Stelo Labs
@stelolabs
Followers
7K
Following
564
Media
70
Statuses
315
Stelo Labs has shut down. We made crypto safe and easy.
Joined October 2021
We’re sunsetting the Stelo extension, Stelo Explore and as we focus on problems outside web3 security. Stelo Labs is still at it, expect more from us soon. We wrote more about why we’re sunsetting Stelo and what we learned here.
16
4
43
1/ OpenSea's seaport is a versatile contract that can be used for transfers, swaps, bids, sales, and more. But it has a dark side. As @kevinrose found out the hard way, Seaport lets attackers steal ALL your NFTs. An illustrated explainer and how to protect yourself 👇
17
76
238
Today we're announcing three new products to make web3 safe and easy for everyone. We're also excited to announce that we've raised $6m led by @a16zcrypto. First, we're launching Stelo v2 - the Stelo extension you know and love but simpler, faster & easier to use.
21
56
238
Today we're excited to share Stelo - a tool that protects you from web3 phishing and scams. Stelo explains web3 transactions in plain English before they hit your wallet and alerts you if they look malicious. We built Stelo so you can explore web3 with peace of mind.
10
34
211
11/ We reverse-engineered the signature that @kevinrose signed and passed it through Stelo. If @kevinrose had Stelo this is what he would have seen:
15
40
188
10/ Here are three things you can do today to protect yourself:. 1) Never sign messages or transactions from wallets that hold NFTs. 2) Revoke open approvals using @RevokeCash . 3) Install an extension that analyzes transactions proactively like @stelolabs or @PocketUniverseZ.
2
11
57
🔐Today's @BanklessHQ newsletter had some solid advice to level up your wallet security. @delegatecash for claiming airdrops/mints. @RevokeCash to revoke token approvals. @stelolabs to make every transaction understandable and safe.
3
14
45
Launch day 🚀.
1/ Introducing Stelo Explore: the Universal Interface for every smart contract. We’re in the command line era of interacting with contracts. At @stelolabs we think it’s time for an upgrade.
6
4
29
Over $2.5B worth of crypto has been stolen in the past 18 months. In this two-part report, we deep dive into the major attacks and tooling built to prevent them. The State of Web3 Security: Part 1, Attacks
3
4
32
Early this morning an attacker stole over $4m worth of $DAI and $USDC using a gasless signature attack. This is not just another story of a phishing attack. This one is getting interesting. Read on for this developing story 👇
4
9
23
2/ It starts when you set an "approval" to Seaport when listing an NFT for sale. These approvals are harmless by themselves and are even necessary to sell on OpenSea. But it's like leaving your front door unlocked. So how did attackers enter Kevin’s house and steal everything?.
1
0
23
4/ They have two components - an offer and a consideration. The offer describes what you're listing for sale. The consideration describes what you want in exchange for the offer, usually some ETH or WETH. Simple enough. But here's where things get interesting.
1
0
20
5/ We're grateful to have the backing of @a16zcrypto @firstround @pearvc @BoxGroup @chainforestxyz @opensea @homebrew @louisberyl @sabrinahahn @zoink @gokulr @dwr @lennysan @XooglerCo @marcbhargava @akashgarg @tmcleod3 and many more incredible angels.
3
1
23
3/ Kevin landed on a phishing website that asked him to sign a gasless signature. On the surface it looked like any other Seaport listing - one you'd use to list an NFT for sale. So how'd it steal all of Kevin's NFTs? Well, that's the thing about Seaport listings. .
2
0
20
5/ Considerations can be sent to ANYONE!. This is used, for example, to send royalties to the creator and platform fees to OpenSea. But wait, it gets even more interesting.
1
0
18
9/ It sucks, but that’s the downside of Seaport. But all hope is not lost - there are tools and best practices that you can use to avoid ending up in the same situation as Kevin.
1
0
18
6/ Considerations can be used to send ANY asset… including… the assets in the offer themselves. If that sounds confusing, it’s because it is! Let’s explain it with a diagram.
1
0
18
7/ Okay, so back to Kevin. At some point in the past, Kevin set approvals for his Autoglyphs, Squiggles, etc. to OpenSea. Then, he landed on a phishing website and signed a Seaport signature that looked like this:
3
0
17
Our mission at Stelo Labs is to make web3 more secure and usable so that you can explore the frontier with confidence and peace of mind. You can download Stelo from our site, let us know what you think!.
0
1
18
4/ Finally, we're launching @approvals_xyz - an intuitive way to understand your token approvals and revoke them. recommends which approvals to revoke and a health score to understand your risk. Check it out and share your score!.
3
0
16
New milestone unlocked 🔓. Thousands of people are trusting us to keep them safe every day. We're proud to be protecting wallets with assets worth over $200m
4
1
17
1/ We believe in security through openness, so today we’re open-sourcing the Stelo extension!. We encourage you to . 1. Try and find vulnerabilities in our approach.2. Install the extension directly from source. More about how Stelo works below 🧵.
1
2
16
8/ The attacker submitted this signature in a transaction to the Seaport contract. Since Seaport already had approvals to Kevin’s NFTs, it was able to transfer them all to the recipient specified in the considerations. Here’s the transaction:
2
0
15
In Part 1 of the State of Web3 Security Report, we wrote about the major attacks of the past 18 months. This week we're writing about solutions. The State of Web3 Security: Part 2, Tooling
1
4
14
Had a great call with the @proof_xyz community on wallet security and best practices. Thanks for having us!.
1
1
16
Announcing Stelo 2.0.6 with some big new features. Stelo now works with every @WalletConnect wallet including @rainbowdotme @uniswap @trustwallet. Stelo now supports @arbitrum and @0xPolygon with @optimismFND coming 🔜. That's not all- Stelo now lets you launch trusted dapps👇
3
6
13
Thank you for the love Kevin 💜 We're devastated by what happened but even more committed to making web3 more secure and usable. 👋 Hi new followers! . Say hi and introduce yourself below and let us know if you have any product feedback 👇👇.
Just installed this today, a solid team backed by @a16zcrypto.
5
1
15
We have a bunch of new features we launched this week that we’re excited to share. 1. @safe (formerly Gnosis Safe) support.2. Seaport bulk listing experience.3. Stelo Risk Engine.4. Our new Discord community. Let’s dig in 👇
1
5
14
We ❤️ @skiffprivacy.
.@skiffprivacy is now verified on @stelolabs for privacy-respecting, trustworthy transactions with your wallet!. Try it out at
0
1
11
2/ Since we first launched Stelo we've received a lot of interest from developers wanting to integrate Stelo's intelligence into their products. We heard you - the API that powers Stelo is now available to all.
1
0
14
6/ Whether you're a dev or a degen, NFT trader or DeFi enthusiast - Stelo gives you confidence and peace of mind on your web3 journey. We're on a mission to make web3 safe and easy to understand. Join us by downloading Stelo today.
1
1
14
1/ Web3 security can be a bit overwhelming. Our goal at Stelo Labs is to help simplify it so you can use web3 with peace of mind. Let's dive into a typical Stelo transaction: transferring an NFT to another address 👇
1
3
13
Web3 can be a scary place. In the last year alone over $100m of NFTs have been stolen. Wallets don't help you understand what you're signing. Even with a hardware wallet, you can still sign a malicious transaction and lose your assets.
1
1
13
10000000000000000000x better just became a 10x better and we're ok with that.
Our most requested feature on Stelo Explore after we launched. Now just input the value you want, not the 18 digit version you always mess up. Introducing ✨magic inputs✨ on
2
3
9
⚠️⚠️ New scam alert ⚠️⚠️. There is a new wallet drainer website (mimicshhan dot com) impersonating the official @MimicShhans website. Stelo protects you against this type of Seaport bulk listing attack 💪. Please spread the word @Wii_Mee @FreekyCrypto @BoringSecDAO @Feld4014 🙏
1
2
10
Stelo is a browser extension that works alongside the wallet you already use. It never has access to your private key or seed phrase. Stelo simulates, interprets, and enriches transactions before they hit your wallet so you never have to blind-sign again.
1
1
13
3/ In addition to the API, we also built Stelo Embed - a React SDK that lets you embed Stelo transaction screens into your wallet or dApp, kind of like a rich checkout screen. It gives you all the benefits of the Stelo API in minutes of dev time.
1
0
12
Azuki twitter was hacked tweeted out a wallet drainer. Things seem to be under control and the tweet is deleted. There are lots of exciting projects launching but it's important to stay safe. Here's what Stelo shows.
0
3
11
Stelo's risk engine learns from your interactions and gets smarter over time. When you use Stelo, you not only protect yourself, but also help the entire web3 community stay safe. We call it Web3 Herd Immunity.
1
1
12
2/ Stelo is not a wallet. It cannot move your funds and never has access to your seed phrase or private key. Stelo “wraps” the window.ethereum JavaScript object that wallets like MetaMask inject into websites. Stelo intercepts transactions before they hit MetaMask.
2
2
8
🚩Some classic twitter red flags that are likely scams🚩. - Mint tweet w/ replies off, hundreds of quote tweets.- DM'd a link or offer.- Tagged for "whitelist" spot. But most importantly:.- Does the link try to steal your NFT?. Easier said than done. Stelo is here to help🙏
0
1
10
Companies like @FortaNetwork are going a step further and building an entire decentralized security monitoring network that is protecting billions in TVL.
3
1
11
$ARB (💙,🧡) frens, please stay safe this week -- there are already scam websites popping up. Follow the official @arbitrum account and make sure you have Stelo installed before you interact with any Dapp.
🚨 $ARB Arbitrum Airdrop Livestream🚨. TODAY @hkalodner and @sgoldfed join us on @BanklessHQ . - launch of Arbitrum Governance .- $ARB Airdrop and distribution. 4pm EST TODAY. 👇👇👇 Join us!.
1
0
9
🚩🚩 NEW SCAM. This is a website pretending to be an official @yugalabs marketplace. When you connect your wallet it asks you to sign a hashed message - a big NO. ✅ Stelo protects you from such message-signing attacks.
🚨SCAM ALERT🚨. Yugalabs impersonating account riding an active scam. ⚠️ Notice the i on the fake URL ⚠️. Official is @yugalabs . Please report and block🙏🏼
1
1
10
The SushiSwap hack is a good reminder that even approvals to known contracts can be risky. Use @approvals_xyz to revoke all open approvals and keep your wallet safe.
ICYMI sushi swap has been exploited. Make sure to revoke! . And for good measure, get your wallet health up to 100 by revoking access to all contracts.
1
0
5
We all know to keep our seed phrase safe, but did you know your assets are still at risk if you aren't careful with approvals?. Here’s a primer on setApprovalForAll—an essential function, but also one of the most common attack vectors—and how to stay safe while exploring web3🧵👇
1
4
8
How to spot a web3 phishing attack on Twitter - a comprehensive breakdown of all the red flags to look out for 🚩🚩🚩🚩🚩🚩🚩. 1/ You get tagged by an anon in a retweet
1
2
6
@thefunnyguysNFT @chriswallace We don’t have access to your MetaMask but always good to stay vigilant.
12
0
2
We take site verification very seriously at Stelo since it's so important to trust and security. You can now request site verification Please retweet and tag your favorite sites to keep everyone safe.
1
2
7
As crypto threats evolve, the tools we have to stay safe will too. Learn more about the latest developments in security tooling with part 2 of our state of web3 security report:.
1
1
6
signTypedData is used in many marketplaces to list NFTs for sale. This is what it looks like when listing an NFT in MetaMask:
11
0
3
Thank you to all the Stelo users helping make web3 a safer place. We're thrilled by the reception to the Stelo launch. Let us know if you have any issues - our DMs are open.
0
0
7
Did you know that @opensea didn’t invent the marketplace contract they used for most of their life? . The Wyvern Protocol was developed by a different team and used by OS for four years before their recent upgrade to Seaport. A history of Wyvern:. 1/n.
Congrats to OpenSea on launching their Wyvern integration, allowing users to place bids for any nonfungible token (without even paying gas), now live on mainnet!
1
1
6
It seems like in order to do anything in crypto, you need to sign something. Ever wondered what signing does and why you need to do it?. Here's a guide to signatures and how to stay safe 🧵👇.
1
2
5
Great summary of Wallet Security best practices below + full recording of the Twitter Space. We are fully supportive of the NFT artist community - you are the lifeblood of web3. It's our pleasure to help keep you safe.
1/. Thanks, @benscharfstein & @0xamand, for a fantastic space and free-flow sharing of knowledge. Thanks to my co-hosts @MedusaMarie_art & @PrinceAroraSS. Special mention: @rdtect - for good questions. Recording in the quoted tweet in case you missed the space.
0
2
5
@lxj39631 This is the MetaMask UI — Stelo should have popped up first. Did you see it before this?.
9
0
1
5/ We’re incredibly excited to contribute Stelo to the open, permissionless, interoperable ecosystem of web3 and encourage devs to fork it and build on it. Check out the code and let us know what you think! .
1/ We believe in security through openness, so today we’re open-sourcing the Stelo extension!. We encourage you to . 1. Try and find vulnerabilities in our approach.2. Install the extension directly from source. More about how Stelo works below 🧵.
0
1
6
Make sure to check out part 1 of our report on the major attacks in the last 18 months.
Over $2.5B worth of crypto has been stolen in the past 18 months. In this two-part report, we deep dive into the major attacks and tooling built to prevent them. The State of Web3 Security: Part 1, Attacks
0
0
4
Here's what the victim would have seen if they had Stelo installed.
1
0
5
3/ A malicious extension could modify the transaction before sending it to MetaMask and you might be tricked into signing something malicious even on a trusted site. Stelo does NOT do this – it passes along the exact transaction the website initially sent.
1
1
5
This is what Stelo will show you on malicious websites, preventing you from accidentally signing malicious transactions and signatures. Please encourage your friends and communities to download Stelo.
1
1
5
One of the biggest trends has been the rise of pre-transaction extensions. Crypto has long had usability concerns, but extensions such as @wallet_guard, @_joinfire, @PocketUniverseZ, and (of course) @stelolabs are taking leaps to make it safer to explore web3.
1
0
4
We're very happy to be a supporter of .@BoringSecDAO. Their security classes and community are truly excellent!. The @MurAll_art minting experience was 🔥
Today, in partnership with the awesome team at MurAll, we're releasing our Supporter DAO token. Together I think we've built a cool concept which could be applied across other Public Good Funding Models in the future!. Please, read on!👇
0
1
6
4/ In general, you should be wary of new projects that are closed-source. Even when the developers are well-intentioned, bad things happen. Last month users of the @slope_finance wallet lost more than $8m because Slope leaked seed phrases.
Let's clear some things up with respect to the recent exploit affecting some @solana wallets. While still being thoroughly reviewed by security researchers, the hack was isolated to Slope mobile wallet users.
1
1
6
New scams everyday but none of them can get past Stelo 🫡. This one is a fake @Poolsuite mint (poolsuite dot freemint-fast dot com). @0xFantasy do your thing!
0
2
6
@GoplusSecurity @coinbase @lifiprotocol @realMaskNetwork @MetaMask @iSafePal @soulwallet_eth @Starknet @zerion @ChainbaseHQ @harpieio @wallet_guard excited to join!.
2
0
3
If only there were a product that did all of these steps for you and presented them in a convenient and easy to understand UI. Oh wait. Stelo brings your transactions from black and white TV to technicolor 📺🌈.
Intimidated by the new 🦊 warning?. The FIRST time you list a collection (item) to a marketplace, you'll have to use "Set Approval For All". Why?.The marketplace needs your permission to be able to transfer the NFT / token on your wallet address' behalf if a sale happens. 🧵/1
0
1
5
You can find part 1 of our report on the State of Web3 Security: Attacks, below. Next week we'll follow up with part 2 of our report, the State of Web3 Security: Tooling.
2
1
5
You're only as safe as your weakest link. Secure your seed phrase with a @Ledger .Secure your password with @1Password .Secure your transaction with Stelo.
0
0
5
What's the deal with NFT royalties?. Nearly $2B in NFT royalties have been paid out on Ethereum alone. But royalties are at risk—here's everything you need to know about NFT royalties and why they are the hot topic of the week 🧵 ⬇️.
3
1
5
5/ But when you click the button it turns out they're STEALING your stuff. With Stelo installed you can see that the website is constructing a Seaport signature that will list all your pre-approved assets for 0 ETH.
1
1
3
The crypto community has also rallied to improve access to information. On-chain sleuths like @zachxbt are quick to explain the latest exploit and white-hat hackers are becoming an integral part of keeping the crypto ecosystem secure.
1
0
3
⚠️SCAM ALERT⚠️. The site tries to steal all your NFTs with open approvals on Opensea using a gasless signature attack. We clicked so you don't have to. Stay safe 🫡
1
1
4
Knowledge is power! Please spread the word @Wii_Mee @BoringSecDAO @0xQuit @TiffinMark @KYC_Alliance.
0
0
3
@allnick Sorry to hear that. If you DM is the link we’ll block it to keep others safe. Let us know if there’s anything else we can do to help you understand what happened.
0
0
3
Go to to check your wallet health score and share it in the comments below. Are you a 💯? Let's see what you got 👇.
0
0
4
0
0
4
We’re live! Hear from our founders @benscharfstein and @0xamand as they discuss transaction security with @AlchemyPlatform, @0xPolygon, and @ZenGo.
Want to start building a safer and more user-friendly web3?. Tune in tomorrow for our live conversation with:. @0xPolygon .@ZenGo .@SteloLabs . We’ll be jamming on how to ensure better UX, transaction security and more!.
0
0
4
People are also writing onchain messages to the victim. "I have the information of the person who drained your wallet yesterday and would like to provide you with his information along with proof completely free. The attacker is a 19 year old US citizen."
2
0
2
Smh. don't be like @benscharfstein . Keep your wallet clean with @approvals_xyz.
I got a 55 wallet health score using @approvals_xyz. Get your score and revoke risky approvals. Oy vey, gimme a sec.
0
1
3
Understanding who you’re transacting with should be easier than comparing every single letter of an address. Stelo shows you the receivers most recognizable NFTs, the number of transactions you’ve sent to the address, and warns you if you’ve never sent them anything before.
They use an address with the same first & last few characters as the real transaction you sent; in hopes you will not check the full address, and instead copy theirs in a future txn. (2/3) - More detail here: .
0
0
3
We don't know everything that happened. We'll update as more details emerge. If you have any information, please get in touch.
1
0
4
As a reminder, you don’t need to do ANYTHING to complete the merge. Never trust an email from someone claiming to be MetaMask and definitely don’t type in your seed phrase.
0
1
4
🚨 another phishing website attempting to list your pre-approved NFTs for 0ETH via a Seaport bulk listing. If you have Stelo installed you have nothing to worry about. If you don't have Stelo installed, wyd? 🤔🤔. Download at the link below
🚨 SCAM ALERT🚨. Beware of this new elaborated scam involving AZUKI + LINKTREE + PREMINT. ⚠️All are fake profiles/links⚠️. SCAM profile : @azuklnfts (please report to twitter). true profile is @AzukiOfficial ✅
1
1
4
Multi-chain coming 🔜.
I found a useful tool @approvals_xyz that is scanning your wallet for risky approvals and allows you to revoke them. Unfortunately, it sees only Ethereum approvals, but still, I increased the health of my wallet from 50 to 100 after revoking a few contracts.
0
0
3
At Stelo we believe safety starts with understanding. Stelo asset simulation is now powered by @AlchemyPlatform and we’re excited to see what other developers use it for to make web3 safer.
People send more than 4.5M blockchain transactions every day. but ~99% of people don’t know how to read them. resulting in more than $5B lost in crypto scams in 2022 alone . we’ve built a solution:
0
0
4
. @Highlight_xyz 🤝 @stelolabs.
Just added @Highlight_xyz’s transactions to @stelolabs. Helpful if you’re signing anything created with our tooling that you know it’s safe 🤝
0
1
4
The growth of defi has also expanded the surface areas available to attack. Concerns have shifted from seed phrase security to smart contract exploits and more. As crypto continues to grow, so too will the security threats.
1
0
3
The most recent Phantom seems to be interfering with MetaMask and Stelo. Disabling Phantom seems to fix things -- please dm us if this is happening to you.
1
0
3