🔍 Seaport Zero Order Phishing Attack 🔍
Challenge: Identify Zero Price Phishing Orders in Seaport Protocol
Educational Purpose Only - Phishing Simulation
Scenario Description
You are an NFT collector who owns a valuable Bored Ape Yacht Club NFT. You receive a notification
that someone has made an offer to buy your NFT for 100 ETH. After clicking the link, you see the
following order:
Seaport Order Details
{
  "parameters": {
    "offerer": "0x6278A1E803A76796a3A1F7F6344fE874ebfe94B2",
    "offer": [
      {
        "itemType": 2,
        "token": "0xBC4CA0EdA7647A8aB7C2061c2E118A18a936f13D",
        "identifierOrCriteria": "8865",
        "startAmount": "1",
        "endAmount": "1"
      }
    ],
    "consideration": [
      {
        "itemType": 0,
        "token": "0x0000000000000000000000000000000000000000",
        "identifierOrCriteria": "0",
        "startAmount": "0",
        "endAmount": "0",
        "recipient": "0x6278A1E803A76796a3A1F7F6344fE874ebfe94B2"
      }
    ],
    "orderType": 0,
    "startTime": "1678969800",
    "endTime": "1679574600",
    "zoneHash": "0x0000000000000000000000000000000000000000000000000000000000000000",
    "salt": "16356",
    "conduitKey": "0x0000007b02230091a7ed01230072f7006a004d60a8d4e71d599b8104250f0000",
    "totalOriginalConsiderationItems": 1
  },
  "signature": "0x3c7913f7e9842e432525e3a60c85412f14f824abf4068052732fae7d3ecd8d1e"
}
Your Task
Analyze the Seaport order above and determine whether it is a legitimate purchase order or a phishing
order attempting to steal your NFT.
Please answer the following questions:
1. Is this a phishing order?
   - Yes, it's a phishing order
   - No, it's a legitimate order
2. What would happen if you accept this order?
   - I would receive 100 ETH and transfer my NFT
   - I would transfer my NFT for free without receiving any ETH
   - Nothing would happen, the order is invalid
3. What is the issue with this order?
   - The signature is invalid
   - The price is set to 0 ETH
   - The token address is incorrect
   - There is no issue, the order is legitimate
Explanation: Seaport Zero Order Phishing Attack
This is a typical Seaport zero order phishing attack. The attacker has created an order that
appears to offer a high price (100 ETH) for your NFT, but in reality, the consideration in the
order is set to 0 ETH.
In the Seaport protocol, orders consist of two parts:
- offer: What the seller is offering (in this case, your NFT)
- consideration: What the buyer is offering in return (should be ETH or other tokens)
In this phishing order, the key issue is:
"consideration": [
  {
    "itemType": 0,
    "token": "0x0000000000000000000000000000000000000000",
    "identifierOrCriteria": "0",
    "startAmount": "0",
    "endAmount": "0",
    "recipient": "0x6278A1E803A76796a3A1F7F6344fE874ebfe94B2"
  }
]
Notice that both startAmount and endAmount are set to "0", which means if you accept this order, you
would be giving away your NFT for free without receiving any ETH in return.
How to Protect Yourself:
- Always carefully check the consideration section in Seaport orders, ensuring that startAmount and endAmount match the displayed price
- Use trusted NFT marketplaces like OpenSea that have built-in protections against these types of attacks
- Don't click on links from unknown sources or accept unverified orders
- If a price seems too good to be true, it probably is
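The first check above can be automated before any signature prompt is approved. The following is an added example, not code from this challenge page or from Seaport: `reviewOrder`, `guaranteedPayment`, `displayedPriceWei` and the finding labels are hypothetical names, and it goes slightly beyond the page's case by taking the lower of startAmount and endAmount and by counting only payments addressed to the offerer.

```javascript
// Added example: review a Seaport order's consideration before signing.
// Seaport ItemType enum: 0 = NATIVE (ETH), 1 = ERC20, 2-5 = NFT variants.
const NATIVE_ETH = "0x0000000000000000000000000000000000000000";
const WEI_PER_ETH = 10n ** 18n;
const isCurrency = (item) => item.itemType === 0 || item.itemType === 1;

// Lowest amount of `paymentToken` the offerer is guaranteed to receive.
// The amount moves from startAmount to endAmount over the order's lifetime,
// so the lower of the two is the safe figure to compare against.
function guaranteedPayment(params, paymentToken = NATIVE_ETH) {
  const offerer = params.offerer.toLowerCase();
  let total = 0n;
  for (const c of params.consideration) {
    if (!isCurrency(c) || c.token.toLowerCase() !== paymentToken.toLowerCase()) continue;
    if (c.recipient.toLowerCase() !== offerer) continue; // paid to someone else
    const start = BigInt(c.startAmount), end = BigInt(c.endAmount);
    total += start < end ? start : end;
  }
  return total;
}

// reviewOrder and displayedPriceWei are hypothetical names for this sketch.
function reviewOrder(order, displayedPriceWei, paymentToken = NATIVE_ETH) {
  const p = order.parameters;
  const givesNft = p.offer.some((o) => !isCurrency(o));
  const paidWei = guaranteedPayment(p, paymentToken);
  const findings = [];
  if (givesNft && paidWei === 0n) findings.push("ZERO_CONSIDERATION");
  else if (paidWei < displayedPriceWei) findings.push("PRICE_BELOW_DISPLAYED");
  return { paidWei, findings };
}

// Sample input: offer and consideration fields copied from the order on this page.
const OFFERER = "0x6278A1E803A76796a3A1F7F6344fE874ebfe94B2";
const nft = { itemType: 2, token: "0xBC4CA0EdA7647A8aB7C2061c2E118A18a936f13D",
  identifierOrCriteria: "8865", startAmount: "1", endAmount: "1" };
const pay = (start, end) => ({ itemType: 0, token: NATIVE_ETH, identifierOrCriteria: "0",
  startAmount: String(start), endAmount: String(end), recipient: OFFERER });
const makeOrder = (start, end) =>
  ({ parameters: { offerer: OFFERER, offer: [nft], consideration: [pay(start, end)] } });

const pageOrder = makeOrder(0n, 0n); // amounts as shown on this page
const constructedFair = makeOrder(100n * WEI_PER_ETH, 100n * WEI_PER_ETH); // constructed
const constructedDecay = makeOrder(100n * WEI_PER_ETH, 0n); // constructed edge case

console.log(reviewOrder(pageOrder, 100n * WEI_PER_ETH).findings);
```

Amounts are handled as BigInt because wei values exceed JavaScript's safe integer range.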
Comparison of Legitimate vs. Phishing Orders:

| Parameter | Legitimate Order | Phishing Order (Current Case) |
| --- | --- | --- |
| offer | ETH from buyer | NFT from seller |
| consideration | NFT from seller | 0 ETH |
| startAmount/endAmount | Matches displayed price (e.g., 100 ETH) | Set to 0 |