A forensic look at the "fractional ownership in domains" NFT marketplace — specifically what its Connect Wallet button asks you to sign, and whether the site is malicious. Nine agents tore the bundle and all 35 lazy chunks apart, then three more tried (and failed) to refute the verdict. The short answer: nothing is signed at connect, and it is not a wallet drainer — but it is a negligent, half-dead project you should not use.
Not an active wallet-draining scam. Connecting signs nothing, no drainer payload exists in the code, it is on no blocklist, and there are no victim reports. Three independent red-team lenses tried to break that conclusion and could not.
But "not a drainer" is not the same as "safe." It is a broken, centralized, leaky project.
The backend is dead (every /api/api/* endpoint returns 502), the
NFT metadata layer is dead (IPFS returns 401), the "Ethereum" path points at
the long-sunset Goerli testnet, a live write-capable Pinata API key
and a client-side admin login of OTP "1234" are hardcoded in the bundle, and the
one real contract is an upgradeable proxy owned by a single private key. You
cannot lose funds to a signature at connect — but buying anything is non-functional, and the
operator is negligent enough that connecting at all is a bad idea.
The connect button, the WalletConnect option, and the "ConnectViaWhatsApp" variant were all traced to their handlers in the minified bundle and verified byte-for-byte. The flow is the same in every case.
eth_requestAccounts — your wallet reveals your address, with no signature prompt. The app then POSTs that bare address to its login API and shows a "Signin Successful!" toast that is not backed by any signature.
No personal_sign, no signTypedData, no SIWE / "Sign in to…" message, and
no nonce. The backend has no /nonce, /sign, or /verify
endpoint — it simply trusts the address the wallet reports. (Note: that is itself a security flaw
on the operator's side — anyone can impersonate any address — but it does not endanger the
connecting wallet's funds.)
activate(InjectedConnector) → eth_requestAccounts (address reveal only)wallet_address → https://braands.io/api/api/login → JWT stored in cookieactivate(WalletConnectConnector), then reads accounts from localStorage{sid, wallet_address} to /whatsapp/connectwallet, redirects to a WhatsApp chat — no signaturesetApprovalForAll / approve / eth_sendTransaction exist only inside the buy/auction flow, gated behind an explicit action — never at connectactivate() — no signing call followsV is destructured as activate from useWeb3React; lt is the InjectedConnector. The entire handler is activate + a toast.
The login function builds a FormData containing only wallet_address, POSTs it, and stores the returned JWT. No signature field anywhere in the request.
Zero app-level hits for signMessage, signTypedData, signTypedData_v4, "Welcome", "Sign in to", or SIWE. The 2 personal_sign matches are web3.js method-registry entries, not calls.
Full endpoint surface: /login, /register, /getuser, /profile, /newsletter, /whatsapp/connectwallet. No /nonce, /sign, /auth, or /verify — confirming no signature flow.
One agent adversarially downloaded all 35 lazy-loaded chunks (1.81 MB total) and grepped each for drainer signatures, hidden recipient addresses, and obfuscation. The red-team static-code lens then re-ran the hunt independently. Both concluded: no drainer, no malware.
Zero hardcoded target addresses across all 35 chunks — a drainer must embed one.
Permit2, seaport, inferno, pink, monkey, ice-phishing — all absent.
No app-level eval / new Function / atob. Library internals only.
A wallet drainer must embed a recipient/target address somewhere in its code. Across all 35 chunks, grep '0x[a-fA-F0-9]{20,}' returns nothing. The 5 project contracts live only in the main-bundle config.
setApprovalForAll, safeTransferFrom, approve(, increaseAllowance, transferFrom — zero hits in every chunk. The only signing strings present live in chunk 182, which is the WalletConnect provider library.
balanceOf calls are inventory display, not a "scan-then-drain"Chunk 748 (the "My NFTs" dashboard) reads the user's own tokens read-only (.call()) to show inventory. It issues zero transfer / approve / sendTransaction calls.
createElement("script") in chunk 277 = react-recaptcha loader; iframe in 390 = react-lite-youtube-embed; navigator.clipboard in 177/523 = copy-share-link; wallet_switchEthereumChain only in the WalletConnect provider. No document.write, no remote-script injection.
The webpack runtime chunk-map lists exactly 35 chunks; import( count in the main bundle is 0. There is no extra code loaded beyond what was scanned.
Of the five "custom contracts" the initial scan flagged, four are false positives (truncated genesis-block hashes embedded by ethereumjs, and a secp256k1 curve constant). Only one is real — and it is an upgradeable proxy under a single key, sitting on a network path that mostly doesn't work.
0xe3a5284e979e1a60ed0abc1841070144057b989f on Polygon — name "Braands.io" (BRD), EIP-1967 TransparentUpgradeableProxy0x475bb1f7fce50ab4bad7090ce5f6b4e10601e7d00xa8dc7ed4331041471152d67d70fe3d09d3996fac0x380dcDe4…5848A6 — no code on mainnet; config binds it to Goerli (chainId 5, dead since 2023)braands.infura-ipfs.io → 401; token CIDs → 504 no providers (orphaned)The proxy's owner() and the ProxyAdmin.owner() resolve to the same EOA. That key can upgrade the logic, mint unlimited supply (super_mint), and rewrite any token's metadata URI (setUrl) at will.
The red-team extracted all 71 dispatcher selectors from the implementation bytecode and diffed them against the 82-entry frontend ABI. The only unexplained selector (0x0e89341c) resolves to uri(uint256), which is in the ABI. Zero hidden functions: no selfdestruct, no sweep, no arbitrary transferFrom, no honeypot tax.
The "ETH" contract has no code on mainnet and only ever lived on Goerli (now sunset). The IPFS gateway returns 401 and the token CIDs return 504 — so NFT metadata cannot resolve. The dApp is effectively Polygon-only and even there sees ~no use.
There is currently 0 MATIC in the contract and no withdraw function exists in the ABI — so even the all-powerful owner cannot sweep a balance without a future upgrade. This is a future-rug capability, not a current drain. It does not change the verdict, but it is the single biggest reason not to buy and hold these tokens.
The domain is four years old and run by an identifiable (if small) Indian development shop — which actually argues against it being an anonymous drainer. But it is hosted on a bare shared VPS with no protections, next to some less-savory neighbours.
38.225.206.93, Delhi, India (AS150654 Kennies Star); nginx/1.24.0 directly, no CDN / WAFsimplicitylabs.org — a Gurugram Web3/AI dev agency (real LinkedIn, real clients)Reverse-IP on the server lists co-hosted projects including mlm-admin-echobit, ecotrader, enterx, gaanagpt and rhoof.io, alongside simplicitylabs.org. MLM/trading adjacency is a yellow flag, though no corroborated fraud report names the agency.
The domain was publicized via a BusinessWire press release (CEO Arjun Mishra, Gurugram) in Jan 2023, but the current server's first TLS cert is April 2025 — the project was parked or migrated. A real press release and a four-year-old domain are mild positive signals versus a fresh throwaway scam domain.
braands.infura-ipfs.io resolves to real Infura/AWS IPs but returns 401 — Infura deprecated its IPFS product in 2024. Stale infrastructure, not malicious.
An independent sweep across blocklists, scan engines, and community forums found no scam classification and no victim reports. The red-team reputation lens confirmed this against the raw blocklist files directly. The honest caveat: absence of reports is weak evidence on its own — but here it is corroborated by the empty contract and the nothing-signed-at-connect flow.
Grepped the raw source of CryptoScamDB, ScamSniffer, MetaMask eth-phishing-detect, PocketUniverse/PhishFort, and EtherAddressLookup — zero hits on all five. An active drainer is almost always on at least one.
3 scans since 2022 (none since Apr 2024), each with an empty verdicts object — no engine flagged it malicious. urlvoid has no report at all.
No threads on Reddit (r/NFT, r/CryptoScams, r/Scams), no Trustpilot page, no Chainabuse report, no hits for the contract address in scam contexts. The only negative web result ("forexroboteasy.com dismal rating") is auto-generated SEO spam, not a real review.
Real BusinessWire press release (paid, but real), LinkedIn page (265 followers), live Twitter/Facebook, and an OpenSea collection (braands-domains-polygon) marketing cheap .online/.host domains. Consistent with an over-marketed, near-dormant side-project — not a thriving market.
This is where the picture turns from "benign" to "negligent." The site doesn't steal from visitors, but it leaks live credentials and ships a fake admin panel. These are the operator's problems, but they are exactly why you shouldn't trust the platform with anything.
Verified live against Pinata's API (HTTP 200). Anyone can pin/unpin IPFS content on Braands' account — enabling NFT-metadata defacement or storage abuse.
The /admin route is reachable (HTTP 200). Auth is if (otp === "1234") { Cookies.set("adminusername", email); go("/admin/dashboard") } — fully readable in the exposed sourcemap. No server check; anyone can set the cookie and enter.
main.41b471ce.js.map (HTTP 200) contains sourcesContent — the original TS/JSX for 113 app files, including the admin auth. Everything above was readable because the operator shipped the sourcemap.
Every /api/api/* endpoint (login, register, profile, getdomain, newsletter) returns 502 Bad Gateway. The frontend is alive but the backend is gone — so login/buy/checkout all fail.
Infura IPFS project ID + secret are in the config; the live "ETH" RPC points at Goerli (dead). Local endpoints (localhost:8500, localhost:8545) leaked into the production build.
React 17.0.2 (Feb 2021), ethers v5, web3.js 1.x, moment.js; 7+ dead testnets still referenced (Ropsten/Rinkeby/Goerli/Kovan/Mumbai/Arb-Rinkeby/Opt-Kovan). Reads as ~2021–22 code that was abandoned, then parked on a fresh server in 2025.
No hardcoded private keys, mnemonics, or seed phrases in app code. All privateKey references are web3.js keystore internals — one small reassurance.
Connecting will not drain your wallet (nothing is signed, no drainer payload exists, it is on no blocklist). But connecting does hand your address and IP to a negligent operator, and the product itself is non-functional (dead backend, dead metadata, single-key upgradeable contract, live leaked secrets). There is no good reason to connect or transact here.
What this means for you:
setApprovalForAll granted to 0xe3a5…989f on Polygon (e.g. via revoke.cash). The contract is upgradeable under one key.
Static analysis of the live production bundle (main.41b471ce.js, 2.6 MB) plus all 35
lazy webpack chunks (downloaded from /static/js/{id}.{hash}.chunk.js using the runtime
chunk-map — 1.81 MB total, zero hidden loaders). Wallet-flow handlers were traced byte-for-byte in
the minified code and cross-checked against the exposed sourcemap. The backend API surface was
enumerated from the bundle and probed live.
On-chain checks were done over public RPC (Polygon / BSC / Ethereum): eth_getCode,
eth_getStorageAt on the EIP-1967 slots, eth_call for owner() /
name() / symbol(), implementation-selector extraction and diff against the
frontend ABI. Domain/infra via WHOIS, DNS, crt.sh, reverse-IP, and TLS inspection. Reputation via
raw greps of CryptoScamDB, ScamSniffer, MetaMask eth-phishing-detect, PocketUniverse/PhishFort,
and EtherAddressLookup blocklists, plus urlscan.io and community forums.
An adversarial red-team pass then tried to refute the headline verdict from three lenses —
static code, on-chain/contract, and reputation/intel. All three returned can_refute: false
at high confidence. Reported honestly: a full historical on-chain log sweep (2022→present) could not
be completed because public RPCs cap eth_getLogs ranges — so 2022–23 mint activity
cannot be 100% excluded, though all other evidence points the same way.