
Social engineering scam that nearly cost me all of my ETH

434 points | floetic | 4 years ago | twitter.com

406 comments

[+] chrisco255|4 years ago|reply
This was a multi-week long social engineering scam targeted at Thomas. Thomas has a Discord for a drone transportation startup, and the scammers proceeded to embed themselves in the community and provide valuable labor such as web design and graphics design in order to earn his trust.

Thomas's wallet is public and advertised on Twitter via his ENS domain. He had $100M+ in aETH, a derivative token provided by Aave when you lend out your assets for interest. The aETH is redeemable for the underlying asset.

The scammers created a fake NFT project associated with space and drones, and proceeded to give Thomas a free one, but asked that he stake it (or deposit it into a smart contract), to earn yield in the form of Armstrong ETH, a token they made up that had the same acronym as Aave's (aETH).

The catch was that when he went to stake his NFT, they asked for an approval for spending aETH from his wallet. Approvals such as this are normal when interacting with smart contracts, since the contract has to be "delegated" responsibility over the tokens in order to move them. However, what wasn't normal is that the approval was actually for Aave ETH.

If he had only looked at the front end of the scam site, it wasn't obvious what was going on. However, a quick glance at Etherscan revealed that he had signed off on an unlimited spend approval for Aave ETH.

Luckily, he had done so on a fresh wallet and not his main wallet that has $100M in aETH. When the scammers tried to get him to stake a second NFT from his main account, he got suspicious and discovered the truth.

This scam was specifically targeted at Thomas, and orchestrated over multiple weeks, for the specific assets in his primary wallet.

A couple of takeaways:

- divide your assets across multiple wallets. New wallets are free. Don't put all your eggs in one basket.

- use a hardware wallet or an audited battle tested smart contract such as Gnosis Safe for storing significant sums of money.

- always verify your transactions

- avoid associating your public identity with your main wallet / vault address

- be careful, scammers are getting more creative and advanced in technique including standing up professional front end websites to give the appearance of legitimacy
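The "always verify your transactions" point above comes down to reading the calldata a wallet is asked to sign. The following is an added example, not code from the Twitter thread or from any project it mentions, of that check done programmatically: it decodes an ERC-20 `approve(address,uint256)` call, recovers the spender and amount, flags an unlimited allowance, and compares the token contract the call is sent to against the token the dApp's UI claims to be approving (in this story, Aave's aWETH versus the made-up "Armstrong ETH"). The selector `0x095ea7b3` is the standard ERC-20 one; every address and calldata value in the block is constructed.

```python
"""Decode an ERC-20 approve() call before signing it (added example).

Not code from the thread or from any project it mentions. It performs the
check the comment describes doing by hand on Etherscan: read the calldata,
recover spender and amount, and compare the token contract against the one
the dApp's UI claims to be using. Every address and calldata value below is
constructed for illustration.
"""

# Standard ERC-20 selector: first 4 bytes of keccak256("approve(address,uint256)").
APPROVE_SELECTOR = "095ea7b3"
UINT256_MAX = 2**256 - 1


def decode_approve(calldata_hex):
    """Return (spender, amount) for approve() calldata, or None if it is something else."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    # selector (4 bytes) + two 32-byte ABI words
    if len(data) != 8 + 64 + 64 or not data.startswith(APPROVE_SELECTOR):
        return None
    spender_word, amount_word = data[8:72], data[72:136]
    # An address occupies the low 20 bytes of its word; the high 12 bytes must be zero.
    if spender_word[:24] != "0" * 24:
        return None
    return "0x" + spender_word[24:], int(amount_word, 16)


def assess_approval(tx, expected_token, max_amount):
    """Return a list of findings for a pending approval; empty means nothing suspicious.

    tx:             {"to": token contract the call is sent to, "data": calldata hex}
    expected_token: the token contract the dApp's UI says it is approving
    max_amount:     the largest allowance (in base units) you are willing to grant
    """
    decoded = decode_approve(tx["data"])
    if decoded is None:
        return ["not an approve() call"]
    spender, amount = decoded
    findings = []
    if tx["to"].lower() != expected_token.lower():
        findings.append(f"approval is on token {tx['to']}, not the claimed {expected_token}")
    if amount == UINT256_MAX:
        findings.append(f"UNLIMITED allowance to {spender}")
    elif amount > max_amount:
        findings.append(f"allowance {amount} to {spender} exceeds your limit {max_amount}")
    return findings


# Constructed sample values (placeholders, not real contracts or addresses).
REAL_AAVE_TOKEN = "0x" + "a" * 40       # stands in for Aave's aWETH contract
FAKE_ARMSTRONG_TOKEN = "0x" + "b" * 40  # the token the scam UI claimed to use
SCAM_SPENDER = "0x" + "c" * 40          # the scam "staking" contract

# What the scam wallet prompt actually contained: unlimited approval on the real token.
SCAM_TX = {
    "to": REAL_AAVE_TOKEN,
    "data": "0x" + APPROVE_SELECTOR + "0" * 24 + "c" * 40 + "f" * 64,
}
# For contrast: a bounded approval of 1 token (10**18 base units) on the claimed token.
OK_TX = {
    "to": FAKE_ARMSTRONG_TOKEN,
    "data": "0x" + APPROVE_SELECTOR + "0" * 24 + "c" * 40 + format(10**18, "064x"),
}

if __name__ == "__main__":
    for name, tx in (("scam", SCAM_TX), ("ok", OK_TX)):
        print(name, assess_approval(tx, FAKE_ARMSTRONG_TOKEN, 10**18) or ["looks fine"])
```

In practice `tx["to"]` and `tx["data"]` are what the wallet's "show details" view or Etherscan's input-data decoder display; the point of the check is that the token contract and the amount live in those two fields, not in the dApp's front end.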

[+] dimgl|4 years ago|reply
I'm surprised anyone reading this story wouldn't conclude that the real takeaway is to just not engage with cryptocurrency at all. This ecosystem is so convoluted it just turns me off at every level.
[+] ricardobeat|4 years ago|reply
I’m curious, does anyone know Thomas, or how did they amass 100M in ETH? The websites provide absolutely no identity of anyone involved (as is very common for crypto). The Twitter account is 4 months old.

No mention of the person or the Arrow company on the internet previous to this episode seems to exist. Other than looking at the chain records, how should we believe that any of these stories are true?

[+] inopinatus|4 years ago|reply
There's a more general takeaway, and it's one every developer discovers for themselves, sooner or later:

- People don't read what's in front of them.

I've seen this emerge in a vast array of fields. No matter how much we highlight specific details, for all our efforts in red-flagging irreversible actions, folks will often blitz past a confirmation dialog, nag screen, or notification message, without internalising the details or the risks. For those in financial technology, as in this specific example, irreversible actions also extend the attack surface for fraud.

Even the brightest minds can be lazy (some might even say it's a feature, not a bug) and one should never rely upon the opposite. We consequently face a design choice, for all irreversible (or hard-to-reverse) actions, the most common options being:

a) allow a grace period;

b) redesign, if possible, to make it user-reversible;

c) build a forcing function for diligence[1]; or

d) expect support tickets about that feature.

The default is (d), and the helpdesk won't thank us, since the workload generally scales linearly with growth at a high opportunity cost.

[1] e.g. https://en.wikipedia.org/wiki/Two-man_rule

[+] MereInterest|4 years ago|reply
I like the takeaways, though I'd also add an additional one, that you should use systems that have reversible transactions. That way, when you fall victim to fraud, you can use the court system to recover your losses.
[+] mynameisash|4 years ago|reply
> when he went to stake his NFT, they asked for an approval for spending aETH from his wallet. Approvals such as this are normal when interacting with smart contracts, since the contract has to be "delegated" responsibility over the tokens in order to move them. However, what wasn't normal is that the approval was actually for Aave ETH.

I'm a reasonably technical dude (senior data engineer at GAMMA/FAANG/whatever we're deciding to use nowadays), yet I don't have a damn clue what this means. And that's not an indictment of your communication. How on earth could I expect my wife, my brother, my parents, my kids, any of my friends, etc., to understand this?

On the other hand, all these people understand the concepts of bank accounts, credit cards, fiat currency, etc.

I'm open to learning more and having my views changed, but I'm so far convinced that there's absolutely nothing about crypto that is a simple, reliable, demonstrably real solution to a problem that isn't already handled by our current financial instruments.

[+] sillysaurusx|4 years ago|reply
Does Thomas actually have $100M of assets in a single wallet? Or is it spread out over, say, ten wallets?

I’m interested to know whether the con artists could have realistically nabbed $100M, or if there was effectively never any chance of that due to other precautions. I would hope it’s the latter, but crypto’s strangeness stopped surprising me.

Fabulous comment, by the way. Easily one of the top ten in the last month. Thank you for the breakdown.

[+] dom96|4 years ago|reply
For somebody with $100M+ I find it strange how excited Thomas got about the prospect of some strangers setting up a meeting with some random founders. With that much money would it be that difficult for Thomas to set up a meeting with them on his own?
[+] secondcoming|4 years ago|reply
Incomprehensible gobbledygook.

But I'm not worth $100m so I guess the joke's on me.

[+] xwdv|4 years ago|reply
To be honest, if they got this close, it’s only a matter of time before they take it all. He should strongly consider cashing out and leaving only an amount he is willing to lose in ETH.

Hell, given my distaste for crypto, if I were more unethical I may even attempt such scams, but I’d balance it out by donating the stolen money to environmental initiatives to combat global warming (after giving myself some fair compensation, I don’t have the skills to get away with hiding $100+ million).

[+] djakaitis|4 years ago|reply
The real takeaway is that decentralized financial accounts are at extreme risk of deception with little reciprocity.
[+] zby|4 years ago|reply
"The catch was that when he went to stake his NFT, they asked for an approval for spending aETH from his wallet. Approvals such as this are normal when interacting with smart contracts, since the contract has to be "delegated" responsibility over the tokens in order to move them." - this is a bit surprising - I thought the way to let a contract move tokens was just to send them to it? Approving a contract to move everything from a wallet works like sending everything from the wallet to the contract - it omits the step where you choose the amount that you trust the contract with, why is this the 'normal' way?
[+] bryans|4 years ago|reply
> scammers are getting more creative and advanced in technique including standing up professional front end websites to give the appearance of legitimacy

It seems like this is becoming the minimum standard for scam operations. For example, there is currently a BTC phishing scam going around that tries to convince the user they've accidentally received an email meant for someone else, which just happens to include a link to a million dollars worth of BTC. The website looks legitimate, albeit amateurish, to the point that it could even be convincing to another web developer. The rest of it is much like the OP's scam.

It starts with an email from the hacked account of a real bank manager in an Italian town, and is addressed to a real self-proclaimed stock market "guru" from the UK, now living in the US. The email states that 19 BTC has been deposited into an account that was created for them on a site called Coinlux, and they provide the username and password for the account. The Coinlux name was even used by an actual company at one point, so searching for any of the names or details surrounding the scam generates very real and convincing results.

Upon visiting the page, you're presented with a moderately professional-ish looking site that asks which fiat currency you want to use and lets you login. You're then prompted to enter a phone number to "secure the account" which, surprisingly, initiates an actual phone call from a number in the UK using a Twilio-like service. After confirming the verification number, you're allowed to view the account, which has some realistic dummy transactions in the history and other features that make the site somewhat believable (it even has a fake chat system and working account recovery).

After initiating a withdrawal of any amount, it provides a warning that you should make a small test transaction first (of 0.0001/$4), to ensure that you're sending to the correct BTC address -- after all, you wouldn't want to send 19 BTC to the wrong place and lose it all. It takes much longer than a normal transaction (likely because the scammers are manually initiating them), but it does eventually go through, and they've now succeeded in convincing the user that there is real BTC in the account and you can actually withdraw it.

However, if you try to make a larger withdrawal (or a second one at all), you're now presented with an error stating that you're not withdrawing enough, because of a "minimum withdrawal amount" defined when the account was created. This minimum amount happens to be 19.01 BTC, or 0.01 more than is in the actual account currently. So you've successfully withdrawn ~$4, but you have to deposit ~$400 if you want to access the entire 19 BTC.

As if it weren't obvious enough at this point, checking the address[1] which sent the 0.0001 makes the entire scam plain as day. This means that anyone with any amount of tech knowledge is probably not susceptible to the scam, though I do think that certain personality types could get caught up in the excitement of potentially "stealing" a million dollars. On the other side, non-techies will likely fall for this in droves, and the transaction history on that address does show there have already been successful victims -- though this particular person's scam has been massively unsuccessful so far, and they may actually be in the red overall.

[1] https://www.blockchain.com/btc/address/bc1qt80xra3r2df8gvzr0...

[+] SZJX|4 years ago|reply
Thomas also mentioned in the thread that it seems "Space Falcon" is a real NFT project. The actual domain ends in .io though, and somehow the scammers managed to acquire the .com domain and I'd imagine they'd then only need to replicate the frontend UI instead of coming up with an all-new one. Still very sophisticated for sure.
[+] waffle_maniac|4 years ago|reply
I don’t see a bio on his website. Is he anonymous?
[+] betwixthewires|4 years ago|reply
I can get behind cryptocurrency and stuff, but the idea that anyone can write a contract that says "I get to do what I want with your money" and then build their own custom, one of a kind UI with no way to limit what the user thinks the button does for you to sign such a transaction, it's got to be the biggest, most massive security hole I've ever seen brushed off. You want me to put the title to my house on it? You want code to be law?

This shit isn't ready for the mainstream, and some of these architectural decisions are indicative of engineers who are in over their heads (but that's almost all code nowadays, even mine).

They build a mechanism that enables me, at the click of a button, to give away control of my fortune, and they designed the system so that anyone can design whatever interface they like to get you to sign any transaction they like. It's laughable. I'm in disbelief. And this is web3? No thanks, I think I'll stick with bitcoin or whatever, keep it simple. At least I can tell what a bitcoin transaction does without having to learn a programming language.

[+] PragmaticPulp|4 years ago|reply
> it's got to be the biggest, most massive security hole I've ever seen brushed off.

Well said. This goes hand-in-hand with the victim blaming that goes on in cryptocurrency circles. Any time a story like this appears, defenders come out of the woodwork to insist that it's the victim's fault for doing something or not doing something else. Even the linked Twitter thread is full of replies from people suggesting that the author was "asking for it".

Crypto seems to appeal to people who like to think that they are smarter than the average person and therefore will succeed by self-managing their finances right down to the private keys. Adding smart contracts to the mix basically opens up a can of worms that makes it unrealistic to actually control every detail of your money unless you strictly limit each contract to a separate wallet and only transfer funds into that wallet before activating the contract. That's honestly a good strategy if you're sitting on $100mm+ in cryptocurrency and the transaction fees are negligible (as was the case with the Twitter user). However, when transaction fees are $10/each or more, the average crypto user isn't actually doing anything of the sort. They're clicking the buttons and hoping for the best.

[+] dcolkitt|4 years ago|reply
This isn’t how it works. With ERC20 you “approve” tokens. That allows the specific contract you approve to spend up to a specific amount of tokens at that specific address. Things that a random smart contract cannot do:

1) Spend more tokens than the amount you approved.

2) Spend any other tokens besides the specific type that you approved. (E.g. can’t steal your NFT or USDC)

3) Spend tokens at any other wallet address even if you own those other addresses (and creating a new address for a specific purpose is trivially easy)

In addition the only approve() technology is already being replaced with the modern EIP-2612 standard. (USDC already implements it.) In this workflow instead of pre-approving a contract, you sign a specific transaction-specific message. With EIP-2612 you know exactly how much you’re spending on each transaction and there’s zero after the fact risk.
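To make the three limits in the comment above concrete, here is an added toy model (not the ERC-20 reference code and not anything from the thread) of balances, `approve()` and `transferFrom()`. It replays the story with constructed wallets: an unlimited approval signed from the fresh wallet lets the spender empty that wallet's balance of that one token, but not the main wallet's balance and not another token, while a bounded approval exposes only the approved amount. Token names, addresses and balances are constructed.

```python
"""Toy ERC-20 allowance model (added example, not production code).

Models only balances, approve() and transferFrom() so the scope of an
approval is visible: it binds one spender to one amount of one token held
at one owner address. Names, addresses and balances are constructed.
"""

UINT256_MAX = 2**256 - 1  # the "unlimited" allowance value dApps commonly request


class Token:
    """Minimal ERC-20-style ledger with the allowance mechanism."""

    def __init__(self, name, balances):
        self.name = name
        self.balances = dict(balances)
        self.allowance = {}  # (owner, spender) -> remaining allowance

    def approve(self, owner, spender, amount):
        """Owner lets spender move up to `amount` of this token out of owner's balance."""
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        """Spender moves `amount` from owner to `to`; fails outside the allowance."""
        allowed = self.allowance.get((owner, spender), 0)
        if amount > allowed:
            raise PermissionError(
                f"{spender}: allowance on {self.name} from {owner} is {allowed}, wanted {amount}")
        if amount > self.balances.get(owner, 0):
            raise ValueError("insufficient balance")
        # Convention: an unlimited allowance is not decremented, so it never runs out.
        if allowed != UINT256_MAX:
            self.allowance[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def attempt(token, spender, owner, to, amount):
    """Return True if the transferFrom succeeds, False if the allowance blocks it."""
    try:
        token.transfer_from(spender, owner, to, amount)
        return True
    except PermissionError:
        return False


def run_scenario():
    """Replay the thread's situation with constructed wallets; returns the outcomes."""
    MAIN, FRESH, SCAM = "0xMAIN", "0xFRESH", "0xSCAM-CONTRACT"
    aweth = Token("aWETH", {MAIN: 100_000, FRESH: 10})
    usdc = Token("USDC", {FRESH: 500})

    # The fresh wallet signs the unlimited approval the scam site asked for.
    aweth.approve(FRESH, SCAM, UINT256_MAX)
    results = {}
    # Unlimited allowance: the spender can empty that wallet's aWETH in one call...
    results["fresh_drained"] = attempt(aweth, SCAM, FRESH, SCAM, 10)
    results["fresh_balance_after"] = aweth.balances[FRESH]
    # ...but not the main wallet (limit 3), even though the same person owns it...
    results["main_drained"] = attempt(aweth, SCAM, MAIN, SCAM, 1)
    # ...and not a different token held by the approving wallet (limit 2).
    results["usdc_drained"] = attempt(usdc, SCAM, FRESH, SCAM, 1)

    # A bounded approval from MAIN: only the approved amount is exposed (limit 1).
    aweth.approve(MAIN, SCAM, 5)
    results["bounded_overspend"] = attempt(aweth, SCAM, MAIN, SCAM, 6)
    results["bounded_exact"] = attempt(aweth, SCAM, MAIN, SCAM, 5)
    results["bounded_again"] = attempt(aweth, SCAM, MAIN, SCAM, 1)
    results["main_balance_after"] = aweth.balances[MAIN]
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The model deliberately leaves out the EIP-2612 `permit()` flow the comment mentions; its effect on the ledger is the same `approve()` entry, only authorised by a signed message instead of a prior on-chain transaction.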

[+] unityByFreedom|4 years ago|reply
Haha, I was never on board with crypto and this is far worse. It's like fast tracking the usual crypto scam.

Also this guy seems rather green in terms of internet scams,

> Scammers are getting smarter. Before now, the best scam I've really encountered is basically "hi this is tech support please share your private key so we can help"

[+] orasis|4 years ago|reply
When it comes to code, we’re all in over our heads. I can reason about significantly more complexity than most developers I know and it’s still laughable how little complexity I can manage.
[+] DoctorOW|4 years ago|reply
When I heard about Ethereum this was my exact fear. Programmable money sounds like a terrible idea from the perspective of business owner. Does this mean I have to check every transaction I enter to run arbitrary code with full access to my wallet? That is of course assuming the code isn't able to break out of any other protections there might be and pay for the ETH I'm getting with my data.
[+] rkagerer|4 years ago|reply
Yeah. And to take it one level further, a language that lets you lock up / burn a coin in any fashion other than a very explicit Burn() command is equally reckless. The platform needs to provide guardrails for developers too.
[+] ikt|4 years ago|reply
Think of all the scams happening over TCP/IP every day! They built this thing where anyone can pretend to be a bank website? No checks or security? It's laughable. I'm in disbelief. And this is the web?
[+] kelp|4 years ago|reply
This was an absolutely fascinating and chilling story.

The thing that struck me about it is the scam didn't work for a few reasons:

1. He typically had a practice of not using his main wallet for things like this.

2. He got wary and actually read the smart contracts.

This is a level of technical competence required that's going to mean most people have to offload this to a trusted intermediary. And then what's the point of all the decentralization ideology? Because we just re-invented banks.

[+] charcircuit|4 years ago|reply
>And then what's the point of all the decentralization ideology? Because we just re-invented banks.

There's nothing wrong with centralized services built on a decentralized network. Take a look at the web. Sure you can use a centralized service like facebook to make a facebook page, but if you want you can host your own website.

[+] tylersmith|4 years ago|reply
The purpose of decentralization is solely censorship resistance. It has nothing to do with consumer protections, consumer education, or easier to check software.
[+] ttiurani|4 years ago|reply
"She tells me a bit about her metaverse project, Space Falcon. I'm not really sold on it, but I'm not really an NFT person so I didn't have any reason to think it was a bad idea either.[...] It seems kind of like a get-rich-quick scheme, but again, that's kind of how I see a lot of NFTs. With all that she's doing for Arrow, there's no harm in showing a little support."

The real takeaway from this is that it's dangerous to break your moral compass and sense of reality to the point where you think helping out people who are pushing an obviously fraudulent business, is ok and normal.

[+] zucker42|4 years ago|reply
Yeah it's pretty ironic that a "legitimate" NFT venture and a project invented solely for social engineering are indistinguishable even for someone who presumably knows a lot about the crypto space.
[+] Grustaf|4 years ago|reply
Sure, NFTs and crypto in general may be get rich schemes at the core, but a lot of people do believe in them, so a charitable view would be that HE saw it as a scheme, but he thought that perhaps SHE believed in it.

And FWIW I'm not sure "fraudulent" is the right word. NFTs are not a fraud, you usually get what you pay for, a mediocre jpeg, and perhaps a really primitive game.

And to be fair, what are the odds his VTOL company will ever produce anything either?

[+] grp000|4 years ago|reply
I don't see it that way at all. The NFT vector is arbitrary. The point was to drain his accounts and nothing more. If a less suspicious method was available, I'm sure the scammers would have taken that one.
[+] jozvolskyef|4 years ago|reply
That sounds a bit harsh. Did OP break their moral compass, or did they just give the wrong person the benefit of the doubt?
[+] herodotus|4 years ago|reply
So I don't know anything about crypto, but stories like this make me think that crypto can never become mainstream. I have been programming since 1970; I worked for major computer companies; I was a computer science professor; I have apps on the App Store. In spite of all of this, I have not the foggiest idea, even after reading the thread, how someone who offers to give me something can use the gift to steal from me. Surely this says that the world at least of ETH (whatever that is) is really really broken!
[+] randomhodler84|4 years ago|reply
Note: dude has $123M in aave wrapped ethereum that he almost granted a scammer access to.

Scammers ripping off scammers.

Why would you waste time with open source aircraft. Aircraft are a regulated thing. Nobody wants to fly in your science project. Put some of that 123 million into starting an actual company. DAOs are bullshit.

[+] tasha0663|4 years ago|reply
> a DAO working to build open-source VTOL aircraft and air taxi protocol

The most reasonable conclusion is that the hacker was sent from the future to try to avert the creation of DAO-controlled flying cryptodrones.

[+] ajross|4 years ago|reply
I still fail to understand how the smart contract metaphor of "here is some obfuscated code from a third party, please give it access to all your money, kthx" has managed to survive at all. I mean, really, no one saw this coming?

It's just the Trust Problem all over again. Decentralized reliance on automatic software still requires trust that the authors of the software won't scam you. It all comes down to trust. And I trust banks, mostly. Who in their right mind trusts contracts someone sends you on Discord? And yet...

[+] TigeriusKirk|4 years ago|reply
These scammers went to impressive lengths. They say that often the secret of a magic trick is to put in far more prep work than anyone thinks is reasonable. Con games work the same way. In this case, the effort is worth it since the target has something like $175 million in a wallet. The payoff is massive.

Worth noting, though, that for all the fancy footwork the point of failure for the scam is him being willing to work with his main wallet rather than a one-off, and when he showed hesitation, they got too impatient. Good security practices were still the answer.

[+] CommieBobDole|4 years ago|reply
A good rule of thumb is if somebody you've just met introduces you to someone with an exciting new NFT project that they want your help testing, you're probably being scammed.

While NFTs probably have some useful purpose that will emerge eventually, for now you should consider any proposal or offer that involves the term 'NFT' as having about the same value as any offer involving the term 'Nigerian prince'.

[+] cmckn|4 years ago|reply
> The aWETH that I approved was not Armstrong ETH, but rather Aave's aWETH. On my main address, almost all of my ETH is sitting in Aave...

Just one example, but this entire thread is Greek to me. What the hell is “staking an NFT”? I am feeling so left behind by this crypto nonsense. Is this what getting old is like? (I’m not yet old)

[+] dpeck|4 years ago|reply
Generalizing, anytime someone is giving you a “gift” but is putting expectations on how you receive it (in this case the wallet destination) that should be a huge red flag.

Whether that’s cryptocurrency or a sandwich.

[+] muh_gradle|4 years ago|reply
I don't understand why in the world Thomas wouldn't directly communicate via phone and video chat to any of these people first before doing serious business and potentially traveling across the country for random anonymous folks on Discord.

Social engineering is so much easier when you engage in faceless, voiceless communication. This could've been shut down so much more easily if they put a real human being to match the messages. When things actually matter, I need more than just a Discord avatar and a handle to identify someone.

[+] oefrha|4 years ago|reply
This highlights how scary it is to interface your savings with these “smart contracts”. Most people have no way to know what they’re actually going to do; the tiny slice of people capable of investigating can hardly remain vigilant at all times. Like, if you ask me to log into something with my bank account, all alarm bells would go off; if you ask me to stake this, approve that with my eth wallet, well, just another weird smart contract thing, right?
[+] vmception|4 years ago|reply
The other thing to understand is that legitimate interactions look just like this in the crypto space.
[+] randomhodler84|4 years ago|reply
Scammers ripping each other off on Discord. Today it’s apes, next week it will be houses. I can’t believe they can convince people to lend liquidity to bridges, myself.
[+] etamponi|4 years ago|reply
Someone else already commented on this, but doesn't _everybody_ just realize that this is way too complicated and error prone? Signing a token (whatever that means, I never saw so much nonsensical jargon in my life) gives a random person possible access over _all_ of your money??!! And this _by design_ can't be audited by a central authority that guarantees against scams.

If I had to read the source code of all my wire transfers, I'd probably just barter my services for some milk and bread, it definitely seems smarter.

[+] adam_arthur|4 years ago|reply
Imagine Bill Gates stored all his money in cash in a room in his house.

That's probably more secure than crypto, where click of a button can siphon it all away. At least with physical money you have to be able to carry it, and physically present to steal.

I'm sure there are strategies like using multiple wallets etc, but overall it will never be mainstream if you put the onus of security on the individual. Literally just typo-ing an address can disappear all of your money.

[+] ryan93|4 years ago|reply
His opensource VTOL project may be one the most delusional crypto projects out there.
[+] lifeisstillgood|4 years ago|reply
A couple of things shook me about this - firstly I guess is the amount that was up for stealing - 100M just "sitting there" seems crazy - how many other multi-multi millionaires have their wealth just sitting in one bank account?

Second, scam is the wrong word. A confidence scam originally meant the mark had to bring a suitcase of cash to give confidence to the scammers that he had the means to join their get-rich scheme - and of course he would walk away with a suitcase of old newspapers.

But this is almost a new kind of crime - he did not present or move his money, he did not give away any keys. It is the very mechanism of money transmission that is the issue.

SWIFT is rarely seen as part of crimes - but crypto is pointing towards a new world. Imagine "permissioned blockchains" ie Bank Of England coins, this would still be a real viable scam. Proving you did not mean for people to take your 100M and rapidly move it would be a slow process. Stop orders would be a commonplace activity, potentially holding up long chains of transactions.

Even without permission-less crypto the move to a digital native currency is a long process

[+] jazzyjackson|4 years ago|reply
> 100M just "sitting there" seems crazy

By virtue of converting the ETH to AAVE wrapped ETH, they're earning interest by loaning out the underlying ETH. Who is taking out loans and paying interest for ETH I have no idea.

Plus, even without the AAVE wETH, they expect ETHs value to accrue faster than any other asset, so there's no cost to letting the money just sit, as opposed to your USD in savings depreciating over time.