How a free airdrop stole all my crypto

This is a cautionary tale about free unsolicited (and even solicited) airdrops and how they can be used as a scam tactic to wipe your wallet clean of funds.

If at any point you have looked up your wallet address on one of the many network scans (polygon scan, bscscan, etherscan) you might have seen some strange tokens appear in your wallet. (much like the image below).
coins.PNG

And if you are as naive as I was when this happened to me, and possibly may have been signing up wholesale to airdrops left right and center, you might have thought that some of them had come thru, or that you got lucky and ended up becoming part of some random aidrop.

In some circumstances you might look up those coins on coingecko, or coinmarket cap, and realize that you've stumbled upon thousands of dollars! Maybe these coins were worthless when you got them and have now pumped!

The first instict, of course would be to (as quickly as possible, incase the value tanks) figure out where and how you can sell these tokens. If you are on your binance wallet, pancakeswap might be your first destination. If you are able to get any of these tokens to show up on pancakeswap you'll find that you're not able to convert them.

Further googling might take you to the project website, where an interface, that looks a lot like pancakeswap's WILL let you convert your tokens.

You quickly input the details. Your wallet (metamask or otherwise), asks you to sign/authorize that this project/site can transact on your behalf. Without thinking too much, you quickly aprove it. After all we've done this many times before on any website that we have wanted to convert currency in. What could go wrong right?...

WRONG

This is where scammers get you. In clicking that approval, what you've done is actually authorized a project to transact on your behalf. A legitimate project will use that authority to allow you to deposit one token in exchange for another. But a malicious project will use that authority to pull out everything it can like a possessed vacuum cleaner that has found itself in a dust ridden room and realized that its entrance into heaven is based on the amount of dust it has consumed in a lifetime, and it has five minutes left to live. In other words, pretty damn quickly.

This is what happened to me. Despite considering myself a relatively skeptical and careful citizen of the world wide web, I was bamboozled by one of these projects. Despite being skeptical, like many, I did not really pay attention to the prompts I was getting from metamask whenever I was transacting on the cryptoweb. In my mind, as long as I did not send any money to these projects I was in the clear. Little did I know, that I was in fact giving them the authority to pull out all the precious cake from my wallet. What's more the incident was not just limited to the one time I "authorized" my wallet. They kept pulling out cake every time I deposited it into my metamask. This left me angry and frustrated as I thought my wallet was compromised and i'd have to replace /exchange it for a new one, which meant i'd have to transfer everything over, and this was at a time when even small transaction fees were painful.

Not to mention the d'apps that I had associated with my wallet. However not all was lost!

Before we get into how I was able to scrub my wallet clean,
you might be wondering HOW this can happen. Well like myself, i'm sure many of you have heard the term "Smart Contract" and had no idea what this meant. Those prompts that you agree on in metamask, are esentially you agreeing to contracts that will be executed based on the terms. In this particular case, I was agreeing to allowing the project to withdraw CAKE from my wallet at any time, up to an amount of 9999 CAKE.

That's why it's incredibly imperative that before you sign ANY transactions, that you are aware of what the website is asking for. The fact that these websites are asking for these contracts is not the problem. Pancakeswap has similar contracts. But make sure that you TRUST that the website in question will not take advantage of these contracts and wipe you clean.

One thing you can do to help mitigate this (and metamask allows this easily by clicking on the icon on the top right of your metamask allows you to easily and quickly create a new wallet. It's good practice to keep a separate wallet for transactions and so on, so as to keep it quarantined from your main assets incase you come accross a malicious contract.
meta.PNG

This is obviously easier to do on chains other than Ether, as transaction fees are in the cents or tens of cents, and so it is easy to send money back and forth between wallets. With Ethereum however, with a hefty fee in the tens of dollars per transfer, it can be challenging to be ferrying money thru a pass-thru wallet, making it all the reason to be more captious with the wallet you keep your ethereum based assets on.

So how did I scrub my wallet free of the contract that kept stealing my CAKE? I came accross a wonderful website called DeBank. DeBank, not only provides me an awesome dashboard where I can monitor my assets accross chains, but also what I have staked on different swap sites. The most powerful feature however is the contract reviewer. This allows me to review the contracts I have per token and REVOKE/CANCEL any I no longer want to have open.

Having discovered this, I do a monthly sweep of contracts on my wallet, revoking any that I do not use on a regular basis, or are not from swap sites like pancakeswap, uniswap, quickswap, etc. This helps me feel more secure, and prevents me from overlooking any malicious contracts, or contract changes that might put my valuable assets at risk.

Please learn from my experience, and be wary of free airdrops. Scammers are getting more creative these days in trying to steal your money, and it's important ot stay informed and aware.

Posted Using LeoFinance Beta