Understanding the Threat
Scam links pose a significant risk in the world of cryptocurrency, especially when it comes to minting new tokens. A few days ago, Vitalik's Twitter (or X, or whatever) account was hacked, and a tweet message was posted:
The link is fake, but some people will not notice it because the Twitter card shows phony information, and people will try to claim it. Then, bad things happen.
Identifying Scam Links
Several red flags can help identify potential scam links. However, they involve a lot of effort, and usually, people will not check it. This is where wallets should start catching up ASAP because the safety of everyone is paramount, especially within the web3 ecosystem.
The trick in the previous tweet is that you can put any information in that card, so people can jump without checking anything. The subtle change of the domain is difficult to catch, and as this tweet comes from a genuine verified (sigh) account on Twitter, most people will trust it without double-checking.
Impersonating prominent people is one of the most successful vectors because people usually trust anything they publish. But when an account gets compromised, the links they publish should be verifiable so the users (or even better, the wallets) can double-check if the posted link is valid for the smart contract they are promoting.
Using GPG for signing and verifying minting links
In my head, the only feasible solution was to use GPG so creators, especially smart contract developers of NFTs, could sign their official site with their private key, and anyone could verify it using its public key. In this way, as users, we will be able to verify the posted link once we open it in our browser, or even better, before doing that, we could verify the link is legit because the owner has signed it.
If the Twitter account gets compromised, they could publish a malicious link, but it will be much harder to sign the link unless they have hacked the user's laptop and password to unlock it. If we wanted top-notch security, this could be even "impossible" if the GPG key is stored in a Yubikey, as you will need again to steal the actual hardware and the pin to access it.
While this sounds safe, I was missing the web3 approach to it. And then, I discovered attest.sh
Using attest for signing and verifying minting links
If you don't know, Attest.sh you should check it out. This fantastic solution allows you to create, verify, and revoke on/off-chain attestations.
The exciting part is that you can create a schema that could be re-used by other projects and improve the security among the NFT community.
How would it work
The Attest.sh site has several schemas that you can directly use. For example, a simple way of attesting links would be using the Website URL schema:
With this schema, then you can do an attest that can look like this:
With this schema, we can, as the owners of our NFT contract, attest the official link to our minting project. We will use our wallet address, the same that deployed the contract, in the From field, and in the To, we will use the just deployed contract address.
Then, ANYONE can verify that the link is valid and safe because only the contract deployer would be the one attesting to a valid link to the contract she just deployed.
This will be as secure as the wallet and the person who manages it. While soft wallets will be mildly secure, the best way would be with a hardware wallet or, even better, a multi-sig wallet. In the last two cases, only by stealing the hardware wallet and knowing the pin or hacking the multi-sig wallets would it be possible to publish a fake link to the minting site.
The best part of the attestations is that you can do them on-chain, so the wallets could verify this automatically when you are trying to mint to warn you or even forbid you to sign any transaction to protect you from fake links.
Now you might wonder: what if the link has expired, or if we want to change it? If the link has expired or has been updated, they can always revoke the attestation and create a new one with the updated URL.
Signing links could be the way to build trust within the NFT community, especially for those projects that have tons of users. When they have to publish a new project, they have to tell people to check retweets from other founders and double-check on Discord to know that the link is legit and none of the owners' accounts have been hacked (this has happened so many times on Discord that I've lost the count).
The process will be as simple as publishing the link and the attestation so anyone can verify that the attest was created by the wallet that deployed the contract and that the contract's owner is the attestation recipient.