The bid you didn't realize you placed

January 2025. A holder in Brooklyn lists three CryptoPunks on Blur for a flash sale. A few days later, a Discord member messages him with an "exclusive collector offer" via a custom signing flow on a "Blur Pro" site. The signature he is asked to provide is a Blur bid permit at 0.1 ETH for each Punk.

The bids are accepted instantly. Three Punks at floor of 38 ETH each leave the wallet for 0.1 ETH each. Loss: 113.7 ETH, or approximately $230,000 at the time.

Why Blur bid permits are the worst attack surface in NFTs

Blur lets users place bids by signing off-chain messages with EIP-712. The seller does not need to broadcast anything. A scammer who tricks you into signing a malicious bid permit can then accept that bid themselves — using a wallet they control as the buyer — and drain the NFT at the price you "agreed" to.

The five tells

  • The signing site is not blur.io. "Blur Pro," "Blur Plus," "Blur OTC" are all fake. Bid management happens only on blur.io.
  • The bid amount is wildly below floor. Real collectors do not message you offering 0.001 ETH for a 30 ETH NFT.
  • The signature shows the NFT contract address. If the typed-data prompt names the contract of the Punks you hold alongside a tiny price, that is the exploit happening live, not a preview of it.
  • Urgency on a Discord DM. "Offer expires in 10 minutes" exists to skip the verification step.
  • Discord IDs are spoofed. A scammer can impersonate the Blur team handle with a one-character difference.
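The tells that live inside the signature request itself (wrong origin, your own collection's contract, a price far under floor) can be checked mechanically before the "Sign" button is shown. The following is an added example, not Blur's code or the page's own: a wallet-side pre-signature check over an EIP-712 request. The origin, contract addresses, order field names (collection, tokenId, price) and the 50% discount threshold are all constructed assumptions, not Blur's real types or values.

```javascript
// Added example (not Blur's code): a pre-signature check a wallet or browser
// extension could run over an eth_signTypedData_v4 request before prompting.
// The message field names (collection, tokenId, price) are a constructed
// stand-in for an order type, not Blur's real EIP-712 schema.

const WEI_PER_ETH = 10n ** 18n;

// Constructed sample: what a hostile "Blur Pro" page might ask the holder to sign.
const hostileRequest = {
  origin: "https://blur-pro.example",          // page requesting the signature
  typedData: {
    domain: { name: "Blur Exchange", version: "1", chainId: 1,
              verifyingContract: "0x1111111111111111111111111111111111111111" }, // constructed
    primaryType: "Order",
    message: {
      collection: "0x2222222222222222222222222222222222222222",  // constructed NFT contract
      tokenId: "7804",
      price: (WEI_PER_ETH / 10n).toString(),                      // 0.1 ETH in wei
    },
  },
};

// Constructed wallet-side context: where bids may legitimately be signed, the
// collections this wallet holds with their floor price in wei, and how far
// below floor a price may sit before it is treated as hostile (assumed 50%).
const walletContext = {
  trustedOrigins: ["https://blur.io"],
  holdings: { "0x2222222222222222222222222222222222222222": 38n * WEI_PER_ETH },
  maxDiscountPercent: 50n,
};

// Returns { block, reasons }. "references-owned-collection" alone is informational
// (a genuine listing also names your contract); the other reasons block signing.
function checkSignRequest(req, ctx) {
  const reasons = [];
  if (!ctx.trustedOrigins.includes(req.origin)) reasons.push("untrusted-origin");

  const msg = req.typedData.message || {};
  const collection = String(msg.collection || "").toLowerCase();
  const floor = ctx.holdings[collection];
  if (floor !== undefined) {
    reasons.push("references-owned-collection");
    const price = BigInt(msg.price ?? 0);
    const minAcceptable = (floor * (100n - ctx.maxDiscountPercent)) / 100n;
    if (price < minAcceptable) reasons.push("price-far-below-floor");
  }
  return { block: reasons.some((r) => r !== "references-owned-collection"), reasons };
}
```

Run against the constructed request above, the check blocks with both "untrusted-origin" and "price-far-below-floor"; the same order at 38 ETH from blur.io passes with only the informational reason.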

The recovery checklist

If you signed: go to Blur's own approval-management page (blur.io/settings) and revoke all pending offers. Then move every NFT in the affected wallet to a fresh wallet. Then disable bid acceptance entirely until you understand what you signed.

The standing posture

Treat every NFT marketplace signature like a contract you are about to sign in real life: read it, then name the counterparty, the price, and the duration. If you cannot fill in all three of those blanks from the prompt in front of you, refuse.