You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
@TheOnlyNom<br />
Rescuing a Lost Monke: Post-mortem on getting a wallet drained and losing my PFP.<br />
First off this thread is not a call for donations. I have funds to recover what is lost and while I appreciate<br />
the love, your money would be better served helping other people!<br />
Secondly: This thread is not a condemnation of any teams or parties involved. Shit happens, I signed<br />
a transaction, we’re dealing with the aftermath. Please read through this, and keep your pitchforks<br />
stowed. It’s tokens and Jpegs, we will make it work<br />
Third: System Specifications Hardware: Asus Laptop - 2020 era OS: Windows 10 Browser: Brave<br />
Extension: Phantom Security: Ledger Nano X - Updated July 2022 Wallet address: 4ZjYSCH3Sib9iMS-<br />
M3QN2sL2kwxNcXG2P4XCemSC2hsyb (Nom.sol) Assets compromised- Roughly 500 SOL - NFTs+Tokens<br />
Fourth: I am not naming the project that involved this, nor any suspected parties involved. The investigation<br />
and audit from the team that this seems to have occurred with is ongoing, and I’m not looking to<br />
jeopardize them and their work. I appreciate them for their response<br />
Main Security <strong>Issue</strong>s: Signing a simulated transaction - Didn't match final execution Staking multiple<br />
NFTs on a wallet with other valuables - Unnecessary Risk Comfort - The Main problem I have spent 4.5<br />
years without a major hack or loss. I got lazy and sloppy, That’s the issue<br />
I spent the day traveling to Solana to organize events. Got to my Hotel, connected through a VPN,<br />
caught up on messages, and went to perform a couple actions with my previously secured wallets.<br />
I attempted to sign a transaction which failed. I then signed a second transaction which included the<br />
method “signAllTransactions”, which you can read below https://docs.phantom.app/integrating/deeplinks-ios-and-android/provider-methods/signalltransactions…<br />
| In this signAll, included SetAuthority<br />
transactions for every account in my wallet<br />
For anyone unfamiliar, what this essentially does is transfer the ownership of a specific token or NFT<br />
from myself “4ZjY”, to a different wallet “Good” This doesn't move the NFT, but is like giving someone<br />
your car keys and registration.<br />
This instruction is explicitly warned about in Solana documentation, and is usually not present in staking<br />
platforms. It's potentially very harmful, especially when not understood by the end user. In this case, I<br />
made a mistake to sign this transaction.<br />
This transaction or series of transactions attempted this for every single NFT and token account inside<br />
of 4ZjY, causing some successful transactions, and some failures. Why failures? Some of these update<br />
calls were to staked NFT (in this case Famous Foxes)<br />
When the transaction attempted to update a staked NFT, it received a failure and moved onto the next<br />
Why did these transactions go through automatically and not require ledger approval? At this point I’m<br />
not sure.<br />
I noticed this shortly after other wallet activities, and looked into it. I contacted several developers and<br />
reached out directly to the team that I had staked with, assuming the most recent transactions would be<br />
80<br />
<strong>SHILL</strong> <strong>Issue</strong> #<strong>67</strong>