Introduction

One day, Alice was scrolling through an NFT marketplace and suddenly saw a listing with rare attributes. Moreover, the listed price was even lower than the floor price. Alice got suspicious; the price of this rare NFT should have been higher than listed. Something must be wrong.

Alice began verifying the listing details but found that everything was correct. Nothing about the listing looked suspicious. Alice thought the seller must have urgent liquidity issues and had therefore listed at such a low price. She must have been lucky to notice the listing first.

Alice clicked the purchase button, and the transaction source code popped up. After verifying there was no malicious code, she signed the transaction, and it succeeded.

Filled with excitement, Alice checked her collection to view the purchased NFT. To her surprise, no new NFT had been added.

Alice refreshed the webpage and reauthenticated multiple times, but the NFT still did not show up. After checking with others, Alice confirmed that she had been scammed. Her token balance had been deducted, so the transaction must have succeeded, right?

Alice's computer was not infected by malware, nor had she visited a phishing NFT marketplace site. Alice decided to check the listing again. To her surprise, the listing was still showing even though she had bought it! How could this happen? Did a bug occur in the marketplace, or was there an issue in the signed transaction?

Meanwhile, Bob, the attacker, received a sweet payment from Alice. Bob let out an evil laugh and continued listing rare NFTs to lure more victims.

Can you show me a real-life exploit?

Sure! Let’s start by looking at a successful marketplace transaction.

[Screenshot: a successful marketplace transaction]

In this transaction, I am purchasing an NFT called FlovatarComponent with the token identifier #107880. Notice the pink rectangle highlighted above: it means that the NFT was successfully deposited into my address, 0x074a02ade9585309.

For comparison, here is the transaction when purchasing a fake NFT listing.

[Screenshot: the transaction for the fake NFT listing]

Notice that there are no NFTs deposited into my account even though I paid 5 FLOW tokens for it.

Additionally, you can verify that both signed transactions are the same.
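Since the signed code is identical in both cases, the difference only shows up in the events the transaction emits. The check below is an added example, not code from the original post or the marketplace: it flags a purchase where FLOW left the buyer's account but no deposit of the expected NFT names the buyer. It assumes the standard Flow `TokensWithdrawn` and `Deposit` events; the contract addresses, the other account addresses and the sample events are constructed.

```javascript
// Constructed sample data. Contract addresses are placeholders, not real deployments.
const BUYER = "0x074a02ade9585309"; // buyer address from the article
const FLOW_TOKEN = "A.0000000000000001.FlowToken";           // placeholder address
const NFT_CONTRACT = "A.0000000000000002.FlovatarComponent"; // placeholder address

const paid = { type: `${FLOW_TOKEN}.TokensWithdrawn`, data: { amount: "5.00000000", from: BUYER } };

// Events of a genuine purchase: payment out, NFT deposited into the buyer's account.
const genuineEvents = [
  paid,
  { type: `${NFT_CONTRACT}.Withdraw`, data: { id: "107880", from: "0x00000000000000aa" } },
  { type: `${NFT_CONTRACT}.Deposit`, data: { id: "107880", to: BUYER } },
];

// Events of the fake listing: payment out, no NFT deposit at all.
const fakeEvents = [
  paid,
  { type: `${FLOW_TOKEN}.TokensDeposited`, data: { amount: "5.00000000", to: "0x00000000000000bb" } },
];

// Compare addresses case-insensitively and without the optional 0x prefix.
const norm = (addr) => String(addr ?? "").toLowerCase().replace(/^0x/, "");

function checkPurchase(events, { buyer, flowToken, nftContract, tokenId }) {
  // Total FLOW withdrawn from the buyer in this transaction (includes any fee).
  const spent = events
    .filter((e) => e.type === `${flowToken}.TokensWithdrawn` && norm(e.data.from) === norm(buyer))
    .reduce((sum, e) => sum + Number(e.data.amount), 0);

  // Match the full event type, address included, so a same-named contract
  // deployed at another address does not count as delivery.
  const delivered = events.some(
    (e) =>
      e.type === `${nftContract}.Deposit` &&
      String(e.data.id) === String(tokenId) &&
      norm(e.data.to) === norm(buyer)
  );

  let verdict = "no-purchase";
  if (spent > 0) verdict = delivered ? "ok" : "paid-without-delivery";
  return { spent, delivered, verdict };
}

const expected = { buyer: BUYER, flowToken: FLOW_TOKEN, nftContract: NFT_CONTRACT, tokenId: 107880 };
console.log(checkPurchase(genuineEvents, expected).verdict);
console.log(checkPurchase(fakeEvents, expected).verdict);
```
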