Would be curious what @aman @scharf think happened with the Kevin Rose hack?

making data useful with AI. Previously built @stelo to keep you safe from phishing 
benscharfstein.twitter
https://nf.td/ben

co-founder stelo.com. theoretical cs phd dropout. into math, music, ml, macro, markets, surfing, writing amandhesi.net

Would be curious what @aman @scharf think happened with the Kevin Rose hack?

https://twitter.com/0xquit/status/1618335012176400384?s=46&t=EDpYmItVCL0dWiilP6A4TA

It was a seaport bulk listing attack - Kevin signed a gasless signature that sold all his NFTs for 0ETH to the attacker. The attacker then submitted the signature to the Seaport contract and that executed the "sale". We're in the process of recreating the original signature and writing a post-mortem

This is the transaction that executed the signature https://etherscan.io/tx/0x4ae899024f8bfcb3448364dc603db2e6ed4eab7b3a8649176230d7e33e644d44

BD at Circle - building a Dollar API for the internet 💵

Former founder and operator at Snap
  
sterling_twit.twitter

T.me/sterlingba 

Those are generally done via the personal_sign method which is entirely harmless. The problem is it's not so easy to differentiate what's personal_sign and what's a malicious signature. That's why I never sign anything without first running it through @stelo

yeah similar question - how is this different than signing a txn to prove ownership for premint, tokenproof, collabland, etc. ?

or is it not and that's the terrifying bit?

Naive question: is this a gasless signature as well?

Feels like thinking that since there's no transaction confirmation it's OK to sign? https://i.imgur.com/tAgs4hY.png

Yeah this is a gasless signature that's using the "personal_sign" RPC method. This method is harmless because it cant be used to sign structured JSON messages.

Still I would recommend installing @stelo because it's currently too easy to confuse harmful signatures for harmless ones.