Tl;dr: Recently, PREMINT, an NFT platform used by artists and collectors, was hacked and some of its users lost their NFTs. The total loss is estimated to be in hundreds of thousands of USD. In this blog we briefly describe what happened, highlight some core security issues illuminated by this incident, and, most importantly, show how ZenGo’s ClearSign tech protects PREMINT’s users against such attacks.
What happened?
Attackers were able to abuse a vulnerability in PREMINT’s code (allegedly a software supply chain issue, but the exact technical nature of the vulnerability is immaterial) to inject malicious code into PREMINT’s dapp web interface. This malicious code suggested users sign a rogue transaction (“Set Approval For All”). For the users tricked into signing this message, the attackers gained control of all of their NFT assets in a specific NFT collection (e.g. all of their Bored Apes).
The PREMINT website as seen during the attack (source: Twitter.com/kbruh_eth)
Once the attackers gained access to such NFTs, they quickly sold them on NFT marketplaces. The received funds were laundered using mixing services, such as Tornado.cash.
During the attack, the PREMINT team communicated with their users over social media, reminding them that PREMINT will only ask for offline signatures required to verify a user’s identity, but never for an on-chain transaction.
PREMINT’s message to their users (source: https://twitter.com/PREMINT_NFT)
However, this kind of messaging on social media is of course very limited. Not all users will read this message, and also some of them will not get this distinction, or forget about it when actually presented with the rogue transaction.
PREMINT would have probably preferred to prevent such unintended transactions on their website. In security, this sort of procedure is called “hardening”. With hardening, you remove everything that is not actually used by your application, so it cannot be abused. Sadly, there is no current option for a website to specify which Web3 actions it supports or not, in order to harden it. Therefore, with no way to harden their website and enforce this policy. As a result, PREMINT had to resort to the aforementioned informational-only route.
🛡 ZenGo’s ClearSign to the rescue!
We recently launched our ZenGo ClearSign technology to protect users and their crypto assets in Web3. ClearSign is an advanced Web3 Firewall solution that includes various types of protections, to guard against different types of attacks.
ClearSign: An advanced Web3 Firewall solution
An important type of protection is the ability to harden an app’s web2 interface. ZenGo allows dapp owners to define what can be done in their apps and also what cannot be done. As a result, people using the ZenGo wallet can get assurance they are interacting with legitimate dapp functionality by following the ClearSign logo and explanations.
Additionally, ClearSign blocks all unintended messages from a dapp it is engaging with. This means that if a dapp attempts to initiate an illegitimate functionality, e.g. requesting to “approve all” on PREMINT, then the request will be BLOCKED entirely, and not show up to confirm at all!
ClearSign provides reassurance & clarity to users
Currently there is no standard way for dapps to inform wallets of such hardening information that specifies what is expected and not expected from the dapp. Therefore, for this ClearSign functionality, we need dapp cooperation to get the relevant information. (Other ClearSign features work automatically out of the box, without such integration.)
Once we were informed via social media of PREMINT’s hardening information, we have quickly applied it to immediately protect ZenGo users on PREMINT’s dapp. Users were protected immediately and no user interaction was required to download or apply anything on ZenGo wallet.
Watch ClearSign block the rogue “Approve All” request from PREMINT via ZenGo wallet
Recommendations
For users: Web3 attacks are very real. To protect against such attacks, use a wallet that takes security seriously and makes it its priority, like ZenGo. That’s why we added the ClearSign Web3 Firewall on top of our institutional grade MPC key management system, along with other security features. (read more here)
For dapp owners and developers: Your users are already better protected with ZenGo wallet and its ClearSign Firewall solution. Now we enable you to protect your users even better with hardening. Hardening (blocking functionality you do not use, as explained above) is a powerful security measure and ZenGo is the first wallet that allows you to apply it in Web3 context.
We would love to get your use-case and apply it in ZenGo to provide your dapp users with the best possible protection. Email us at [email protected].
