We’re still in the Wild West days of Web3. As the crypto ecosystem grows, so has the number of bad actors looking for ways to steal users’ funds. The rapid growth in popularity of NFTs has led to an increasingly prevalent attack method for scammers – spam NFTs.
Why Spam is a Difficult Problem
Spam is a hard problem to solve. Bad actors are taking advantage of Solana’s low transaction fees to exploit iconic mechanics of web3, such as NFT airdrops.
These unwanted NFTs often claim to give users a free gift or NFT if they click a link in the description. Clicking the link leads users to a site where typically one of two things happens:
Users are asked to approve a transaction to “mint” or “claim” a free NFT, but instead they lose their funds.
They are asked to input their seed phrase, which results in a total loss of funds.
These scams are becoming increasingly sophisticated. For instance, after a contract address and domain are identified as malicious, scammers can change the metadata of an NFT to try to avoid being blocklisted. It can feel like an endless game of whack-a-mole, but one we’re committed to winning.
Phantom’s Solution
In an effort to protect and give users more control over the contents of their wallet, we are excited to introduce the Burn NFT feature in Phantom across all devices.
To remove unwanted wallet spam, simply select the NFT you want to burn in the Collectables Tab, and select the Burn Token function located in the top-right ellipsis menu. Once an NFT is burned, the token is permanently removed from the wallet and you receive a small deposit of SOL that serves as the "rent" used to pay for storage. And while spam NFTs clutter wallets, they are never dangerous to burn.
This builds upon the blocklist of spam and phishing NFTs we have been maintaining and open-sourcing with the community. When our full-time, globally distributed team finds out about a scam NFT, the contract address and domain are added to a blocklist, which hides the NFT from the wallet and creates a warning that the site is malicious.
Our blocklist already contains 800+ mint addresses of malicious NFT collections and is integrated with how we identify scams in our site blocking. If you are interested in flagging scams, you can even create a pull request to our blocklist: https://github.com/phantom-labs/blocklist/blob/master/nft-blocklist.yaml
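The following is an added illustration of the two checks described above, written for this post and not taken from Phantom’s wallet or blocklist code. It assumes nothing about the real nft-blocklist.yaml schema: the two YAML snippets, the mint addresses and the domains are all constructed for the example, and a minimal parser is used so the script runs without PyYAML. An NFT is hidden if its mint address is on the mint list, or if any link in its current metadata points at a listed domain (subdomains included), so a listing’s metadata being swapped after the fact still trips the domain check as long as the link target is listed.

```python
import re
from urllib.parse import urlparse

# Constructed sample lists in the style of a flat YAML sequence.
# These are NOT the real Phantom blocklist entries; addresses and
# domains are invented for this example.
SAMPLE_MINT_BLOCKLIST_YAML = """\
# constructed sample, not the real nft-blocklist.yaml
- CONSTRUCTEDMINTAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- CONSTRUCTEDMINTBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
"""

SAMPLE_DOMAIN_BLOCKLIST_YAML = """\
- free-mint-claim.example
- airdrop-claim.example
"""

# Matches http(s) URLs in free text; trailing punctuation is trimmed later.
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def parse_yaml_string_list(text):
    """Parse a flat YAML sequence of scalars ('- value' lines).

    Deliberately minimal (no nesting, no mappings) so the example runs
    with the standard library only. Comments and blank lines are ignored.
    """
    items = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("- "):
            items.append(line[2:].strip().strip("\"'"))
    return items


def extract_hosts(text):
    """Return the lowercased hostnames of every URL found in text."""
    hosts = []
    for match in URL_RE.finditer(text or ""):
        url = match.group(0).rstrip(".,;")
        host = (urlparse(url).hostname or "").lower()
        if host.startswith("www."):
            host = host[4:]
        if host:
            hosts.append(host)
    return hosts


def host_is_blocked(host, blocked_domains):
    """True if host equals a listed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in blocked_domains)


def classify_nft(nft, blocked_mints, blocked_domains):
    """Decide whether to hide an NFT and say why.

    nft is a dict with 'mint' and a 'metadata' dict carrying whatever
    off-chain fields were fetched (description, external_url). Returns
    ('hide', reasons) or ('show', []).
    """
    reasons = []
    if nft["mint"] in blocked_mints:
        reasons.append("mint address on blocklist")
    meta = nft.get("metadata", {})
    linked_text = " ".join(str(meta.get(k, "")) for k in ("description", "external_url"))
    for host in extract_hosts(linked_text):
        if host_is_blocked(host, blocked_domains):
            reasons.append("links to blocked domain " + host)
    return ("hide", reasons) if reasons else ("show", reasons)


# Constructed wallet contents: one NFT listed by mint, one whose mint is
# unlisted but whose (possibly rewritten) description still links to a
# subdomain of a listed domain, and one clean NFT.
SAMPLE_NFTS = [
    {"mint": "CONSTRUCTEDMINTAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
     "metadata": {"description": "You won! Claim at https://free-mint-claim.example/go"}},
    {"mint": "CONSTRUCTEDMINTZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ",
     "metadata": {"description": "Airdrop: https://claim.airdrop-claim.example/mint."}},
    {"mint": "CONSTRUCTEDMINTCLEANCLEANCLEANCLEANCLEANCLEA",
     "metadata": {"description": "Generative art #12", "external_url": "https://artist.example"}},
]


def run_sample():
    """Classify SAMPLE_NFTS against the sample lists; returns {mint: verdict}."""
    blocked_mints = set(parse_yaml_string_list(SAMPLE_MINT_BLOCKLIST_YAML))
    blocked_domains = set(parse_yaml_string_list(SAMPLE_DOMAIN_BLOCKLIST_YAML))
    return {nft["mint"]: classify_nft(nft, blocked_mints, blocked_domains)[0] for nft in SAMPLE_NFTS}


if __name__ == "__main__":
    for mint, verdict in run_sample().items():
        print(verdict, mint)
```

The domain check is kept separate from the mint check on purpose: the mint list is exact-match and cheap, while the domain list needs suffix matching so that a listed domain also covers hosts like claim.airdrop-claim.example. Both lists are read from the same flat-list parser, so swapping the constructed snippets for a real fetched file only changes the input text.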
Another way we fight against spam NFTs is through a phishing warning system. We are collaborating with Blowfish to introduce improvements to how we alert users to phishing attempts. When spam NFTs trick users into using a misleading site, we issue a warning on any malicious transactions that could compromise their assets or permissions.
Looking ahead
While we’re introducing NFT Burning today, we’re not stopping there. Users can look forward to more automated spam detection in the future. Using providers like SimpleHash and our own internal reporting, we will be able to gauge if an NFT is likely to be spam. We are excited to roll this out to our users in the coming months.
If you have any questions as a user, the Phantom team would love to hear from you at Phantom Support. For any developers who want more information on how Phantom fights spam, or to report a security finding, please reach out to [email protected]. For any general developer inquiries, please feel free to join our developer Discord.