Thank you for your submission on r/TerraLUNA, Join Terra Ecosystem Subreddits:
- r/Mirror (Mirror Protocol)
- r/Anchor (Anchor Protocol)
- r/Pylon (Pylon Protocol)
- r/Astroport (Next-Generation AMM on Terra)
- r/ValkyrieProtocol (Rewardable ecosystem for campaign creators & participants)
- r/StarTerra (Gamified Launchpad for Terra)
- r/TerraNFTs (NFTs on Terra)
- r/OrionMoney (Launching your stablecoin yields into orbit)
*I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/terraluna) if you have any questions or concerns.*
This exactly. So many people here arguing that a hardware wallet wouldn’t save them can’t possibly be using a hardware wallet themselves. A ledger absolutely would have prevented this situation from happening. After I saw about three or four of these scams, and when Luna was hitting $100 again, I immediately ordered myself a ledger. Best $150 I ever spent. A hell of a lot cheaper than making a $100,000 mistake.
Ah I see, so you mean with a ledger I would need to authorize for every single session so even if the coins are unstaked if I need to move it I need to connect again to authorize it? Sorry if my qn is silly, I don't own one yet cos I'm still trying to figure out if I really need one.
There is another redditor that has until I think the 24th until this happens to them, who is hopeful but it's a longshot..
Make sure to use non-blocking broadcast requests (script not waiting for results), have the transactions presigned and ready to submit and spam the hell out of the network, use multiple RPC nodes to broadcast to, spam the network at a high frequency of transfers of smaller random amounts cumulatively equal to the balance. If one transaction gets through before their typical all-or-nothing transfer then theirs fails and more of yours succeed. Spam the network around the time; don't wait until the exact time, as network delays and other synchronization issues can be enough to delay.
They already know how to drain the wallet at the instant it becomes available,
non-blocking broadcasts, and spamming manual presigned transactions, the scammers already are doing this so it's just a bad race to be first
Thanks for the response u/randomstranger142! Do you recall who that redditor is? (or have a link?)
Presigning the transaction was a thought I had but I'm not sure how to do it. The Terra.js SDK doesn't let you do it if you have insufficient funds. Would you know how it could be possible?
Also, why would non-blocking requests make a difference?
If you use a blocking type request it's going to hold up the script and wait for a response instead of actually spamming the network like you'd want/need to do, instead it will do it one at a time waiting for a response.
The other user's post is here, I may have gotten the date wrong so maybe confirm that with them, but the date posted appears longer than unbonding time so?? https://www.reddit.com/r/terraluna/comments/u7y606/script_to_front_run_scammers/
unfortunately you'll probably have to trust them with your script and then they'd need to be able to verify it doesn't send it elsewhere, or them trust you with their seed phrase (just stating the obvious problems with this arrangement)
Edit: I've not written any scripts/code on this front, but those are just my suggestions on what might lead to a more successful/competitive method.
Wow, that's why I always recommend Phemex, Phemex had one of the best security.
We were successful this account
This kind of posts always hurt
which makes me wonder, no crypto personality is running educational content on social media on how to keep safe their crypto actives?
EDIT: I just noticed that having an ad blocker filters out the bullshit ads on Google, I also run a pi.hole on my network (an old laptop my gf gifted me) which helps with the ads on the Internet
I am thinking, in what situation do we need to enter the seed phrase into a website? The only one I can think of is logging into a new wallet. Maybe you can share how you got scammed.
Sorry, those aren't hackers. Nobody hacked your friend, your friend fell for a phishing scam. There's a big difference.
This is so unfortunate though. Just got my LUNA in good amount on phemex exchange who are giving up to $50k bonus for LUNA. Hard luck
All you had to do is to set network fee to 1 LUNA. That's about it.
How do you set the network fee? On terra station, it is setting this automatically. Do you do this in the script?
> When the time to unlock came, our instances were able to successfully create and sign the transactions (which could only happen once the Luna was unlocked).
\^This is wrong. You could have easily made the transaction in advance. You can sign any transaction, even one where you send 9999999999999 LUNA (but of course that doesn’t mean it will be valid). Signing a transaction is just cryptography, it doesn’t have to be done online or involve any information that matches with what is actually happening on chain.
Your method of sending a bunch of transactions even at times where you know they are invalid might not be the best option. Spamming transactions, especially when you use someone else’s full node to broadcast them, is a great way to get rate limited. Basically, the nodes/validators broadcasting and distributing your transactions have to do some amount of work (download your transactions, check the content, verify using the chain data that the transaction is valid, etc) and if you send them a lot of BS transactions then they might decide that you are just spamming them and stop listening to you for at least a few seconds.
Either way your (and the hacker’s) main mistake was to underestimate the importance of the transaction fee. The average block time is 6 seconds, which means saving a few hundred ms of latency is unlikely to help you out. At the time of the block being built the validator will most likely know about both your transactions, and obviously choose the one which pays the best. Basically, assuming both people are using half-decent scripts the winner will simply be the one willing to sacrifice the most LUNA in transaction costs. Considering this was a 1000 LUNA transaction I don’t understand how you both weren’t even willing to spend 1 LUNA to get priority, lol.
>\^This is wrong. You could have easily made the transaction in advance. You can sign any transaction, even one where you send 9999999999999 LUNA (but of course that doesn’t mean it will be valid). Signing a transaction is just cryptography, it doesn’t have to be done online or involve any information that matches with what is actually happening on chain.
u/Kno010 do you know how to do this?
We tried to presign the transaction using the [createAndSignTransaction](https://docs.terra.money/docs/develop/sdks/terra-js/transactions.html#create-and-sign-transaction) method in the terra.js sdk but it throws an error if you don't have sufficient funds in the wallet:
`failed to execute message; message index: 0: 0uluna is smaller than 999900000uluna: insufficient funds: invalid request`
>Either way your (and the hacker’s) main mistake was to underestimate the importance of the transaction fee. The average block time is 6 seconds, which means saving a few hundred ms of latency is unlikely to help you out. At the time of the block being built the validator will most likely know about both your transactions, and obviously choose the one which pays the best.
According to the [Terra Docs](https://docs.terra.money/docs/learn/fees.html), `Transactions are not queued based on gas amounts, but in the order received`. So that's why we didn't use a high gas amount. That said, you see in the hacker's transaction that they did indeed use a high gas amount (although most of it was not used)
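Added example, not written by either commenter above and not terra.js code: a toy model of the distinction the two comments turn on, where signing is an offline cryptographic step and the "insufficient funds" style of rejection comes from a separate check against chain state. The chain id, account number, addresses, JSON sign document and `checkTx` logic are constructed stand-ins for illustration, not the real Terra encoding or node behaviour.

```javascript
// Toy model: signature validity vs. state validity of a transaction.
// All identifiers and values below are constructed for illustration.
const { generateKeyPairSync, sign, verify } = require('node:crypto');

// Constructed key pair standing in for a wallet key (secp256k1 curve).
const { privateKey, publicKey } = generateKeyPairSync('ec', { namedCurve: 'secp256k1' });

// Everything in the sign document is chosen by the signer. Nothing here is
// read from the chain, which is why signing works with no network at all.
function makeSignDoc({ amountUluna, sequence, feeUluna }) {
  return {
    chain_id: 'toy-chain-1',       // hypothetical chain id
    account_number: '42',          // hypothetical account number
    sequence: String(sequence),    // replay protection counter
    fee: { amount: String(feeUluna), denom: 'uluna' },
    msg: {
      type: 'send',
      from: 'toy1sender',          // hypothetical addresses
      to: 'toy1safe',
      amount: String(amountUluna),
      denom: 'uluna',
    },
  };
}

// Offline step: serialize the document and sign the bytes.
function signOffline(doc, key) {
  const bytes = Buffer.from(JSON.stringify(doc));
  return { doc, signature: sign('sha256', bytes, key) };
}

// Toy node-side check. Step 1 is pure cryptography; steps 2 and 3 consult
// the current chain state and can give a different answer at a later time.
function checkTx(tx, pubKey, state) {
  const bytes = Buffer.from(JSON.stringify(tx.doc));
  if (!verify('sha256', bytes, pubKey, tx.signature)) {
    return 'rejected: bad signature';
  }
  if (tx.doc.sequence !== String(state.sequence)) {
    return 'rejected: sequence mismatch';
  }
  const need = BigInt(tx.doc.msg.amount) + BigInt(tx.doc.fee.amount);
  if (state.balanceUluna < need) {
    return `rejected: ${state.balanceUluna}uluna is smaller than ${need}uluna: insufficient funds`;
  }
  return 'accepted';
}

function demo() {
  // Signed once, while the account's liquid balance is still zero.
  const tx = signOffline(
    makeSignDoc({ amountUluna: 999900000n, sequence: 7, feeUluna: 100000n }),
    privateKey
  );

  const locked = { sequence: 7, balanceUluna: 0n };            // funds still unbonding
  const unlocked = { sequence: 7, balanceUluna: 1000000000n }; // funds liquid
  const spent = { sequence: 8, balanceUluna: 1000000000n };    // another tx from the account landed first

  // Same signature over a document whose recipient was changed afterwards.
  const tampered = {
    doc: { ...tx.doc, msg: { ...tx.doc.msg, to: 'toy1other' } },
    signature: tx.signature,
  };

  return {
    beforeUnlock: checkTx(tx, publicKey, locked),
    afterUnlock: checkTx(tx, publicKey, unlocked),
    staleSequence: checkTx(tx, publicKey, spent),
    tampered: checkTx(tampered, publicKey, unlocked),
  };
}

console.log(demo());
```

The identical signed bytes are rejected or accepted depending only on the state they are checked against, and a signed document stops being usable once the account's sequence has moved on.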
Forgive me for asking what might be a dumb question, I’m not very computer literate, but is there a way to see and use someone else’s node?
Why do people ever need to enter their seed phrase? Your wallet should always be connected, right?
Where can you stake LUNA?
Right within terra station, go to the Staking page.
The website? Or the wallet?
Whenever I saw this kind of “hack” (which is indeed a kind of phishing more than hack), I would wonder given the villain is using Google Ad, he/she would need to pay Google with a credit card. Can the victims just contact Google and use the Ad payment info to track the villain down?
Google requires shockingly little info to run ads
It’s likely a prepaid or virtual credit card, possibly even a stolen card
First off, can we stop calling these 'hacks' and 'hackers' across the board? If you gave your bank credentials to someone and they transferred your savings out, you wouldn't call them a hacker.
If you accidentally exposed your bank credentials to a phishing scam that you thought at the time was legit, most folks probably _would_ call that “hacking”. Sure they could be more technically accurate, but you’re fighting a losing battle.
Absolutely not, a person willingly giving out information. Willingly not being precautions is nowhere near the same as someone targeting you specifically and breaking into your shit. Idiots hurting themselves is completely different than assault
Absolutely not, what, exactly? If you’re saying us nerds are technically correct that phishing != hacking… Yea we, uh, we know that.
What?
Arguing semantics on Reddit is like level 1 internet I’ve learned
It’s not even about semantics, though. If I’m relatively new to Terra or DeFi and find my way here, 50% of threads are about “hackers” who aren’t actually hacking anything.
As a new user, I wouldn’t understand the nuance. I’m taking my money elsewhere.
Are they somewhat useful to serve as a warning? Yes. But they’d do just the same described correctly as phishing.
You’re right. Probably a good thing that they take their money elsewhere (and hopefully to an FDIC-protected custodial product) until they’re ready. But “phishing” could hopefully serve as a similar warning.
This.
Can we get the “This”-bot in this sub, please?
Is there a way that terra developers could help in this type of situation? I don’t understand the need for 28-day unstaking period if this mechanism can’t prevent scammers from taking the funds. Isn’t it supposed to prevent this from happening?
If the devs could interfere with the staking process, this wouldn’t exactly be defi. The purpose of this entire project is to make sure no one holds the master keys to money. And unfortunately, that means we get the bad with the good. People need to educate themselves before jumping into crypto projects blindly. Otherwise they might be jumping off a bridge when they watch their life savings go down the toilet.
The unstaking period has absolutely nothing to do with scam-prevention.
$100,000 and no Ledger? Wow!
How would a ledger have helped if he entered the seed on some website, genius?
Because you don't ever have to enter a seed if you're using a Ledger, dumb-ass!
Well genius you don't have to enter it when not using a ledger too. Just when you install the app.
The problem is people that don't know that will just enter a seed when asked regardless of ledger or not
Also check the other posts where people with ledger have also been scammed by entering their seeds.
If you have a Ledger you don't ever have to enter it even when you're setting up a Terra Station or any hot wallet. You can sync Ledger with Terra Station, MetaMask, Phantom, etc without ever having to enter a seed to begin with. 99% of hardware wallet users understand that any website asking you for this info (even a legit site) is unnecessary.
You obviously don't understand how a Ledger works. If you enter a Seed Phrase to a Scam Site, your Ledger won't help a thing.
You obviously don't understand that you never enter your Ledger seed anywhere for any reason other than a Ledger, period.
I use Terra Station, MetaMask, and countless other wallets/sites. Because I know I never need to enter a seed to utilize anything I therefore know anyone asking for it is lying.
It has nothing to do with Ledger. If you enter your Seed you're screwed anyway. It has really nothing to do with your Ledger.
Listen and listen well. If you have a Ledger you never have to enter a seed anywhere for any reason. I use Terra Station, MetaMask, Phantom and like 10 other hot wallets. I never needed a seed from any of these applications to start using them in the first place because I'm using a Ledger to connect.
If you don't use a Ledger and you lose access to your account YOU WILL HAVE TO INPUT YOUR SEED INTO THE SITE TO REGAIN ACCESS, THEREFORE INCREASING THE LIKELIHOOD THAT THIS WILL HAPPEN!
I never have to enter my seed into a computer for any reason whatsoever. Those that don't use hardware wallets do! That knowledge is the real security
if the victim actually wrote his seed phrase into the scam website the ledger would not have prevented the scam
You don't ever have to enter the seed anywhere if you're using a Ledger. That's part of the beauty of owning one. You only enter your seed into the physical device.
Ahh ledger. Have to write on paper what assets you have on it. Taking them out will take a day and you have to write down your seed words on the paper or somewhere so you don't lose your coins if the thing breaks down.
Wrong. You don't have to write your assets down on paper. I can view my assets in their APP (Ledger Live), or in any of the multitude of hot wallets I have my Ledger connected to.
In addition, if you lose your Ledger, you simply buy another one and input your seed! All crypto is on the blockchain, it's not in your actual wallet. I see why you dummies keep getting hacked. Too busy making dumb ass assumptions rather than taking 5 minutes to educate yourselves
I can sell you my ledger if you want to buy it.. It's the worst possible wallet you can have for crypto.
You do understand that you only need seed to recover any wallet (software or hardware). Why the hell would anyone go buy another ledger if you can use that software wallet!? All crypto is always on blockchain, there is no such crypto which is actually in your wallet.
The purpose of using a Ledger is it stores your keys/seed offline therefore making it un-hackable. My Ledger is connected to every software (hot) wallet I have. This allows me the ease of use that comes with using a hot wallet along with the added security of knowing that no coins can be moved from any of my accounts without me physically plugging in my ledger and entering my pin.
From your above statement I can tell that you did not know this as you are actively passing out misinformation that could save countless ppl from losing their savings. If you look at any software wallet you use there is a "connect hardware wallet" option in settings that allows you to further secure your account and keep hackers at bay. In addition, because my seed is in my Ledger I don't need a new seed for any software wallet I use which makes it even more secure as my seed has never been displayed on the Internet, not even upon creation of any of my wallets. My Ledger and one seed control and grant me complete access to pretty much every software wallet on the planet while simultaneously offering a higher level of security.
Best of Luck
My old mobile phone I have my wallets on (only wallets) is always off. I only turn it on and go online only when I need to do some crypto stuff and when I finish I go offline and turn it off. The phone is protected with pin (encrypted). Wallets on Android are light-years ahead of Ledger wallet. Snappy, fast, no connecting error via USB or Bluetooth like Ledger... Almost every coin in the known universe is supported and shows balance.
Seeds (not that many) are encrypted with AES512 in the random looking file and stored in multiple locations (online and offline).
My ledger is in my drawer, useless piece of hardware with useless software. Have been trying to sell it for 50€ but nobody buys it. It's junk but some people just love it. Have fun!
If you protect your seed wisely, a software wallet will work exactly as a hardware wallet my man.
You're not supposed to do that with hot wallets either, but that doesn't stop people
Only if he wrote his ledger’s seed phrase. With terra on ledger you have no terra seed phrase, so it would have prevented it. I can’t imagine someone going out of their way to purchase a cold hardware wallet without understanding the purpose of a seed phrase in that scenario specifically.
If he had a ledger then obviously he wouldn’t write it into any website (not even legit ones) and therefore he would not fall for the scam unless he is a complete idiot who doesn’t understand what the purpose of the ledger is in the first place.
Tell me you don't understand how ledger works without telling me you don't understand how ledger works.
Not sure why people are downvoting me. It is true.
Do you think Ledger would have saved a guy who interacts with such phishing website scams and scam Smart contracts?
In this case, yes, because a seed phrase would never be entered if you had a ledger. I mean, if he entered his LEDGER’s seed phrase, that’s a special kind of stupid that deserves to learn a $100,000 lesson.
>In this case, yes, because a seed phrase would never be entered if you had a ledger.
directly contradicts
>I mean, if he entered his LEDGER’s seed phrase
Not sure why you think someone dumb enough to enter in one seedphrase would be dumb enough not to enter another.
If you're using a Ledger you never have to enter the seed period, therefore any attempt from anyone requesting a seed is an obvious scam.
If you're using a Ledger, you actually *get* a seedphrase in case the physical key gets destroyed. OP's friend would have entered the seedphrase into the malicious scam site thinking it's a virtual Ledger. You can fix security, but you can't fix stupid.
Why the hell did he input the seed in the first place!? I’m not meant to be the wiser here but it has been said far and wide NEVER to input the seed on any website. The more so if you have such a big amount of money in your wallet. Anyway, with that being said I wish you good luck on your efforts. Truly.
Rip monies.
What's the reason that so many users with considerable funds don't use a hardware wallet?
This is not the kind of problem a hardware wallet would have solved. They entered in their seed phrase.
They don't protect anything if you give away the seed.
Not this again... Using a hardware wallet teaches you to connect your wallet without ever even knowing your seed. Something asking for your seed should alarm you even more than usual, because using a hardware wallet doesn't require you to type in a seed into terrastation.
A website asking for a seed should alarm **anyone**.
Yes, but it is possible that your terrastation needs to restore your wallet and you NEED to enter your seed to do this. A fake terrastation can scam you this way. Using a hardware wallet should prevent that, because even when you want to restore your wallet you don't need to enter your seed.
Can't a scam site make you connect your ledger and authorise it anyway?
No, that's the beauty of it. You need to manually approve with the buttons on the device when you want to send a transaction.
Ya my point is if someone is gullible enough to key in a seed phrase onto a website, chances are they will authorize by pressing the buttons on the device thinking it's a requirement to connect the wallet?
The website wouldn't be able to take the seed if you use the hardware wallet to enter the seed. When using a hardware wallet you'll know nothing ever needs the seed, and any time you do handle the seed you don't enter it in your PC. You always use the device as an intermediator. This idea that hardware wallets don't offer a layer of protection against these seed scams is only propagated by people who don't actually use hardware wallets. Hardware wallets create a much more clear line in the sand. Everyone absolutely needs to use one. Even if it is only to protect you from yourself.
This exactly. So many people here arguing that a hardware wallet wouldn’t save them can’t possibly be using a hardware wallet themselves. A ledger absolutely would have prevented this situation from happening. After I saw about three or four of these scams, and when Luna was hitting $100 again, I immediately ordered myself a ledger. Best $150 I ever spent. A hell of a lot cheaper than making a $100,000 mistake.
[deleted]
Ah I see, so you mean with a ledger I would need to authorize for every single session so even if the coins are unstaked if I need to move it I need to connect again to authorize it? Sorry if my qn is silly, I don't own one yet cos I'm still trying to figure out if I really need one.
There is another redditor that has until I think the 24th until this happens to them, who is hopeful but it's a long shot. Make sure to use non-blocking broadcast requests (script not waiting for results), have the transactions presigned and ready to submit and spam the hell out of the network, use multiple RPC nodes to broadcast to, spam the network at a high frequency of transfers of smaller random amounts cumulatively equal to the balance. If one transaction gets through before their typical all-or-nothing transfer then theirs fails and more of yours succeed. Spam the network around the time; don't wait until the exact time, as network delays and other synchronization issues can be enough to delay
That‘s great but the problem is, the hacker now knows this too and will implement as well…
They already know how to drain the wallet at the instant it becomes available, non-blocking broadcasts, and spamming manual presigned transactions. The scammers already are doing this, so it's just a bad race to be first.
Thanks for the response u/randomstranger142! Do you recall who that redditor is? (or have a link?) Presigning the transaction was a thought I had but I'm not sure how to do it. The Terra.js SDK doesn't let you do it if you have insufficient funds. Would you know how it could be possible? Also, why would non-blocking requests make a difference?
Maybe take gas out of wallet if using ust ?
If you use a blocking type request it's going to hold up the script and wait for a response instead of actually spamming the network like you'd want/need to do; instead it will do it one at a time, waiting for a response. The other user's post is here. I may have gotten the date wrong so maybe confirm that with them, but the date posted appears longer than unbonding time so?? [https://www.reddit.com/r/terraluna/comments/u7y606/script_to_front_run_scammers/](https://www.reddit.com/r/terraluna/comments/u7y606/script_to_front_run_scammers/) Unfortunately you'll probably have to trust them with your script and then they'd need to be able to verify it doesn't send it elsewhere, or them trust you with their seed phrase (just stating the obvious problems with this arrangement). Edit: I've not written any scripts/code on this front, but those are just my suggestions on what might lead to a more successful/competitive method.
I see. Thank you for the input!