In September 2022, a regular NFT trader fell victim to one of the newest scams in the Web3 space. The victim agreed to an NFT swap — but was tricked into agreeing to receive a fake token, losing their prized MAYC token in exchange.
The NFT swap order scam is rife, but the key to avoiding it is knowing what to look out for. So in this article, we walk you through the scam, explain exactly how it worked — and show you the red flags that could enable YOU to avoid losing an NFT in the same way.
Defining NFT Swap Order Scam
Peer-to-peer NFT trades are one of the newest options to hit the crypto market — they enable users to make direct swaps between wallets, without using a central protocol. Platforms such as NFTTrader and Sudoswap enable NFT swaps in a secure way via something called a swap order.
A swap order is a customized trade that can be created by anyone looking to swap an NFT. By signing a swap order, you give permission to whatever instruction it contains — in this case, permission to take a given NFT from your wallet.
Using swap orders enables NFTs to be traded directly between users’ wallets — the trade can either be for another NFT, for crypto, or for a mixture of both. The precise conditions of the trade are determined by whoever creates the order.
Once created, the swap order will have its own page containing full details of the trade, including: a picture of the tokens being traded, a link to the OpenSea page showing the host smart contract for the token and a link to the Etherescan page showing full detail of that smart contract.
How did the scam work?
In this case, the victim was contacted directly by the scammer via a private message. The scammer proposed a swap between two MAYC tokens, volunteering to throw in some extra ETH as part of the deal. The scammer then created the swap order, and sent the code to the victim.
Although the swap page appears clear and transparent, there’s a lot of detail it doesn’t show.
For example, it really doesn’t prove anything in terms of what collection the incoming NFT is coming from. Remember, any image can be minted onto the blockchain; the only way to really be sure it is from a genuine collection is to examine the underlying smart contract. This can be done by clicking on the Etherscan embed within the page.
A look at the smart contract specifics on Etherscan would have revealed a couple of big red flags about this swap.
- A brand new smart contract: the fake NFT belonged to a smart contract created just the day before the swap — the genuine MAYC collection was first minted in August 2021.
- Name spelled incorrectly: the NFT contract name contained a spelling error, a sure sign it wasn’t the real deal.
By not cross-checking the token using Etherscan, the buyer missed key opportunities to detect the scam — and effectively sold their MAYC for a fraction of its worth (the ETH throw-in element of the deal was valid, thanks to the SudoSwap protocol)
How to avoid the NFT swap order scam?
Web3 is full of scams and dupes — but we have great news for you: with absolutely everything existing on-chain, you have more power than ever to look behind the scenes and check out exactly what you’re buying.
Here are a few different ways you can spot this scam yourself.
When swapping, always use Etherscan to:
- Check the contract creation date or when the tokens were first minted to ensure they match the real collection
- Check out the transaction activity to see if the trading volume matches what you’d expect from a big collection
- Verify that the Etherscan page itself is genuine by cross-checking the contract ID with the project’s official site or Opensea
- Check for spelling errors in the name of the contract page
Final Thoughts
Web3’s buzzing internet of value presents a world of new options, all of them accessible directly from your wallet. But here, your hard-earned crypto is always at stake — and mistakes don’t have an “undo” button.
That’s why it’s never been more important to understand what types of scam are being deployed, and how to spot them. NFTing is here to help you with that.
All Comments