The Backstory:

On 13 September, a Twitter user shared the distressing news of their account being hacked due to a compromised seed phrase.

https://twitter.com/samuraizann/status/1701875884217749515

While the damage was done, valuable NFTs were still trapped in the compromised address. The challenge? Transferring those assets requires gas, and any ETH sent to the compromised address is instantly drained by a notorious "Sweeper Bot" before it can be spent.

🌊 Dive deeper into the world of Sweeper Bots: What are Sweeper Bots?

The Rescue Mission:

To outsmart the Sweeper Bot, we turned to Flashbots private transactions. These transactions are bundled and hidden from the public mempool, and the bundle is included atomically: either every transaction in it lands in the same block, or none does. In layman's terms, we sign multiple transactions and execute them all at once in a single block, so the bot never sees a funded account it can drain. The first transaction in the bundle sends ether to the compromised address.

The sequence of events:

  1. Transfer ETH to the compromised address.
  2. Initiate a transaction to rescue an NFT or ERC20 from the compromised address.
  3. Repeat step 2 for each remaining asset, incrementing the nonce each time.
  4. Simulate the bundle and, upon successful simulation, submit it to mainnet.
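The bundle described above, planned offline as an added example (this is not the post's own code and does not sign or submit anything): the funding transaction carries exactly the worst-case gas the rescue transfers can burn, the rescue transfers use consecutive nonces from the compromised account, and a check mirrors what the simulation must confirm. The rescuer, safe and contract addresses, nonces, fee values and the 120000 gas limit are constructed assumptions; only the compromised address comes from the post.

```javascript
// Added example, not the post's code: plans the Flashbots rescue bundle offline (no signing/submission).
// ERC-721 safeTransferFrom(address,address,uint256) 4-byte function selector.
const SAFE_TRANSFER_FROM_SELECTOR = '42842e0e';
const RESCUE_GAS_LIMIT = 120000n; // assumed per-transfer limit; confirm via simulation

// ABI-encodes one 32-byte word (hex address string or bigint) as zero-padded hex.
function abiWord(value) {
  const hex = typeof value === 'bigint' ? value.toString(16) : value.replace(/^0x/, '');
  return hex.toLowerCase().padStart(64, '0');
}

// Calldata that moves one ERC-721 token from `from` to `to`.
function encodeSafeTransferFrom(from, to, tokenId) {
  return '0x' + SAFE_TRANSFER_FROM_SELECTOR + abiWord(from) + abiWord(to) + abiWord(tokenId);
}

// Ordered bundle: tx[0] funds the compromised address with exactly the worst-case gas
// the rescue txs can burn; tx[1..n] are the transfers, nonces increasing from the
// compromised account's current nonce. All land in one block or none do.
function buildRescueBundle(p) {
  const { maxFeePerGas, maxPriorityFeePerGas } = p;
  const funding = RESCUE_GAS_LIMIT * maxFeePerGas * BigInt(p.transfers.length);
  const bundle = [{ from: p.rescuer, to: p.compromised, nonce: p.rescuerNonce, value: funding,
    gasLimit: 21000n, maxFeePerGas, maxPriorityFeePerGas, data: '0x' }];
  p.transfers.forEach((t, i) => bundle.push({
    from: p.compromised, to: t.contract, nonce: p.compromisedNonce + i, value: 0n,
    gasLimit: RESCUE_GAS_LIMIT, maxFeePerGas, maxPriorityFeePerGas,
    data: encodeSafeTransferFrom(p.compromised, p.safe, t.tokenId),
  }));
  return bundle;
}

// Invariants to verify before sending: rescue nonces are consecutive, every rescue tx is
// sent by the compromised account, and funding equals the rescue gas budget. Any EIP-1559
// refund (maxFeePerGas above the effective price) stays behind, so keep maxFeePerGas tight.
function checkBundle(bundle) {
  const [fund, ...rescue] = bundle;
  const ordered = rescue.every((tx, i) => tx.from === fund.to && tx.nonce === rescue[0].nonce + i);
  const gasBudget = rescue.reduce((sum, tx) => sum + tx.gasLimit * tx.maxFeePerGas, 0n);
  return ordered && gasBudget === fund.value;
}

// Constructed inputs; the compromised address is the one from the post.
const EXAMPLE = {
  rescuer: '0x' + '11'.repeat(20), safe: '0x' + '22'.repeat(20),
  compromised: '0xE7a98f3AeAf30Ff2A1a40839115067D1Fb2174ff', rescuerNonce: 3, compromisedNonce: 7,
  maxFeePerGas: 30n * 10n ** 9n, maxPriorityFeePerGas: 2n * 10n ** 9n, // 30 / 2 gwei
  transfers: [{ contract: '0x' + '33'.repeat(20), tokenId: 1n },
              { contract: '0x' + '33'.repeat(20), tokenId: 42n }],
};
const rescueBundle = buildRescueBundle(EXAMPLE);
console.log(checkBundle(rescueBundle), rescueBundle[0].value.toString()); // true 7200000000000000
```

Signing each transaction with its respective key and submitting the signed list through a Flashbots relay client, targeting a specific block, is the step the post performs next and is left out here.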

The Rescue in Action:

Using the aradhwin.eth address as a case study (though the steps are universal):

Compromised Address: 0xE7a98f3AeAf30Ff2A1a40839115067D1Fb2174ff

Attacker Address: 0x875C02095ABB53428aa56A59FE6C8E712F48C762

Execution:

  1. Transfer of ETH to the compromised account

(Etherscan link to the funding transaction)

  2. Transaction to transfer the ENS NFT