The website of Premint, a popular NFT pass platform, was compromised on Sunday, and losses incurred in the incident are estimated at around $375k, according to the security details shared by CertiK.
Premint NFT website breached
The hacker(s) reportedly injected a malicious JS file into the Premint website, which lured unsuspecting users into signing a “setApprovalForAll(address,bool)” transaction. This granted the attackers the access needed to steal users’ NFTs and other assets contained in the affected wallets.
Etherscan has flagged four addresses involved in the attack. CertiK said the attacker(s) stole about 314 NFTs, including BAYC, Otherside, Goblintown, and others. The total losses are estimated to be around 275 ETH or $374,417.66 at the current market price. This makes “it one of the largest NFT hacks this year,” CertiK said.
This issue only affected users who connected a wallet via this dialog after midnight Pacific time. Thanks to the incredible web3 community spreading warnings, a relatively small number of users fell for this.
Premint.
Safety measures
Premint’s team issued the warning earlier on Twitter, instructing users not to sign any transaction that asks them to “set approvals for all” and to revoke permission to the wallet if they believe that their wallet was compromised in the attack. The website was temporarily taken down for a fix.
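The warning above concerns calls to setApprovalForAll(address,bool). The following JavaScript is an added example, not code from Premint or CertiK: it decodes raw transaction calldata so a wallet-side check can tell an approval grant from the revocation users were told to perform. The function name and the sample operator address are assumptions constructed for illustration.

```javascript
// 4-byte selector of setApprovalForAll(address,bool), used by ERC-721 and ERC-1155.
const SET_APPROVAL_FOR_ALL = "a22cb465";

// Hypothetical helper. Returns { kind, operator?, reason? } where kind is:
// "grant"  - operator gains control of every token the signer holds in that collection
// "revoke" - a previously granted operator approval is withdrawn
// "other"  - a different function; "malformed" - cannot be decoded safely
function classifyCalldata(data) {
  if (typeof data !== "string") return { kind: "malformed", reason: "not a string" };
  const hex = data.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]*$/.test(hex) || hex.length % 2 !== 0) {
    return { kind: "malformed", reason: "not even-length hex" };
  }
  if (hex.slice(0, 8) !== SET_APPROVAL_FOR_ALL) return { kind: "other" };

  // ABI encoding: selector (4 bytes) + address word (32 bytes) + bool word (32 bytes).
  // Trailing bytes are ignored so padding the call cannot hide a grant.
  if (hex.length < 8 + 128) {
    return { kind: "malformed", reason: "arguments truncated" };
  }
  const addrWord = hex.slice(8, 72);
  const boolWord = hex.slice(72, 136);

  // An address is 20 bytes, left-padded with 12 zero bytes.
  if (!/^0{24}/.test(addrWord)) {
    return { kind: "malformed", reason: "address word has non-zero padding" };
  }
  // A bool must encode exactly 0 or 1.
  if (!/^0{63}[01]$/.test(boolWord)) {
    return { kind: "malformed", reason: "bool word is not 0 or 1" };
  }
  const operator = "0x" + addrWord.slice(24);
  return { kind: boolWord.endsWith("1") ? "grant" : "revoke", operator };
}

// Constructed sample input: the operator is a placeholder, not an address from the incident.
const OPERATOR = "0x" + "11".repeat(20);
const pad = (h) => h.replace(/^0x/, "").padStart(64, "0");
const sampleGrant = "0x" + SET_APPROVAL_FOR_ALL + pad(OPERATOR) + pad("1");
const sampleRevoke = "0x" + SET_APPROVAL_FOR_ALL + pad(OPERATOR) + pad("0");

console.log(classifyCalldata(sampleGrant));
console.log(classifyCalldata(sampleRevoke));
```

A signing prompt that classifies as "grant" for an operator the user does not recognise is the case the warning describes; "malformed" should be treated as a reason not to sign.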
At the time of writing, the website was functional. Premint has pushed an update to the website that removes the need for users to log in using their wallets. Users can now use Twitter or Discord accounts rather than wallets when logging back into the platform. “It’s safer and way more convenient. Especially on mobile.”