We’ve all heard of the scam where, on mint, your wallet gets drained of all its funds and NFTs. @hoaktrades on Twitter has outlined a few things we can watch out for before authorising the mint procedure.
To avoid getting your wallet drained on a mint:
When you get the Phantom pop-up to approve the transaction, look at the number of instructions. If there is only 1 instruction and it reads “Transfer”, DO NOT ACCEPT.
A typical Candy Machine mint is composed of 5 instructions, including:
- Create Associated Token Account
The last instruction will be the one interacting with the Candy Machine, and you can easily see whether it’s legit or not. This is the mechanism used by many Solana NFT websites.
This is what a Candy Machine mint transaction looks like. If a project claims to use a Candy Machine and the transaction looks different, you should second-guess it.
IMPORTANT! Create a burner wallet
If your main wallet is Phantom, consider creating a Sollet wallet that you use purely for minting and engaging with websites. Alternatively, create a new wallet address in Phantom.
A “burner wallet” is not a new wallet where “new” is defined by having a different seed phrase. A “burner wallet” is a key pair that is not the main one where you hold most of your funds.
When you do “create new wallet” on Phantom it merely derives a new key pair from your original seed phrase, but this is fine! When you do this, even if you get the real rug (a wallet sweep attack) they cannot take funds from your main wallet.
There are several types of ‘rugs’ in Solana at the moment:
- System Program Transfer: The project claims to be using Candy Machine or Fair Launch Protocol, but when you click the Mint button you get a transaction that only calls the System Program to transfer lamports, and you get literally nothing in return. This rug looks very different from a real mint transaction: there is only 1 instruction instead of 5, which is easy to notice!
- Wallet Sweep Attack: This one is more complex. The attack uses a custom program such that, when you sign a transaction, nearly ALL funds and NFTs in that wallet CAN GET STOLEN. Put only what you need in the wallet that engages in the transaction.
- Not getting what you paid for…: There is also the case where the project really is using a Candy Machine, but the NFTs you end up getting are completely different from what was marketed, so you still get rugged.
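The instruction-count check from the Phantom pop-up advice above, and the “System Program Transfer” rug it catches, can be turned into a small pre-signing screen. The following is an added example, not code from the original post or from @hoaktrades; it models a decoded transaction as a list of (program id, instruction name) pairs, which is a simplification of what a wallet actually decodes. The System Program id is the real Solana one; `CANDY_MACHINE_PROGRAM` is a placeholder, not the real Candy Machine program id, and the sample transactions are constructed (only “Create Associated Token Account” is named on the page; the other instruction names are illustrative).

```python
from dataclasses import dataclass
from typing import List, Tuple

# Real Solana System Program id (the native program that moves lamports).
SYSTEM_PROGRAM = "11111111111111111111111111111111"
# Placeholder only: substitute the program id the project claims to mint through.
CANDY_MACHINE_PROGRAM = "<candy-machine-program-id-placeholder>"


@dataclass(frozen=True)
class Instruction:
    program_id: str   # program the instruction is sent to
    name: str         # decoded instruction name, e.g. "Transfer"


@dataclass(frozen=True)
class Transaction:
    instructions: List[Instruction]


def screen_mint_transaction(tx: Transaction,
                            candy_machine: str = CANDY_MACHINE_PROGRAM) -> Tuple[str, str]:
    """Apply the page's two rules before signing.

    Returns (verdict, reason) where verdict is one of:
      "REJECT" - the single-instruction System Program Transfer rug
      "OK"     - the 5-instruction shape that ends in a Candy Machine call
      "REVIEW" - anything else: not necessarily a rug, but not the shape promised
    """
    ixs = tx.instructions
    if not ixs:
        return "REJECT", "transaction carries no instructions"

    # Rule 1: one instruction, and it is just a lamport transfer -> you pay, you get nothing.
    if len(ixs) == 1 and ixs[0].program_id == SYSTEM_PROGRAM and ixs[0].name == "Transfer":
        return "REJECT", "single System Program Transfer: lamports leave, nothing is minted"

    # Rule 2: a Candy Machine mint is 5 instructions and the LAST one hits the Candy Machine.
    if len(ixs) == 5 and ixs[-1].program_id == candy_machine:
        return "OK", "5 instructions, last one calls the Candy Machine"

    # Anything else does not match what the site claims; look closer before signing.
    calls_cm = any(ix.program_id == candy_machine for ix in ixs)
    detail = "Candy Machine is called but not last" if calls_cm else "Candy Machine is never called"
    return "REVIEW", f"{len(ixs)} instruction(s); {detail}"


# --- constructed sample transactions -------------------------------------------
# The rug: one System Program Transfer and nothing else.
SCAM_TX = Transaction([Instruction(SYSTEM_PROGRAM, "Transfer")])

# A legit-looking mint: five instructions, the last addressed to the Candy Machine.
LEGIT_TX = Transaction([
    Instruction(SYSTEM_PROGRAM, "Create Account"),                       # illustrative
    Instruction("<token-program-placeholder>", "Initialize Mint"),       # illustrative
    Instruction("<ata-program-placeholder>", "Create Associated Token Account"),
    Instruction("<token-program-placeholder>", "Mint To"),               # illustrative
    Instruction(CANDY_MACHINE_PROGRAM, "Mint NFT"),                      # illustrative
])


if __name__ == "__main__":
    for label, tx in (("scam", SCAM_TX), ("legit", LEGIT_TX)):
        verdict, reason = screen_mint_transaction(tx)
        print(f"{label:6} -> {verdict}: {reason}")
```

The verdict is deliberately coarse: it reproduces the two visual checks the post describes (instruction count and which program the last instruction targets) and sends every other shape to manual review rather than guessing. It does not detect the wallet-sweep class, which is why the burner-wallet advice still applies even when the screen says OK.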
1) DO NOT USE AUTO APPROVE, CHECK WHAT YOU SIGN
2) USE BURNER WALLETS
3) PRAY TO THE CRYPTO LORDS THE ART IS WHAT WAS MARKETED