Dan Romero
@dwr.eth
Would be curious what @aman @scharf think happened with the Kevin Rose hack? https://twitter.com/0xquit/status/1618335012176400384?s=46&t=EDpYmItVCL0dWiilP6A4TA
12 replies
0 recast
0 reaction

Aman Dhesi
@aman
It was a Seaport bulk listing attack - Kevin signed a gasless signature that sold all his NFTs for 0 ETH to the attacker. The attacker then submitted the signature to the Seaport contract and that executed the "sale". We're in the process of recreating the original signature and writing a post-mortem.
3 replies
0 recast
0 reaction

Dan Romero
@dwr.eth
Naive question: is this a gasless signature as well? Feels like thinking that since there's no transaction confirmation it's OK to sign? https://i.imgur.com/tAgs4hY.png
2 replies
0 recast
0 reaction

Agost Biro
@agostbiro
Yeah, this is a big problem. Can also happen with meta-transactions where the user just signs an off-chain sig for “gasless”.
0 reply
0 recast
0 reaction

Aman Dhesi
@aman
Yeah, this is a gasless signature that's using the "personal_sign" RPC method. This method is harmless because it can't be used to sign structured JSON messages. Still, I would recommend installing @stelo because it's currently too easy to confuse harmful signatures for harmless ones.
1 reply
0 recast
0 reaction
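
An added example, not code from this thread, Seaport or Stelo: a check a wallet or extension could run on an incoming signature request, separating `personal_sign` from EIP-712 typed data and flagging a Seaport order in which the signer is paid nothing. The `classifySignRequest` name, the risk levels and all addresses and orders are constructed assumptions; the sample typed data carries only the fields the check reads.

```javascript
// Added example: names, risk levels and sample values are constructed assumptions.
const SIGNER = "0x" + "11".repeat(20);
const OTHER = "0x" + "22".repeat(20);
const NFT = "0x" + "aa".repeat(20);

function classifySignRequest(req) {
  if (req.method === "personal_sign") {
    return { level: "info", reason: "free-text message (personal_sign)" };
  }
  if (!/^eth_signTypedData_v[34]$/.test(req.method)) {
    return { level: "unknown", reason: "not a handled signature method: " + req.method };
  }
  // eth_signTypedData_v3/v4 params: [signerAddress, typedData as JSON string or object]
  let data;
  try {
    data = typeof req.params[1] === "string" ? JSON.parse(req.params[1]) : req.params[1];
  } catch (e) {
    return { level: "warn", reason: "typed data is not valid JSON" };
  }
  if (data?.domain?.name !== "Seaport" || data.primaryType !== "OrderComponents") {
    return { level: "warn", reason: "typed data for " + (data?.domain?.name ?? "unknown domain") };
  }
  const order = data.message ?? {};
  const offerer = String(order.offerer).toLowerCase();
  // What the signer is paid: consideration items whose recipient is the offerer.
  const toSigner = (order.consideration ?? [])
    .filter((c) => String(c.recipient).toLowerCase() === offerer)
    .reduce((sum, c) => sum + BigInt(c.endAmount ?? 0), 0n);
  const items = (order.offer ?? []).length;
  if (items > 0 && toSigner === 0n) {
    return { level: "danger", reason: `Seaport order gives up ${items} item(s), pays signer 0` };
  }
  return { level: "warn", reason: `Seaport order: ${items} item(s) for ${toSigner} (smallest unit)` };
}

// Constructed Seaport-style typed data: two ERC-721 items (itemType 2) offered.
function sampleRequest(recipient, amount) {
  const offer = [1, 2].map((id) => ({ itemType: 2, token: NFT,
    identifierOrCriteria: String(id), startAmount: "1", endAmount: "1" }));
  const consideration = [{ itemType: 0, token: "0x" + "00".repeat(20),
    identifierOrCriteria: "0", startAmount: amount, endAmount: amount, recipient }];
  const typed = { domain: { name: "Seaport" }, primaryType: "OrderComponents",
    message: { offerer: SIGNER, offer, consideration } };
  return { method: "eth_signTypedData_v4", params: [SIGNER, JSON.stringify(typed)] };
}

console.log(classifySignRequest(sampleRequest(OTHER, "1")).reason);
console.log(classifySignRequest(sampleRequest(SIGNER, "1000000000000000000")).reason);
```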