Generative Art Fraud Proofs

Security Apr 26, 2022

The Ethereum NFT heads may have stumbled on something quite useful. As artists often do.

Generative art has entered the public consciousness recently (or at least mine), thanks to some of the shenanigans over at the Ethereum NFT market.

While I have not researched the history of this specific art form, its likely never had this popularity before, nor this much potential utility to the cybersecurity sector.

Let me explain.

First of all. I'm not interested in the NFT aspect of this at all, I'm talking about the method of art generation specifically.

As far as I can tell, some of these projects are generating content algorithmically based on a flexible but defined structure.

For example. https://ethblock.art/create.

The algo seems to take the initial input, in this case ETH block data. Then uses some aesthetic parameters to transform that into something pretty or at least visually interesting to human beings.

As you manipulate the levers on the right, you get different results.

This on its own is nothing new, really.

But what if the data it was fed, was actually meaningful? Say the terms of a cryptographic contract?

Case in point, the Ape Yatch Club hack on Instagram last week.

Coinbase reports:

"Over $13 million in NFTs was stolen after Bored Ape Yacht Club’s Discord server and Instagram account were hacked, and followers recieved an unofficial “mint” link. “The Hash” group discusses BAYC’s history of phishing attacks and how regulators might react as investors undeservingly lose valuable assets."

The link sent to users by the hacked accounts was simply put, a fraudulent 'smart contract'.

It claimed to be signing a message of some sort, something relatively harmless that could enlist users in an airdrop. But which required the use of the same private keys that held the NFT Apes worth millions. (*insert facepalm emoji here*)

Instead of just signing a message though, it -of course- just sent the monkeys out to the attacker's account instead.

Why is this possible? Well have you ever read the bs metamask spits at you when you sign one of these messages? It probably looked something like this.


A meaningless script to any human not versed in crypto babble.

Now, while it may be tempting to dunk on eth head 20-something-year-olds who felt rich cuz of their overpriced monkey jpegs.

This kind of phishing attack could be launched at Bitcoiners just the same, say with a fraudulent multisig script.

For example. An interface might tell you that you are agreeing to a 2 of 3 multisig, but instead, you signed a 2 of 4, with the attacker controlling 2 keys.

Could you tell the difference?

The computer has to be able to, for you to be able to sign the thing. And that's the point.

Maybe instead of expecting the world to get hip with cryptography. We simply reinterpret cryptographic facts into emojis and let art communicate to the noobs on the other side.

To miss quote George Carlin. If you think the average man is dumb, wait until you meet the other half who is dumber than that.

Another example could be mobile app permisions. While those interfaces are pretty refined by this point, how many people actually read what they are agreeing to? few, I'm sure.

Perhaps if they saw a generative piece, with their pfp giving a microphone, camera and photo album to the app company logo ... maybe then they'd understand what they are signing up for.

This could be done in a deterministic, locally processed way fairly easily I bet. So that it could run offline and not have to be downloaded, risking a man-in-the-middle attack.

Anyway, while I could elaborate on this idea for another 500 words or so, I think I've made my point. Instead, I'll let some finish off this post.  

🙈👉🔑👹💰💨🚀

All the best

Juan Galt

🙃

Tags

Juan Galt

#Bitcoin Evangelist. Shitcoin Minimalist. Loss prevention & recovery nerd. Frog connoisseur. Sometimes writes blog posts.

Great! You've successfully subscribed.
Great! Next, complete checkout for full access.
Welcome back! You've successfully signed in.
Success! Your account is fully activated, you now have access to all content.