Buidler DAO: How to save an NFT from hackers after a stolen wallet?

23-01-17 13:43
Original title: "Buidler DAO article: How to rescue NFTs from hackers after your wallet is stolen?"
Original source: Buidler DAO


As the Federal Reserve keeps raising interest rates and shrinking its balance sheet, liquidity in the crypto market keeps draining away, and market activity has sunk into a bear market. As the only "liquidity" left in the market, we "leeks" (retail investors) have become the target of scammers. The crypto world is a dark forest: while crypto gives you real ownership of your property, it also means that once that property is lost or the private key leaks, there is almost no legal route or technical method to recover it.


Why write this article?


Because Spinach, the author, had his wallet stolen and his assets nearly wiped out. Ironically, as an old "chive" who has written popular-science articles about wallet safety, he got caught himself.


Although he lost a wallet and the assets in it that had accompanied him for a long time, Spinach really felt the warmth of the community after this incident and received care and help from many "family members". With the help of a friend in the community he even rescued nearly 30 surviving NFTs (not the stolen ones) from the hands of the hacker. The lost assets cannot be recovered, but this "Spinach wallet theft incident" holds many lessons worth sharing. Hopefully this article can serve the industry as a case study, sound the alarm for other victims and fellow travellers, and prevent the "tragedy" from happening again.


A quick look at the article:

01/ How was my wallet stolen?


02/ How did the hacker get my private key?


03/ How did I save NFT from hackers?


04/ How to achieve the same block to complete all operations?


05/ What is MEV? How does MEV affect Ethereum?


06/ Closing thoughts


How was my wallet stolen?  


One day someone sent me a direct message on Twitter. At first I was not alarmed, because the scammer's Twitter account looked like a normal user. It began with some small talk; then he asked whether I would be willing to produce content for the project cheelee and be paid for it, and asked for some of my work for verification. So I gave him my Telegram, and on Telegram he sent me some details about how the content should be produced, together with two files. After downloading and clicking the file nothing happened, and I realised something was wrong, so I opened MetaMask (the "little fox") to check. As expected, the wallet had been stolen: all the assets were gone, and the NFTs had been sold straight into offers and the ETH transferred out. (All I can say is that Spinach got careless wanting to earn some side income; the moment a stranger sends you files on Telegram you should be on guard.)



How did the hacker get my private key?




My private key is encrypted inside MetaMask, the "little fox" extension in Chrome. So how did the hacker get it? It all starts with Chrome. Can you imagine? Chrome, which holds 66% of the global market, has a huge security flaw. What is this flaw? If you open the Default folder of your Chrome browser, shown in the image below, you will find a file called Login Data, which stores every password you have saved in Chrome. If you try to open it directly it is unreadable, a jumble of code, because the file is encrypted with the AES algorithm, and a brute-force attack would take forever. So the passwords you save in Chrome are pretty secure. Where is the problem, then?





If you go one level up the directory tree, into User Data, you will find a file called Local State. Open it and search for "encrypted": behind it is a string of key material. What is that key? It is the very key that decrypts the AES-encrypted Login Data, the one that would otherwise take hundreds of years to brute-force! This is fucking crazy: the door is left wide open! What is this equivalent to?


It is like building an unbreakable safe out of the strongest material in the world and then leaving the key next to the safe, so the thief walks in and opens it with the key! Moreover, the key string is generated by the Windows system's own password-protection tool, which binds it only to the ID of the computer that generated it; in other words, encryption and decryption can only be carried out on that same computer. Chrome stores this decryption key string locally in plain text, so a hacker who decrypts the key string gets all my passwords.




MetaMask's password is not stored in Chrome's password file, so why was my private key compromised? Because my MetaMask used the same password as my usual password. Within minutes the hacker had my usual password, unlocked MetaMask, and my private key was exposed. Not only that: every account saved in Chrome was compromised, and even my Twitter and Google accounts were frozen.


How did I save NFT from hackers?    


After the wallet was stolen, the hacker accepted every standing offer on OpenSea, selling all the NFTs that had offers, and moved all the money out. Fortunately, a few NFTs survived: apart from the ENS and some NFTs that had no offers, one DeBox snake that I had minted did not sell, probably because of some bug in OpenSea. That NFT had been transferred in from a whitelisted address I used for the mint, and for some reason it was not displayed, which is what saved it. But when I tried to transfer gas into the wallet, I found the wallet was being watched by a "sweeper", also known as a "gas-snatching bot". The gas I transferred in was siphoned away in an instant!


What is a gas-snatching bot? Once you transfer gas into the wallet, the bot detects it and transfers the gas out immediately. Bots like this are usually active on wallets whose private key has been compromised. The same kind of bot is also used in a "leaked private key" scam: the scammer deliberately discloses the private key of a wallet holding some U (USDT), but the U is locked by a contract and cannot be moved. What the scammer is really after is the gas you send into the wallet when you try to withdraw it. The picture below shows one such case (on the Tron chain). If you are interested you can take a look, but do not send any gas into it.




With my wallet targeted by the gas-snatching bot, I could not transfer the surviving NFTs, because any gas I sent in to pay for the transfer was taken before I could use it. Did this mean my NFTs would be trapped in the wallet forever? In the midst of this crisis the power of the community came to the fore: a member of the Buidler DAO community stepped up and helped me get the surviving NFTs back from the gas bot!


There is true love in the world!


So how did this guy do it?


First let's see how fast I would have had to be to transfer my NFT manually ahead of the gas-snatching bot. In the blockchain explorer you can see that I sent in the gas fee at block height 16387987, and the bot transferred all of the gas away three blocks later, at block height 16387990. Under the proof-of-stake mechanism adopted after the Ethereum merge, the block time is fixed at 12 seconds per block. Does this mean I could beat the bot by acting within the first two blocks (24 seconds)? That would be naive; if it were that slow, it would be embarrassing to call it a bot.




In Ethereum, how quickly a transaction is processed depends on how much you pay for gas: if you want the transaction processed faster, you have to pay more. The average gas price changes with transaction demand on Ethereum. At a normal gas price it takes about 30 seconds to process a transaction, which means that to rescue the NFT before the bot takes the gas I would have had to finish my operation within 36-30=6 seconds, which is almost impossible. Even if I transferred the NFT the moment I saw the gas arrive, MetaMask takes almost 6 seconds just to pop up its interface. So how could I transfer the NFT before the bot transferred the gas?




The answer is to transfer gas into the wallet and transfer the NFT out of it in the same block, so that the bot has no chance to take the gas. The bot works by constantly monitoring the chain to check whether gas has been transferred into the wallet. If all the operations are completed within a single block, then by the time the bot sees that block I have already moved the NFT away, and no extra gas is left for the bot to take.


How to achieve the same block to complete all operations?    


This requires Flashbots' searcher-sponsored tx feature, which exists mainly for exactly this situation: wallets whose private key has leaked and which are being watched by bots.


Technically minded readers can check it out directly on GitHub: https://github.com/flashbots/searcher-sponsored-tx


This Flashbots feature lets one wallet transfer gas to another wallet while that wallet's transaction executes alongside it, that is, all operations complete in the same block. In the blockchain explorer you can see that both the gas transfer and the contract call were completed in block 16388251.
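To make the same-block principle concrete, here is an added example (my own illustration, not code from the flashbots/searcher-sponsored-tx repository) that builds the two transactions of such a rescue bundle, the sponsor's gas transfer and the compromised wallet's ERC-721 transferFrom, and works out how much funding the sponsor must send and how much dust, if any, is left for the sweeper. Every address, token id and fee value used with it is a constructed placeholder; signing and relay submission are left to the repository linked above.

```javascript
// Added example, not code from flashbots/searcher-sponsored-tx: it builds the
// two transactions of a same-block rescue bundle and checks the funding maths.
// Every address, token id and fee value used with it is a constructed placeholder.

// First 4 bytes of keccak256("transferFrom(address,address,uint256)"): the ERC-721
// call the compromised wallet makes to move the NFT out.
const TRANSFER_FROM_SELECTOR = "23b872dd";

// Left-pad a hex address or number to one 32-byte ABI word.
function word(hex) {
  return hex.replace(/^0x/, "").toLowerCase().padStart(64, "0");
}

// ABI-encode transferFrom(from, to, tokenId) for the rescue call.
function encodeTransferFrom(from, to, tokenId) {
  return "0x" + TRANSFER_FROM_SELECTOR + word(from) + word(to) + word(BigInt(tokenId).toString(16));
}

function bigMin(a, b) { return a < b ? a : b; }

// Build the bundle: txs[0] sends the compromised wallet exactly the gas budget that
// txs[1] may spend, and txs[1] spends it on the NFT transfer. Flashbots lands both
// in the target block in this order or not at all, so the chain never shows a
// funded, idle wallet for the sweeper bot to drain.
function buildRescueBundle(p) {
  const gasLimit = BigInt(p.gasLimit);
  const maxFeePerGas = BigInt(p.maxFeePerGas);
  const priority = BigInt(p.priorityFee);
  const fundingWei = gasLimit * maxFeePerGas; // worst case the rescue tx can burn
  const fundingTx = {
    from: p.sponsor, to: p.compromised, value: fundingWei, gasLimit: 21000n,
    maxFeePerGas, maxPriorityFeePerGas: priority, data: "0x",
  };
  const rescueTx = {
    from: p.compromised, to: p.nftContract, value: 0n, gasLimit,
    maxFeePerGas, maxPriorityFeePerGas: priority,
    data: encodeTransferFrom(p.compromised, p.safe, p.tokenId),
  };
  return { targetBlock: p.targetBlock, txs: [fundingTx, rescueTx] };
}

// Caveat: EIP-1559 charges min(maxFeePerGas, baseFee + priorityFee) per unit of gas
// actually used, so any overshoot in the funding stays in the compromised wallet as
// dust that the sweeper takes in a later block. Returns that leftover in wei.
function leftoverForSweeper(bundle, gasUsed, baseFeeWei) {
  const [fundingTx, rescueTx] = bundle.txs;
  const effective = bigMin(rescueTx.maxFeePerGas, BigInt(baseFeeWei) + rescueTx.maxPriorityFeePerGas);
  return fundingTx.value - BigInt(gasUsed) * effective;
}
```

The leftover is only gas dust, but it is exactly what the bot will collect afterwards, so funding tightly (a realistic gas limit and fee cap) keeps the sponsor's loss small.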




What is Flashbots, by the way? Flashbots is a group of blockchain-focused researchers, Buidlers and white hats working to mitigate the negative externalities of maximal extractable value (MEV) on stateful blockchains such as Ethereum.


What is MEV? How does MEV affect Ethereum?


Maximal extractable value (MEV) is the maximum value that can be extracted from block production, over and above the standard block reward and gas fees, by including, excluding and reordering the transactions within a block. How should you understand that? First, after a transaction is initiated on Ethereum it is placed in the mempool (the pool of transactions waiting to be executed) to be packaged by miners. The miner can see every transaction in the mempool, and the miner's power is very large: the miner controls which transactions are included, which are excluded, and in what order. If someone profits by paying more gas to "bribe" the miner into adjusting the order of transactions in that pool, that profit is MEV.


You may wonder how anyone can profit simply by changing the order of trades.


One MEV technique is called a "sandwich attack". This MEV is extracted by monitoring large DEX transactions on the chain. Say someone wants to buy $1 million worth of an altcoin on Uniswap. That trade will push the altcoin's price up considerably, and a monitoring bot can spot the transaction as soon as it lands in the mempool. The bot then pays the miner packaging the block to place its own purchase of the altcoin immediately before the large trade, and a sale immediately after it, so the large trade is sandwiched between the two. In this way the attacker buys before the price rises and sells after it, profiting from the price move the large trade causes, while the large trader gets a worse price and loses money.


Other ways of extracting MEV include DEX arbitrage, liquidation bots and so on. MEV has also had negative effects on Ethereum: losses and a worse user experience caused by sandwich attacks, network congestion and high gas fees caused by front-runners competing with each other, and, to some extent, even a threat to the integrity of the blockchain. As of January 2023, MEV has generated $680 million in profits.


Data source: https://explore.flashbots.net/


The appearance of Flashbots illuminated the dark forest of MEV. Flashbots has done a lot of research on MEV and developed products that reduce its negative impact on Ethereum to a certain extent. Flashbots cannot solve the problems MEV brings on its own, but in Ethereum's new sharding scheme, Danksharding, Ethereum proposes a new mechanism to address the MEV problem (a preview of what I'll be writing about in my next post). If you are interested in Flashbots and MEV, check out the following links.


Ethereum official introduction to the MEV

https://ethereum.org/zh/developers/docs/mev/#mev-extraction-flashbots


The official website of Flashbots

https://www.flashbots.net/


Closing thoughts


Seeing all my crypto assets and my favourite NFTs gone after the wallet was stolen hurt a lot; my beloved DeBox "family" NFT is gone. I would like to thank my friends in the community for standing by me and giving me advice. After the surviving NFT was rescued, the DeBox project team even airdropped an NFT to Spinach as consolation. DeBox is really a warm team; a big shout-out to them.





Wallet security is nothing to be careless about, and I never thought I would be one of those people. As this article went to press, I saw that the KOL NFT God had also had his wallet hacked and lost all his assets, and all his social accounts had been taken over and used to send fraudulent messages. The cause was fake software downloaded from a Google Ads link, similar to the fake TP wallet scam. So: never download anything from someone you don't know, and whenever you download software, check that it is the official version.


In addition, crypto assets should not be kept in a hot wallet; assets in a cold wallet are by far the safest. Also, do not reuse your usual password for MetaMask, because the MetaMask extension in Chrome is not absolutely safe. Everyone must learn the basics of wallet security.

