NFT Risks and Scams

NFT Risks and Scams: What to Watch and How to Defend

From fake mints to approval drainers, signature tricks, and metadata rugs, here is a practical, user-level defense guide with concrete checks and recovery steps.

TL;DR: Most losses begin with social engineering. Drainers either (1) make you grant
setApprovalForAll to their operator, or (2) trick you into signing a permit/sale that lets them move your NFTs.
Use a daily wallet for minting and claims, keep grails in a hardware vault, bookmark official sites, simulate transactions,
and revoke old approvals regularly. Prefer collections that use immutable or decentralized metadata when permanence matters.

1) Fake Mints and Airdrops

Attackers rely on urgency, FOMO, and “official-looking” design. The usual pattern: a tweet or Discord ping announces a surprise mint or claim.
You click, connect your wallet, and a site prompts you to approve an operator or sign something that is not a simple mint.
Airdropped spam NFTs often include links that lead to the same trap.

  • Bookmark discipline: navigate only via your own bookmarks or links you typed, never from DMs or replies.
  • Contract verification: cross-check the mint contract on an explorer; legit mints typically have verified source and recognizable deployers.
  • Supply and timing sanity: does the claimed supply, price, and timeline match official announcements across multiple channels?
  • On-chain history: a brand-new contract and brand-new operator with no prior activity is a red flag.

2) Approval Drainers and Signature Traps

Two families of theft dominate NFT scams:

  1. Operator approvals: you call setApprovalForAll(attacker, true), granting a malicious operator the right to transfer all
    your NFTs of that contract. Minutes later, they sweep the wallet.
  2. Permits and listings: a typed-data signature grants permission to transfer or lists items at a low price. With ERC-721 permits (EIP-4494) and
    marketplace orders, a single signature can be enough to move or sell an NFT if you do not verify what you are signing.

  // NFT approval risk (conceptual; the same call exists on ERC-721 and ERC-1155)
  setApprovalForAll(attacker, true);  // grants transfer rights for ALL NFTs of that contract

  // Revoking later (same interface)
  setApprovalForAll(attacker, false); // removes operator rights

  • Human-readable prompts: prefer wallets that render EIP-712 typed data cleanly (collection name, tokenIds, price, expiration, chainId).
  • Domain and chain binding: for typed data, look for domain.name, domain.verifyingContract, and domain.chainId.
    If any are wrong or missing, cancel.
  • Finite approvals: when a marketplace supports item-specific approvals, prefer those over blanket setApprovalForAll.
  • Revoke routinely: if you no longer use a marketplace, revoke its operator rights.
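The checks above as code: an added example (not from the original guide) of the pre-sign inspection a user-side tool could run on an EIP-712 payload or on raw transaction calldata before the wallet signs. Field names follow EIP-712 and EIP-4494; the trusted-contract list, expected chain id and validity threshold are assumptions chosen for illustration.

```javascript
const SET_APPROVAL_FOR_ALL = "0xa22cb465"; // 4-byte selector of setApprovalForAll(address,bool)

// Flags the fields the guide says to read before signing: domain.name, chainId,
// verifyingContract, who is granted rights, expiration and price.
function checkTypedData(typed, ctx) {
  const problems = [];
  const d = typed.domain || {};
  const m = typed.message || {};
  if (!d.name) problems.push("domain.name missing");
  if (Number(d.chainId) !== ctx.expectedChainId) problems.push(`chainId ${d.chainId} is not ${ctx.expectedChainId}`);
  if (!d.verifyingContract) problems.push("verifyingContract missing");
  else if (!ctx.trusted.has(d.verifyingContract.toLowerCase())) problems.push(`unknown verifyingContract ${d.verifyingContract}`);
  const grantee = m.spender ?? m.operator; // EIP-4494 permits name the grantee "spender"
  if (grantee && !ctx.trusted.has(String(grantee).toLowerCase())) problems.push(`grants rights to unknown address ${grantee}`);
  const exp = m.deadline ?? m.expiration;
  if (exp !== undefined && Number(exp) - ctx.now > ctx.maxValiditySeconds) problems.push("expiration unusually far in the future");
  if (m.price !== undefined && BigInt(m.price) === 0n) problems.push("zero-price listing");
  return problems;
}

// Decodes setApprovalForAll(operator, approved) calldata; returns null for any other function.
function checkCalldata(data, ctx) {
  const hex = String(data).toLowerCase();
  if (!hex.startsWith(SET_APPROVAL_FOR_ALL) || hex.length < 138) return null;
  const operator = "0x" + hex.slice(34, 74);                // word 1: address in the low 20 bytes
  const approved = BigInt("0x" + hex.slice(74, 138)) !== 0n; // word 2: bool
  return { operator, approved, risky: approved && !ctx.trusted.has(operator) };
}

// Constructed sample context and payloads (placeholder addresses, not real contracts).
const MARKET = "0x" + "1".repeat(40);
const ATTACKER = "0x" + "2".repeat(40);
const CTX = { expectedChainId: 1, trusted: new Set([MARKET]), now: 1700000000, maxValiditySeconds: 30 * 86400 };
const WRONG_CHAIN_LISTING = {
  domain: { name: "Market", chainId: 56, verifyingContract: MARKET },
  message: { tokenId: 42, price: "1000000000000000000", expiration: 1700086400 },
};
const DRAINER_CALLDATA = SET_APPROVAL_FOR_ALL + "0".repeat(24) + "2".repeat(40) + "0".repeat(63) + "1";

console.log(checkTypedData(WRONG_CHAIN_LISTING, CTX)); // ["chainId 56 is not 1"]
console.log(checkCalldata(DRAINER_CALLDATA, CTX));     // { operator: ATTACKER, approved: true, risky: true }
```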

3) Metadata Rugs, Storage, and “Frozen” Art

Metadata defines what your NFT is: name, attributes, and the image or animation URL. If metadata lives on a centralized server, creators can
change it after mint, sometimes innocently (reveals), sometimes maliciously (rugs). Collections that advertise immutability should either store JSON and media
on decentralized storage or encode assets on-chain for permanence.

  • Content addressing: prefer ipfs:// or ar:// URIs over https:// links to a private server.
  • Pinning and redundancy: even on IPFS, ensure your content is pinned by multiple providers to avoid “missing file” issues.
  • Freeze signals: some platforms expose a “frozen metadata” flag; treat it as a hint, not absolute truth. Verify that the tokenURI points to immutable content.
  • On-chain art: collections that store SVG or data on-chain remove third-party storage risk, at higher gas cost.
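The storage ranking above, applied to a token's URIs: an added example (not from the original guide) that classifies a tokenURI and the image/animation fields of its JSON, and reports the weakest link. The scheme checks are simplified heuristics and the sample URIs are constructed, both assumptions for illustration.

```javascript
// Ranks a URI by how permanent its storage is, in the order the guide gives:
// on-chain data: URI, then ipfs:// or ar:// content addressing, then an HTTPS
// gateway that still carries a content hash, then a plain private server.
function classifyUri(uri) {
  const u = String(uri).trim();
  if (u.startsWith("data:")) return { tier: 0, kind: "on-chain", note: "asset embedded in the contract; no third-party storage" };
  if (u.startsWith("ipfs://")) {
    const cid = u.slice(7).split(/[/?#]/)[0];
    return { tier: 1, kind: "ipfs", id: cid, note: "content-addressed; confirm it is pinned by more than one provider" };
  }
  if (u.startsWith("ar://")) return { tier: 1, kind: "arweave", id: u.slice(5).split(/[/?#]/)[0], note: "content-addressed, permanent storage" };
  const gw = u.match(/^https?:\/\/[^/]+\/ipfs\/([A-Za-z0-9]+)/);
  if (gw) return { tier: 2, kind: "ipfs-gateway", id: gw[1], note: "content-addressed, but resolves through one gateway" };
  if (/^https?:\/\//.test(u)) return { tier: 3, kind: "centralized", note: "server owner can replace the file after mint" };
  return { tier: 3, kind: "unknown", note: "unrecognized scheme; treat as mutable" };
}

// The weakest link decides: an ipfs:// tokenURI whose JSON points the image at a
// private server is still a rug risk. `metadata` is the already-fetched tokenURI JSON.
function weakestLink(tokenUri, metadata) {
  const checks = [{ field: "tokenURI", ...classifyUri(tokenUri) }];
  for (const field of ["image", "animation_url"]) {
    if (metadata && metadata[field]) checks.push({ field, ...classifyUri(metadata[field]) });
  }
  return checks.reduce((worst, cur) => (cur.tier > worst.tier ? cur : worst));
}

// Constructed sample (not a real collection): JSON pinned on IPFS, image on a private host.
const SAMPLE_URI = "ipfs://bafyexamplecidnotreal/42.json";
const SAMPLE_META = { name: "Sample #42", image: "https://cdn.example.invalid/42.png" };
console.log(weakestLink(SAMPLE_URI, SAMPLE_META)); // { field: "image", tier: 3, kind: "centralized", ... }
```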

4) Market Manipulation and Wash Trading

Thin liquidity and fragmented markets make NFTs easy to game. Wash traders inflate volume, spoof floors, and bait bids. Your best defense is skepticism and cross-checks.

  • Look at unique buyers and holding time: a surge in sales with the same few wallets or rapid round-trips suggests wash trading.
  • Depth, not just floor: shallow order books mean a tiny buy can move displayed floors; check the distribution of listings around the floor, not only the lowest ask.
  • Cross-venue consistency: verify activity across multiple marketplaces and on-chain analytics, not a single dashboard.
  • Trait premium sanity: drastic premium swings on common traits are suspicious during hype windows.
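Two of the indicators above computed over a sales feed: an added example (not from the original guide) that measures buyer concentration and counts rapid round-trips (a token going A to B and back to A within a short window). The feed is constructed with placeholder wallets and the thresholds are assumptions.

```javascript
// Buyer concentration (share of sales made by the top N buyers) and round-trips.
function washSignals(sales, { roundTripWindowSec = 86400, topN = 3, concentrationLimit = 0.6 } = {}) {
  // Concentration: how much of the volume lands in a handful of wallets.
  const buyCounts = new Map();
  for (const s of sales) buyCounts.set(s.buyer, (buyCounts.get(s.buyer) || 0) + 1);
  const sorted = [...buyCounts.values()].sort((a, b) => b - a);
  const topBuyerShare = sales.length ? sorted.slice(0, topN).reduce((a, b) => a + b, 0) / sales.length : 0;

  // Round-trips: group sales per token, order by time, look for A -> B -> A.
  const byToken = new Map();
  for (const s of sales) {
    if (!byToken.has(s.tokenId)) byToken.set(s.tokenId, []);
    byToken.get(s.tokenId).push(s);
  }
  const roundTrips = [];
  for (const [tokenId, list] of byToken) {
    list.sort((a, b) => a.ts - b.ts);
    for (let i = 1; i < list.length; i++) {
      const prev = list[i - 1], cur = list[i];
      if (cur.seller === prev.buyer && cur.buyer === prev.seller && cur.ts - prev.ts <= roundTripWindowSec) {
        roundTrips.push({ tokenId, wallets: [prev.seller, prev.buyer], seconds: cur.ts - prev.ts });
      }
    }
  }
  return {
    sales: sales.length, uniqueBuyers: buyCounts.size, topBuyerShare, roundTrips,
    suspicious: topBuyerShare > concentrationLimit || roundTrips.length > 0,
  };
}

// Constructed sales feed (placeholder wallets, not on-chain data): tokens 1 and 2
// each bounce between two wallets within hours; token 3 is an ordinary sale.
const SAMPLE_SALES = [
  { tokenId: 1, seller: "A", buyer: "B", ts: 1000, price: 1.0 },
  { tokenId: 2, seller: "C", buyer: "D", ts: 2000, price: 2.0 },
  { tokenId: 2, seller: "D", buyer: "C", ts: 3000, price: 2.2 },
  { tokenId: 3, seller: "E", buyer: "F", ts: 4000, price: 0.9 },
  { tokenId: 1, seller: "B", buyer: "A", ts: 5000, price: 1.5 },
  { tokenId: 1, seller: "A", buyer: "G", ts: 9000, price: 1.8 },
];
console.log(washSignals(SAMPLE_SALES)); // 2 round-trips (tokens 1 and 2), topBuyerShare 0.5, suspicious: true
```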

5) Social and Platform-Level Attacks

  • Support impersonation: “We can help recover your NFTs, start by sharing your seed.” Legitimate support will never ask for seed phrases or private keys.
  • Malicious browser extensions and clones: fake wallet extensions intercept signatures or swap receiving addresses. Install from official stores and verify publisher.
  • Air-gap bypass via QR: QR-based signing apps can still sign dangerous payloads. Read prompts carefully and verify typed data before approving.
  • Delegate confusion: tools that delegate rights (for example, listing or airdrop claim delegates) are powerful; double-check what permission you are granting and to whom.

6) User Defense Playbook (Step by Step)

  1. Segment wallets: keep a daily wallet with minimal funds for minting and experiments, and a vault wallet on hardware for long-term holds. Do not connect the vault to random sites.
  2. Bookmark first: mint and manage only from bookmarked official sites. If a link arrives via DM or airdropped NFT, ignore it.
  3. Simulate transactions: use wallet simulators or testnets where available. At minimum, read the function name, contract, and parameters in the confirmation prompt.
  4. Prefer finite permissions: approve only what you need (item-specific approvals or time-limited listings). Avoid blanket approvals to unfamiliar operators.
  5. Review and revoke: periodically review operator approvals and revoke stale ones with a trusted manager.
  6. Cold sign with care: hardware wallets protect keys, not judgement. If the prompt looks wrong, cancel. Check domain.name, chainId, verifyingContract, price, tokenIds, and expiration.
  7. Store backups offline: seed phrases and recovery shards belong on paper or steel in separate locations — never in cloud notes or screenshots.

7) Incident Response: If Something Goes Wrong

Speed matters. Here is a concise runbook:

  1. Disconnect and revoke: immediately revoke suspicious operators for affected collections. If you cannot sign safely, move remaining assets to a fresh vault first.
  2. Rotate hot wallets: assume a compromised device or extension; move to a clean device and new wallet for future activity.
  3. Alert marketplaces and communities: some platforms can flag assets, block obvious resale, or assist with tracing.
  4. Preserve evidence: copy transaction hashes, contract addresses, and site URLs. This helps analytics and, if you choose, law-enforcement reports.
  5. Harden for next time: audit your bookmarks, uninstall unused extensions, and tighten approval routines.

Quick check

  1. Why are airdropped NFT links risky?
  2. What does setApprovalForAll allow, and why is it dangerous?
  3. Name two indicators of market manipulation in an NFT collection.
  4. How can decentralized storage reduce metadata rug risk?

Answers
  • They often lead to phishing pages that request dangerous approvals or signatures.
  • It grants an operator permission to transfer all your NFTs of that contract; a malicious operator can sweep your assets.
  • Concentrated trading among a few wallets and rapid buy-sell round-trips; inconsistent floors across venues and thin depth near the floor.
  • By using content-addressed URIs (for example, ipfs://) and pinning, creators cannot silently swap files on a private server.

Go deeper

  • EIP-721 | EIP-1155
  • Revoke.cash — Approval Manager
  • IPFS Docs
  • Concepts: EIP-712 typed data, EIP-4494 permits for ERC-721, operator approvals versus item approvals, on-chain art versus pinned assets
  • Ops: wallet segmentation, extension hygiene, transaction simulation, approval review cadences

Further lectures

  • Reading wallet prompts like a pro: dissecting EIP-712 domains and payloads; spotting dangerous fields.
  • Storage deep dive: IPFS pinning strategies, Arweave permanence trade-offs, and verifiable media integrity.
  • Marketplace security: item-specific approvals, listing expirations, and safe cancellation patterns.
  • Team playbooks: multisig vaults for grails, delegated claimers, and incident drills.
  • Threat modeling NFTs: adversary tactics, common kill chains, and automated monitoring alerts to catch risk early.