Signatures and Approvals

Invalidate Signatures on Marketplaces


Nov 30th, 2022 - 14:02 pm


Hey everyone,

In today's article, we will be covering the option to invalidate the signatures we gave out to marketplaces.

What for?

We pre-approve our collections by signing a “Set Approval For All” to the marketplace contract. To create a listing, we only need to sign a gasless signature like this:

[Screenshot: MetaMask signature request notification]

Seen this kind of request on a mint / claim website and possibly signed it? Yikes!

If your assets haven't been taken yet - there's still time to act.

Sidenote: Yes, it’s possible to steal multiple NFTs from different, approved collections with a signature like the above.

The signature offers ALL of your current approved collections (to a contract like OpenSea Seaport / Wyvern) for a 0 ETH private sale to the malicious wallet / contract. This affects the wallet address you’re signing the request with.
 


The easiest way not to get hit by this is to remove all approvals: without open approvals to the specific contract they are exploiting, there's no chance they can steal your assets that easily.

Make sure to check your approvals regularly and remove those you no longer need. This is especially true for old OpenSea approvals, displayed as OpenSea (old) on revoke(.)cash.

How to revoke approvals? Click here to be redirected to another article. We got you!

Now, what to do if you've signed a signature but you still had open approvals? How do you invalidate a listing signature to a marketplace?

To do this, we need to write to the OpenSea contract on etherscan.io.

Contract addresses:

OpenSea Seaport 1.1
0x00000000006c3852cbEf3e08E8dF289169EdE581

OpenSea Wyvern Exchange v2 (old)
0x7f268357A8c2552623316e2562D90e642bB538E5

On Etherscan, search for the address of the contract for which you want to invalidate (nuke) all your listing / order signatures.

For the OpenSea Seaport 1.1 contract:

Click on Contract > Write contract. Connect your wallet (green bubble).

Navigate to “incrementCounter” (on the Wyvern v2 contract, this is called incrementNonce - see below).

What this will do: Cancel all orders / listings from a given offerer with a given zone in bulk by incrementing a counter.

For the OpenSea Wyvern Exchange v2 (old) contract:

Click on Contract > Write contract. Connect your wallet (green bubble).

Navigate to “incrementNonce” (on the Seaport contract, this is called incrementCounter - see above).

What this will do: Cancel all orders / listings from a given offerer with a given zone in bulk by incrementing a counter.

A simplified version of what we're doing here:

This increments a nonce, which is a random number only used ONCE — to prove that data has only been submitted once to the blockchain.

This will make ALL of your previous listings / offerings to the contract INVALID.

Once you connect your wallet to etherscan.io and hit that write button, you will generate a newer, fresher nonce that gets written into the blockchain.

If someone tries to act on the old “malicious offer signature” that you got tricked into, it gets rejected because the nonce on the “malicious” signature doesn’t match with the newest one.
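A toy model of the mechanism described above, added here as an illustration (it is not code from this article, OpenSea or Seaport): the offerer's current counter is part of the data that gets signed, and the exchange recomputes the digest with the counter it has stored, so a bumped counter makes every older signature fail. HMAC with a per-wallet key stands in for the wallet's real signature scheme, and ToyExchange, sign_order, the addresses and the keys are all constructed for this example.

```python
import hashlib
import hmac


class ToyExchange:
    """Simplified stand-in for a marketplace contract with a per-offerer counter."""

    def __init__(self):
        self.counters = {}  # offerer address -> current counter (starts at 0)

    def get_counter(self, offerer):
        return self.counters.get(offerer, 0)

    def order_digest(self, offerer, order, counter):
        # The counter is hashed together with the order, so it is covered by the signature.
        return hashlib.sha256(f"{offerer}|{order}|{counter}".encode()).digest()

    def increment_counter(self, offerer):
        # Models incrementCounter / incrementNonce: affects only the calling offerer.
        self.counters[offerer] = self.get_counter(offerer) + 1
        return self.counters[offerer]

    def fulfill(self, offerer, order, signature, key):
        # The exchange always rebuilds the digest with the counter it stores *now*.
        digest = self.order_digest(offerer, order, self.get_counter(offerer))
        expected = hmac.new(key, digest, hashlib.sha256).digest()  # stand-in for signature recovery
        return hmac.compare_digest(signature, expected)


def sign_order(exchange, offerer, order, key):
    """Sign an order against the offerer's counter at signing time (HMAC as stand-in)."""
    digest = exchange.order_digest(offerer, order, exchange.get_counter(offerer))
    return hmac.new(key, digest, hashlib.sha256).digest()


def demo():
    ex = ToyExchange()
    alice, bob = "0xA11CE", "0xB0B"                    # constructed addresses
    alice_key, bob_key = b"alice-key", b"bob-key"      # constructed keys
    bad_order = "all approved NFTs for 0 ETH, private sale"
    bad_sig = sign_order(ex, alice, bad_order, alice_key)   # the signature given away
    bob_sig = sign_order(ex, bob, "bob listing", bob_key)
    before = ex.fulfill(alice, bad_order, bad_sig, alice_key)  # usable before the bump
    ex.increment_counter(alice)
    after = ex.fulfill(alice, bad_order, bad_sig, alice_key)   # rejected after the bump
    bob_ok = ex.fulfill(bob, "bob listing", bob_sig, bob_key)  # other wallets unaffected
    fresh_sig = sign_order(ex, alice, "new listing", alice_key)
    fresh = ex.fulfill(alice, "new listing", fresh_sig, alice_key)  # new signatures work
    return before, after, bob_ok, fresh


if __name__ == "__main__":
    print(demo())
```

The last value shows that anything signed after the increment is valid again, so the counter bump only clears past signatures; the approvals themselves are untouched.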

Once you click write, this will send a transaction on chain; confirming it will cost a small gas fee. Now all listings to the specific contract from this wallet address are invalid!



Congrats, that’s it! You nuked all your listings to the contract you’ve just written to.

Whether it was a malicious listing signature or not, the offers cannot be executed anymore.
You can start fresh from here and just pay attention to what you’re signing.

Thanks for your time — stay safe!

Special thanks to 0age, the main dev of the Seaport protocol, who helped me create this how-to. You can follow him on Twitter here.

You can also listen to a video tutorial on this topic through my YouTube channel here.


Have any questions or want to learn more about web3 security and stay up to date on the most current security information, scams, and tactics? Join us in our discord at https://discord.gg/boringsecurity .