I Hacked Foundation.app — but you should still use their platform.

17th March 2021

The story of my Foundation Hack and how to protect yourself.

On March 14th, around Midnight I dropped my latest NFT, a record of my Foundation.app Hack I released along with it:

Foundation is a platform that provides minting services as well as a marketplace for artists. Its number of daily users exploded in the last weeks as a considerable number of non-crypto artists looking for ways to enter the lucrative NFT space. Like most platforms and websites nowadays, Foundation allows its users to set up a profile page including an avatar and a cover image. Do you see where this is going? There’s one rule in Cybersecurity…

Don’t trust user input.

Allowing users to display an image on your websites means that at some point they retrieve data sent by the user and display it on their webpage. You’d be surprised at how many websites thus create breaches in their own systems.
How a hacker can take advantage of user input to take over your browser

User input should always be cleaned up before being displayed when someone wants to lookup a profile. There only needs to be one oversight.

The Artwork

Instead of sending an image link to their server I instead sent them what allowed an Injection. basically getting complete control over what your browser does when looking up my profile. 

The Artwork I displayed as a digital graffiti on Foundation

Worried? You should be, this can and is used by hackers to get access to user accounts. But I’ve got good news ! In fact, I’ve got brilliant news for you ! Let’s get to why you should still use Foundation.app (& others) !

3 Simple Rules to Secure your Assets

Securing your assets should always be your highest priority

Ok, I know, I’ve made the web very scary right now. But don’t leave yet ! Because this is where I drop some knowledge. 

Rule 1

| Not your keys, not your wallet.

I know I know, this one is quite known ! And yet, I still see people forgetting about it. Let’s take Nifty Gateway as an example, they use deposit accounts to let you buy an artwork. Meaning that to spend your ETH they don’t ask for your signature but use a wallet which they own. Besides the advantages this provides, it has huge security implications. See this twitter user who got all his assets stolen yesterday after having his password most probably leaked in a data breach somewhere (Nothing the platform could have done !). You shouldn’t stop using Nifty Gateway (I myself own an NFT there), but please, do not leave your credit card details, NFTs or even full ETH accounts there for hackers to grab, especially if you don’t use a password manager (I see you, I know you use the same password everywhere !). Get everything out once your purchase is done and you’ll be safe !

Rule 2

| Don’t ever disclose your private keys/seed phrase

I know, I know. Nahiko ? AGAIN ? Dude, your rules are basics ! Yes, they are. But Phishing is still the main reason why people get their ETH stolen. Remember to always make sure the URL you’re visiting is legit, especially before setting up a new wallet or buying NFTs. A good way to do this is accessing the webpage from the company’s socials.

Rule 3

| Read what you sign

Transactions are to web 3 what Terms & Services are to web 2. Nobody reads them ! But you should and here’s why. If I get access to a webpage the same way I was able to, earlier in this article. Nothing stops me from having the website ask metamask to send the ETH to me and not to the artist who you buy an artwork from. To be transparent, there’s a very low chance of this happening, but trust me and check the transactions you sign.


All in all, as usual, security relies mostly upon one stakeholder in all that. And it’s not the platform, nor the wallet provider, and not even your computer. It’s you.

Share this article: