a poor mental state, manage your risk exposure, regularly check the number of tokens authorized to contracts, and ensure that the tokens you hold are not in an unstable project. These strategies are key to addressing risks in the dark forest.
Mako | imToken:
Over time, wallet user education has significantly improved, and users without backup habits have greatly decreased. However, there are still occasionally alarming examples, such as a user's backup being discovered and misused by a family member, indicating a lack of awareness of asset security. Even within the family, certain security measures must be maintained.
A common issue is users downloading fake wallets through search engines, such as a user mistakenly downloading a fake "imToken" app and losing about $150,000. I have also seen people sharing mnemonic phrases on Xiaohongshu, usually out of greed. I tried importing such a mnemonic phrase into an empty wallet and found $100, which was quickly transferred away by an automated script, a typical phishing behavior. Additionally, we discussed custom RPC issues with SlowMist, where many people are asked by scammers to configure a specific RPC when trying to claim airdrops, which is used to steal assets.
These examples emphasize that one should not be greedy or think they are clever. We continue to educate users, but many may only pay attention after an incident occurs.
Liz | SlowMist:
I would like to share some information about phishing events. Based on the stolen information submitted by victims that we receive every day, phishing activities are gradually increasing each month and account for a significant proportion of the reasons for theft.
Blind signature phishing is currently one of the most common types of phishing, using the eth_sign signature method as an example. This is an open signature method that allows signing of any hash for transactions or data signatures. This is difficult for non-technical users to understand and poses a phishing risk. Fortunately, many wallets have begun to provide security prompts to reduce asset losses.
In preventing phishing, users should verify the project's official website before interacting and be vigilant against any malicious signature requests. It is important not to disclose mnemonic phrases or private keys anywhere. Before participating in a project, consider whether the project is anonymous, the team is reputable, the code has undergone security audits, and its quality. Users should prioritize participating in well-known Web3 projects that have undergone multiple security audits, and also pay attention to whether these audits are continuously updated to address new security challenges.
Finally, I would like to remind everyone that our "Blockchain Dark Forest Self-Rescue Handbook" is a valuable resource. I recommend reading it regularly, especially for those who may relax their vigilance due to familiarity. Even if the content may seem basic, reading it regularly can help us avoid common pitfalls.
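The blind-signing and permit risks raised above, worked as an added example that is not code from the panel or from any of the wallets named: a wallet-side triage of JSON-RPC signing requests, with the request shapes, risk labels and sample addresses all assumed or constructed here.

```javascript
// Added example, not code from the panel or from any of the wallets named above: a
// wallet-side triage of JSON-RPC signing requests. eth_sign hands the user only a
// 32-byte hash (blind signing); personal_sign carries readable text; EIP-712 Permit
// requests are checked for an unlimited allowance or a deadline far in the future.

const MAX_UINT256 = (1n << 256n) - 1n;
const ONE_YEAR = 365 * 86400;

function hexToUtf8(hex) {
  return Buffer.from(hex.replace(/^0x/, ""), "hex").toString("utf8");
}

// req is { method, params } as a dApp sends it; nowSeconds is the current unix time.
function triageSignRequest(req, nowSeconds) {
  switch (req.method) {
    case "eth_sign": {
      // params = [address, data]; a bare hash could commit to anything at all.
      const blind = /^0x[0-9a-fA-F]{64}$/.test(req.params[1]);
      return { risk: "high", flags: [blind ? "raw 32-byte hash, blind signing" : "opaque data"] };
    }
    case "personal_sign":
      // params = [data, address]; the wallet can display the decoded message.
      return { risk: "low", flags: [], preview: hexToUtf8(req.params[0]) };
    case "eth_signTypedData_v4": {
      // params = [address, typedDataJson]
      const typed = JSON.parse(req.params[1]);
      if (typed.primaryType !== "Permit") return { risk: "medium", flags: [typed.primaryType] };
      const flags = [];
      if (BigInt(typed.message.value) === MAX_UINT256) flags.push("unlimited allowance");
      if (Number(typed.message.deadline) - nowSeconds > ONE_YEAR) flags.push("deadline over a year away");
      return { risk: flags.length ? "high" : "medium", flags, spender: typed.message.spender };
    }
    default:
      return { risk: "unknown", flags: ["unrecognised method " + req.method] };
  }
}

// Constructed sample (placeholder addresses): a Permit with unlimited value and a ten-year deadline.
const SAMPLE_PERMIT = {
  method: "eth_signTypedData_v4",
  params: ["0x0000000000000000000000000000000000000001", JSON.stringify({
    primaryType: "Permit",
    domain: { name: "Token", version: "1", chainId: 1, verifyingContract: "0x00000000000000000000000000000000000000aa" },
    message: { owner: "0x0000000000000000000000000000000000000001", spender: "0x00000000000000000000000000000000000000bb",
               value: MAX_UINT256.toString(), nonce: 0, deadline: 1700000000 + 10 * ONE_YEAR },
  })],
};

console.log(triageSignRequest(SAMPLE_PERMIT, 1700000000));
```

The same triage can be extended to eth_signTypedData_v3 and to other allowance-style primary types once their field names are known.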
Disclaimer: This article represents only the personal views of the author and not the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page infringes rights, please send the relevant proof of rights and proof of identity to support@aicoin.com, and the platform's staff will investigate.