Starknet Cryptocurrency "contributions"

Hi,

@RaitoBezarius poked me on Matrix with an offering of 3.500USD that is being presented to Github contributors. I’d be more than happy to contribute those 3.500USD to a NixOS cause that isn’t my private account, but:

As @RaitoBezarius mentioned in his message (“I know this message may sound like my account is compromised or the Nigerian prince scam, but, please take the time to review those elements (and you can search on social media to see it’s not totally fake: https://cointelegraph.com/news/starknet-populated-airdrop-hunters-ahead-token-launch-report etc.”) this DOES sound shady.

Also, the links given in the pad that require me to install stuff on my machine from mostly random sources (“ignore the gambling ads, this is totally real currency not gambling and market manipulation”) are EXACTLY that stuff that Cory Doctorow and Troy Hunt have been criticizing vocally in the last weeks and months: Troy Hunt: Thanks FedEx, This is Why we Keep Getting Phished

So. Aside from 1:1 private messages I’d like this to be discussed in the open and to give advice on people’s safety here.

13 Likes

I was able to claim the tokens, worked fine.

This looks indeed shady as f*ck but it’s legit. Airdrops (literally throwing stuff in the air) are common in blockchains to spread the word and give tokens to people to bootstrap the “community”. You can’t establish a currency if nobody owns any of it.

Ideally when you have 0 trust, set up a virtual machine for the job, or at least a dedicated user. The process here requires:

  • a web browser
  • an extension of that web browser (I recommend Agent X, it’s audited and easy to use)
  • make a backup of the wallet passphrase
  • use your github account to claim the tokens
  • revoke the github access once the tokens are in the wallet

By now, you should have something like 1911.1 STRK tokens; this can be converted to other tokens or to money, this is up to you, or keep the tokens to use them with the blockchain.

  • transfer the tokens to a marketplace compatible with STRK tokens (kraken or Binance for instance, two major actors here), make a small transfer first to be sure you won’t screw everything :slight_smile:
  • convert your STRK tokens to whatever you want (including money)
  • don’t forget to comply with regulations depending on your country (I guess the minimum is to declare the incomes if you convert to money)
10 Likes

I got a similar unwelcome offer via email yesterday - StarkNet, $3500 face value, GitHub contributors, urgency/FOMO language, and “I know this looks shady af just trust me” are the main matching elements. It was from a name/email/domain I don’t recognize rather than a familiar community member, and the grammar was nearly incoherent, so I was even more suspicious. I believe the message was sent to my committer email address used on my nixpkgs contributions, so perhaps they believe this community is particularly credulous, I don’t know.

I have zero intentions of following even the link in the email, just sharing as a data point of “someone disreputable apparently wants to harvest a lot of random GitHub details in exchange for magic beans”.

1 Like

FWIW the github logo only shares the public information, so it’s not harvesting anything.

2 Likes

I have just sent the whole thing to @edef (as a US person I cannot receive airdrops), and here are my two cents:

If you don’t want any of the money tokens, and you are ok with just sending everything to @edef, you don’t need to install the wallet extension, and you don’t need to touch the blockchain network or even their website yourself. All you do is:

  1. (optional) Create a blank profile in your Chrome/Chromium or Firefox and log into your GitHub account there. This is optional because I am pretty convinced that it’s perfectly safe to do everything even with your regular profile.
  2. Install the Redirector extension and import the rule (after verifying yourself that it only matches those starknet URLs).
  3. Click the GitHub link that connects to your GitHub account via OAuth (verify on the grant page that it says that the app will only have read-only access to your public information).
  4. Send the OAuth token that it shows to @edef. (Update: this happens automatically now.)
  5. Revoke the OAuth app access in settings once done (and wipe the browser profile if you were using a new one).

This process is advertised as a process for US persons, but I really think that it should be the default process for those who are not interested in the money and just want to help the community.

4 Likes

I get the hesitation, but:

  1. I can see the GH OAuth grant is for strictly public information.
  2. I know I can revoke the OAuth app authorization in GitHub as soon as I’m done.
  3. I trust @RaitoBezarius; I trust @edef.

On the other hand, I also have been around crypto long enough to know what warning signs to look out for, and to know what is “normal” in crypto land (this wouldn’t be my first airdrop, but you know, :us:).

I don’t know diddly squat about Starknet, I doubt it will ever make it up from the bottom of my infinitely long list of “things to circle back to”, but also, it will take <5 minutes of effort to send $3500 into the Nix project, I’m absolutely going to do it. It’s very hard for me to see how this is a net negative.

6 Likes

As I was pondering how to make this money count for something, this is the chain of actions I also was thinking about following.

I can also vouch for the legitimacy of this offer and a bunch of us from Nix Da(rmstadt) successfully claimed it too.

The site and everything surrounding it is super sketchy, so some security measures are certainly in order. The most critical part is that it requires a connection to a sketchy browser add-on and github at the same time which is a large attack surface. I don’t want to enter my GH credentials into a browser with a sketchy add-on installed. However, there is a way around it:

  1. Do all this in a throw-away browser profile with appropriate sandboxing (I used a NixOS graphical ISO in a VM)
  2. Install one of the wallet add-ons (I used Braavos because it works in Firefox)
  3. Do the claim rewards dialog on the STRK site until it asks you to log into GH
  4. Disable sketchy add-on
  5. Log in to GH and then do OAuth
  6. Log out of GH and clear GH cookies
  7. Enable sketchy wallet add-on again
  8. Reload STRK site (connection to wallet add-on has been lost)
  9. Do reward claim flow again (You’re still authenticated via OAuth. Beware of dark patterns; you don’t need to do any of the crap it asks you to, just skip.)
  10. Profit.

(I initially posted this as a reply to @JulienMalka’s Mastodon post which first informed me of this opportunity but appears to have disappeared?)

I’m not a financial advisor, so I can’t give advice here but I can tell you that I immediately converted the shitcoin to EUR via a commercial exchange (Kraken) because I consider holding the shitcoin to be highly speculative. If I wanted to speculate, I’d rather speculate on the growth of the world-wide economy via an equity index fund than that of a shitcoin but that’s just my opinion.
In case of Kraken, that cost me ~50EUR (deducted from converted tokens). I’d expect other exchanges to have similar exchange fees.

The process for cash out using the Braavos wallet and Kraken is as follows:

  1. Create a receiving STRK address on Kraken (probably works the same on other exchanges)
  2. Click on the STRK token in the main wallet screen
  3. Copy, paste and verify receiving address (doing this wrong will nix your tokens)
  4. Select to pay the fee in STRK (<1STRK IME)
  5. Enter amount - projected fees - a few percent (to account for fee variance)
  6. Send it.
  7. Wait a few minutes

In researching this, I’ve found a couple things you may not want to have to put in hours of research into:

  1. There are accounts of even popular exchanges holding or preventing cash out. Beware.
  2. Any exchange worth its salt will require you to prove your identity in order to cash out. Kraken required two pictures of my government-issued ID (front and back).
  3. Not many exchanges offer STRK/fiat trading. It also must explicitly allow converting FROM the specific shitcoin TO your specific fiat currency. Cases of only allowing the other way or only to certain fiat currencies exist. I only found Kraken, Binance and Bitvavo that allow STRK/EUR conversion and I have no experience with the latter two.
  4. STRK is a standardised kind of shitcoin (ERC20) and those can be swapped for other such shitcoins as well as less-shit coins (ETH) using automated on-blockchain exchanges like Uniswap. Costs ~30€.
  5. Kraken was quite quick and generally painless for me after figuring out that it didn’t like my custom email domain. (But did like my family’s? Might be because its TLD is that of another country.). YMMV.

All in all, this is sketchy but real. Appropriate measures should be taken and everything should be scrutinised.
That effort is well worth it as it is rewarded with a free ~3300EUR for most Nixpkgs contributors.

9 Likes

I hope the donated tokens are going to be sent to S3 Cache Long Term - Open Collective for transparency?

2 Likes

I also received such an email and am trying to claim now, on a separate device with a fresh OS install. Let’s see how it goes…

Edit: It worked. Holy crap, thank you all, I am going to cash out now :tada:

1 Like

Maybe also cycle GH passwords, gpg keys, ssh keys and whatnot after, just in case the shady browser plugin abuses some kind of exploit somewhere - and don’t ever use the VM you let this thing loose on again.

I imagine quite a few of us use GH OAuth to sign into discourse as well, so even though lots of trusted community members seem to be posting their positive experiences, this could still just be a particularly well-crafted, targeted supply chain attack. The fact that specifically NixOS contributors are targeted gives me the heebie-jeebies. Given project growth, there may well be a sufficient profit incentive that making a shitcoin just to pull off this stunt is worth it.

Hell, we might not even see the effects of it until a year or two down the line if there is an exploit and folks don’t cycle their credentials. We might never notice, I’m sure some of you make enough contributions that sneaking one in somewhere would not stick out to you or others monitoring the repo, and it doesn’t take many compromised contributors to effectively get full merge rights. Even if there is no exploit and most people take reasonable precautions, this might just be phishing for the one person who doesn’t.

5 Likes

gpg keys, ssh keys

Those should be safe if you keep your private keys safe. :wink:
For those who used a VM or even dedicated machine (like me) to do the claim, this should not be of any concern I guess…

Should be, but if you didn’t use a VM and your keys were physically accessible from your home directory (which is pretty common, often even unencrypted, as much as I wish everyone had yubikeys) you’re just relying on the browser sandbox, which I don’t think is the most foolproof, especially when shady addons are involved.

Better to remind people those credentials exist, someone will have clicked through before thinking.

2 Likes

firefox in a virtual machine

1 Like

I’m still struggling to understand this. Someone creates a new cryptocurrency with say, a million tokens. They are going to give away these to anyone who has a GitHub account. But why would any exchange offer non-blockchain fiat currency, especially that which is worth US$3500, to purchase these tokens?

Surely A: the exchange would have already worked out a way of claiming the vast majority of the tokens themselves if they wanted them, and B: the exchange would want to see a bit of real-world activity in the cryptocurrency before assigning such a high value to the token. Or is this new cryptocurrency somehow backed by an existing, non-crypto currency already?

You can’t establish a network (blockchain here) without any member. Cryptocurrency Airdrop: What Is It and How Does It Work Could also be similar to a free sample of some new product, so people could try it for free, spread the word etc… in that case, it’s just that the speculation around it was quite spectacular, resulting in a high trading price. Otherwise, 1 STRK would only be worth 1 STRK, if no one had interest in it.

I could create my own block chain, give away 1 billion token per user, and it would be basically worthless until someone wants to pay for it because it gives access to something useful (that’s the purpose of a blockchain).

I refer to tokens and not cryptocurrency, because some blockchains were made to be used as currency, but that’s not really what a blockchain is about. Blockchains require tokens to be used for a purpose, like you need a token to use a car wash; the token gets a real world value because it can be used for something useful (like a token to wash your car).

I don’t really know the conditions for Starknet, some people got 111 tokens (not nix contributors), so maybe they have a maximum airdrop per github account (which isn’t the only way to obtain tokens here, ethereum regular users were also eligible from what I’ve quickly read), and depending on the popularity of the project you contributed to, you get a certain tier :woman_shrugging:

1 Like

This is probably a misunderstanding. This is aimed at people who contributed to a top 5000 GitHub repo and that category obviously includes Nixpkgs.

Now, that might still be of concern but it’s not an attack targeted at Nixpkgs specifically.

As @Solene mentioned, there are also other ways to get the shitcoin; being a top 5000 Github contributor is just the most lucrative and relevant one to us.

Exchanges are just places that allow individuals to trade with another. They’re not buying those tokens for themselves; they buy them in order to facilitate trade between people. They play the middle man.

Now, the individuals who do purchase shitcoins for real money do so because they believe (for whatever misguided reason) that this shitcoin will be worth more than the real money in the future.

3 Likes

The GitHub data is here: https://github.com/starknet-io/provisions-data/tree/main/github. The largest amount that some GitHub handles received was 13911.1 tokens (27404 USD at the time of writing) and 111.1 was the smallest.

4 Likes

Ah, thanks for the explanations @Solene, @Atemu. I had assumed that the exchange was in some way directly involved in the speculation for themselves.

1 Like

Positivity for this roundabout way of supporting developers concerns me. Does this not invite real scams against this community?

4 Likes