ghost
@molo
how does the “click a link, get your wallet emptied” actually work? Like what’s happening there
5 replies
0 recast
2 reactions
Alberto Ornaghi
@alor
You click a link, they ask you to sign a transaction to mint something, but the signature is actually for transferring your assets out of the wallet. Lesson: never authorize signing a transaction unless you trust the requester.
2 replies
0 recast
2 reactions
ghost
@molo
ah ok so you’re still signing something, that makes sense. I thought there was this insane security hole where just opening a link was game over 😰
1 reply
0 recast
1 reaction
timdaub
@timdaub.eth
It’s actually wild that we’ve trained users to YOLO mint anything on a website and at the same time that single call can do wildly arbitrary things. Having consumers’ trust, e.g. in Zora, would be one way - but in general this is terrible news for web3 discoverability
0 reply
0 recast
0 reaction
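The mismatch described in @alor's reply (a "mint" prompt whose signature really hands over assets) can be checked by decoding the calldata before signing. This is an added example, not part of the thread: the function name `describeRequest`, the addresses and the sample request are constructed for illustration, and the selectors are the standard ERC-20/ERC-721 ones.

```javascript
// Added example: summarise what a signing request's calldata would really do.
// Keys are the standard 4-byte ERC-20 / ERC-721 function selectors.
const ASSET_CALLS = new Map([
  ["0xa9059cbb", ["transfer", ["address", "uint256"]]],
  ["0x095ea7b3", ["approve", ["address", "uint256"]]],
  ["0x23b872dd", ["transferFrom", ["address", "address", "uint256"]]],
  ["0x42842e0e", ["safeTransferFrom", ["address", "address", "uint256"]]],
  ["0xa22cb465", ["setApprovalForAll", ["address", "bool"]]],
]);
const MAX_UINT256 = (1n << 256n) - 1n;

function describeRequest(tx) {
  const data = String(tx.data || "0x").toLowerCase();
  const entry = ASSET_CALLS.get(data.slice(0, 10));
  if (!entry) return { call: null, risky: false, summary: "call not in this table" };
  const [name, types] = entry;
  const body = data.slice(10);
  // Truncated or non-hex arguments: still an asset call, so keep it flagged.
  if (body.length < types.length * 64 || !/^[0-9a-f]*$/.test(body)) {
    return { call: name, risky: true, summary: `${name} with malformed arguments` };
  }
  // Each ABI argument is one 32-byte word; addresses are its low 20 bytes.
  const args = types.map((type, i) => {
    const word = body.slice(i * 64, (i + 1) * 64);
    if (type === "address") return "0x" + word.slice(24);
    if (type === "bool") return BigInt("0x" + word) !== 0n;
    return BigInt("0x" + word);
  });
  // Revoking (operator = false, or allowance = 0) gives nothing away.
  const revokes = (name === "setApprovalForAll" && args[1] === false) ||
                  (name === "approve" && args[1] === 0n);
  const unlimited = name === "approve" && args[1] === MAX_UINT256;
  const summary = `${name}(${args.join(", ")})` + (unlimited ? " [unlimited allowance]" : "");
  return { call: name, args, risky: !revokes, unlimited, summary };
}

// Constructed sample: the page's button says "Mint", but the calldata the
// wallet is asked to sign is setApprovalForAll(operator, true).
const pad = (hex) => hex.replace(/^0x/, "").padStart(64, "0");
const OPERATOR = "0x1111111111111111111111111111111111111111"; // constructed address
const fakeMint = {
  to: "0x2222222222222222222222222222222222222222", // constructed NFT contract
  data: "0xa22cb465" + pad(OPERATOR) + pad("1"),
};
console.log(describeRequest(fakeMint).summary);
```

A call that is not in the table comes back with `call: null`, which means "not decoded", not "safe".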