Blur Scam: Watch Your Signature Or Lose 5 ETH!

    Are NFT scams dead and gone? Never. The entire NFT space could turn to ashes and you’d still see scams crawling from the burnt ground. To be fair, hacks and theft are everywhere, not just in web3. But lately, it seems like all we hear about is people losing money. In hopes of fighting that, we want to ensure you’re always in the loop on how the creeps conduct their shady business. When you’re aware, you can protect yourself. Here, we’re covering a Blur scam currently in use, based on Pocket Universe’s thread.

    What’s the Blur Scam About?

    If you want to use most NFT marketplaces, you must connect a wallet such as MetaMask. Then, if there’s anything else you want to do, you have to sign to authorize the transaction. For example, in order to list or trade your NFTs, you need to digitally sign a message.

    Why Do We Sign After Connecting Our Wallets?

    If I’m connecting my wallet, why do I have to sign? Basically, connecting your wallet is like entering your phone number into a website. The thing is, you can simply put in anyone’s number. This is why websites usually send you a text message to verify that the phone number is actually yours.

    It’s the same thing with wallets and signing. You connect your wallet. Then, you sign the message to verify that the public address is connected to the private key. In other words, signing verifies that you are the owner of this wallet.

    It is supposed to be a safety measure. So, how is it involved in the Blur scam?

    Blur Scam Consists of Faking The Signature

    Signing definitely is yet another step to ensure you’re the owner of the wallet. But the thing is, with your signature you can also agree to give access to your wallet. That’s when the Blur scam comes into play.

    The drainer website makes you sign a listing that sells your NFTs for 0 ETH in return. So, you’d be agreeing to sell all your NFTs for free with just one signature.

    [Image: Blur scam sign your wallet]

    Why is it on Blur specifically? Because Blur uses hashed messages, the signature request you get from Blur for bulk listing is unreadable. You have no idea what you’re signing. You’re on Blur so you assume it’s safe. But, nothing is ever safe here.

    [Image: Unreadable signature message]

    Pocket Universe Saving You From The Blur Scam

    Pocket Universe posted a thread on Twitter to raise awareness about this Blur scam. Furthermore, it updated its extension to provide extra security for its users.

    What’s Pocket Universe?

    Pocket Universe is a free browser extension aiming to keep your assets safe when you sign web3 transactions. A lot can go wrong when you’re connecting your wallet to a site, or when signing. Therefore, PU steps in to give you that extra blanket of protection. 

    Here are some examples of scams they detect:

    • Faulty Seaport transactions (saves you from signing to sell your NFTs for free)
    • Honeypot NFTs (keeps you from buying NFTs or tokens you can’t sell)
    • Counterfeit tokens (makes sure you’re receiving NFTs and tokens from legit websites and transactions)
    • Blur scam (saves you from signing to a faulty website)

    How Does Pocket Universe Protect You From The Blur Scam?

    Pocket Universe knew of a case where 5 ETH were stolen because of this Blur scam. So, they added a security measure to flag Blur signatures that don’t come from the official Blur website. If you’re connecting to a fishy website, you’ll get notified.
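
One way to implement the origin check described above, together with a warning for the hash-only messages mentioned earlier. This is an added example, not Pocket Universe's code: the request shape follows `eth_signTypedData_v4`, and the "Blur Exchange" domain name, the root-only payload and the `blur.io` host are assumptions.

```javascript
// Assumptions: request fields follow eth_signTypedData_v4; the "Blur Exchange"
// domain name, the root-only payload and the blur.io host are not from the page.
const OFFICIAL_HOSTS = ["blur.io"];

// True when host is an allowlisted host or a subdomain of one.
function isOfficialHost(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return OFFICIAL_HOSTS.some((o) => h === o || h.endsWith("." + o));
}

// True when every field of the primary type is a raw hash, so the wallet
// prompt shows nothing a person can read (the "hashed message" case).
function isOpaque(typed) {
  const fields = (typed.types || {})[typed.primaryType];
  return Array.isArray(fields) && fields.length > 0 && fields.every((f) => f && f.type === "bytes32");
}

// Classify one signing request: { origin: page URL, typedData: JSON string }.
function reviewSignRequest(req) {
  let typed, host;
  try {
    typed = JSON.parse(req.typedData);
    if (!typed || typeof typed !== "object") throw new Error("not an object");
    host = new URL(req.origin).hostname;
  } catch {
    return { verdict: "block", reason: "unparseable request" };
  }
  const claimsBlur = /blur/i.test((typed.domain || {}).name || "");
  if (claimsBlur && !isOfficialHost(host))
    return { verdict: "block", reason: `Blur signature requested by ${host}` };
  if (isOpaque(typed))
    return { verdict: "warn", reason: "hash-only message, contents not shown" };
  return { verdict: "allow", reason: "readable request" };
}

// Constructed sample payloads (not captured traffic).
const bulk = JSON.stringify({
  domain: { name: "Blur Exchange", version: "1.0", chainId: 1 },
  primaryType: "Root",
  types: { Root: [{ name: "root", type: "bytes32" }] },
  message: { root: "0x" + "ab".repeat(32) },
});
const login = JSON.stringify({
  domain: { name: "Example App" },
  primaryType: "Login",
  types: { Login: [{ name: "statement", type: "string" }] },
  message: { statement: "Sign in to Example App" },
});
console.log(reviewSignRequest({ origin: "https://blur.io.claim-nft.example/", typedData: bulk }));
```

The hostname comparison is an exact or dot-anchored suffix match, so a lookalike host that merely contains the official name is still blocked, and a hash-only request is flagged even on the allowlisted host because its contents cannot be read.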

    The below picture shows you an example of when the PU extension is on vs when it’s off on Blur.

    [Image: On vs Off extension Blur Scam]


    So, the Blur scam consists of making you sign a transaction that sells your NFTs for free. We don’t want that. Using extensions like Pocket Universe helps you stay safe in this space. But, with or without an extension, always understand what you’re signing and where. Mock-up websites are everywhere, so double, or even triple-check the websites you’re on. This makes us wonder, is web3 really secure?


