Theft from Discord and Youtube tutorials, the blockchain scanner for NFTs and much more!

Sept 26, 2022
gm 👋

Thank you for being a part of the Cypherock family. Come rain, hail or storm, we are heads-down building the best possible product to keep your digital assets safe.

Over the next 8-10 minutes, we will be talking about hacks that caught our eye, DApps that we found interesting and our picks from Twitter and Reddit that we enjoyed.

If you loved the newsletter, message us! If you hated the newsletter, message us! We’re always looking for fresh perspectives on things to cover and feedback to make your experience better!

Have an awesome week ahead!

Team Cypherock

What we’re covering this week

  1. MEV bots and Discord: Two attack vectors to get rekt ☠️
  2. Etherscan, but for NFTs - NFT Scan 🎨
  3. Introduction to Zero Knowledge Proofs 🧠
  4. Discussion on the decentralization of Lido 🔒
  5. Updates from Team Cypherock 🔥

Security Digest

Fake MEV bots and Discord: The security nightmares of this week.

Two crypto scams are hot topics this week: fake MEV bots that are stealing money from investors, and scammers using Discord to gain access to your account and target the communities that you are a part of. So much is happening that we decided to combine both of these hot topics into a single security digest to keep you updated.

The MEV bot scam begins on Twitter: an influencer tweets, and a bot immediately posts a link as a reply in the hope that some poor soul will click it. The link comes with a piece of text that talks about how a particular trading strategy worked and how you can make money using the same strategy. Upon clicking the link, you are directed to an unlisted YouTube page that has instructions to deploy your own frontrunning MEV bot. A frontrunning MEV bot detects when someone is placing an order on Uniswap, buys the token that the individual is trying to buy before the trade is executed, and sells the token to the original buyer at a higher price. The tutorial goes on to explain how you can deploy the same bot, and provides code to deploy a smart contract and deposit ETH. That’s where the magic happens: the second you deposit your ETH and run the contract, your money disappears and probably ends up in some North Korean hacker’s wallet.

Now, let’s talk about how to get rekt with Discord. 0xFantasy’s thread discusses how a project will approach you for a collab, or to test a mint site. They may even share a link to a fairly legit-looking website. However, the link will contain random letters and tends to be exceptionally long. When you click the link and enter the website, a pop-up asks you to open a console tab and “eval” something. The image of the fake pop-up is attached below.

[Image: unexpected_error]

This “eval” statement then steals your Discord token. So, how does this happen? When you click the link, the Discord website is opened and embedded into the website as an invisible iframe. The pop-up takes up the entire screen, so it is the only thing that you can click on. The code that runs on the website is actually reading data from Discord and, in this case, reads your Discord credentials. Now the attacker has a way to use your credentials to target the NFT communities that you are a part of.

So, how do you protect yourself from these types of attacks?

  1. If you don’t understand what you’re doing, don’t do it. If you have never deployed a smart contract before, or are unsure of the source of any link, don’t do anything. If you do want to proceed, verify with technical sources that you trust.

  2. If you believe your account has been compromised, reset your password immediately. Resetting your password changes the identification token for the service that you are using, rendering previously stolen credentials useless.

  3. Constantly educate yourself. Web3 is at the bleeding edge of technology. Although there is a lot of good, there is an abnormally large amount of bad taking advantage of information asymmetry.

Dapp News

Map the NFT ecosystem with NFTScan

If you’re tired of looking through marketplaces for statistics on NFTs, boy do we have a solution for you. NFTScan feels a lot like Etherscan, or any traditional blockchain explorer. The only difference is that it is designed for NFTs. You can look through NFTs across 8 different chains, for example Ethereum, Solana, Polygon and BNB. NFTScan combines the best aspects of analytics across marketplaces: you can see the best-performing NFTs on a particular blockchain, and you can evaluate the best marketplaces as well.

Additionally, if you are interested in a particular NFT project, you can gain insights such as the average holding time of the NFT, the holder distribution (how many wallets own how many NFTs) and the overall marketplace distribution, which can help you understand buyer interest in that NFT. Overall, NFTScan is a must-use for anyone interested in NFTs.

Twitter Tales

Have you heard of Zero Knowledge Proofs? If not, don’t worry. We have you covered with a quick primer from @varunshenoy_. The thread explores everything from the history of ZKPs to how they can be used in our daily lives today.

Check out the thread here.

Reddit Reads

Currently, 29% of all ETH staked in the beacon chain is being staked through Lido Finance. Considering Lido is such a big player in the validator pool, u/MilesPower explored the question: how decentralized is Lido?

How decentralized is Lido? from r/CryptoCurrency

Updates from Cypherock

We are really excited to launch new features to Cypherock X1 customers. We will soon be releasing information regarding connectivity with the DApp ecosystem, on/off-ramp capabilities, UI overhauls and much more. Additionally, stay tuned for updates from our security update. Here’s a sneak peek quote from our auditors:

“The Cypherock X1 has some of the most innovative security measures we’ve seen in hardware wallets. It not only combines several paired and provisioned chips, but also incorporates encrypted NFC based JavaCards with a Shamir’s Split scheme to further protect user’s wallet seed”

Stay tuned for the full update!

Is Your Crypto Safe? Take the Cypherock Quiz and find out!

Will your crypto get hacked? Are you going to lose your crypto? Cypherock has come up with a detailed quiz that will help you understand the pros and cons of your security model. Upon completion, you will get a detailed analysis mailed to you. Take the quiz now!

Here’s some alpha 🚀

Security is our utmost concern. We want to keep your crypto safe and give you the best possible experience interacting with the web3 ecosystem. Because we like you, we want you to make money too!

Cypherock recently launched an affiliate program. You receive a unique code by either signing up on our website, or by purchasing a Cypherock X1. Through your code, your referrals receive 10% off on their purchase and you make $25 per sale!

Sign up to become a Cypherock Affiliate!

Have questions regarding our product, or the affiliate program? Our Growth Lead loves chatting with people, hit him up here.