In short
- Ethereum wallet MetaMask has been updated to make users more aware of what they are signing when a certain permission is requested.
- This feature is widely used in social media scams that have seen users lose millions of dollars worth of NFTs and tokens.
Social media scams are boom in the NFT areawith Twitter and Discord users tricked into linking to crypto wallets to maliciousness smart contracts– and have theirs NFTs and other tokens were swiped as a result. Reach the top Ethereum wallet, MetaMaskhas updated its interface to try to help users recognize and avoid such scams.
MetaMask released a new 10.18.0 update to its wallet this week, which includes a change to the way the software presents a requested setApprovalForAll permission. Granting that permission allows smart contractβthe code that drives NFTs and decentralized appsβ the ability to access and transfer all NFTs and tokens in a wallet.
After the update, like the security company Wallet Guard noted on TwitterMetaMask now clarifies that a smart contract requests broad permissions, including access to all funds held in the wallet β a feature that can be used for so-called “wallet drainer” exploits.
Screenshots posted on MetaMask’s GitHub software development repository show a new prompt that uses a larger font than the rest of the interface. The sample text reads: “Give permission to access your entire BAYC?” (or Bored Ape Yacht Club), with an additional warning: “By giving permission, you give the following account access to your money.”
MetaMask software engineer Alex Donesky wrote on GitHub on June 22 that “there is some urgency to get something out there since this method is so commonly used.” He also added that the “timeline is compressed”, admitting that this is not how he would approach the change if there was more time to develop it.
In fact, the update comes after a rash of scams spread mainly via hacked social media accounts. In the spring, verified accounts of many Twitter users were hijacked and is used to share scam links inspired by prominent NFT projects such as Azuki and The other sideand steal NFTs and tokens of users who unwittingly linked their wallets to smart contracts.
Recently, the Twitter accounts of various NFT projects and notable collectors were hacked to share similar types of links, billing them as a free NFT or token drop. Such scams have also taken place via hacked Discord and Instagram accounts. It has led to a debate about creators and projects shall compensate users who lose assets via such fraud.
Earlier this month, NFT slip registration platform Premint was affected by a website hack that used the setApprovalForAll function to steal a number of valuable NFTs and tokens from affected users. Ultimately, the firm compensated users in magnitude over 500,000 USD in ETHand bought back and returned a couple of expensive NFT collectibles as well.
“The user interface of the most popular wallets needs to be drastically improved to make it almost impossible for someone to connect to a wallet tapper,” Premint founder Brenden Mulligan told Decrypt last week. “This is a solvable problem, but it’s crazy that it’s so easy to empty a wallet and there aren’t more warnings in place to protect people.”
To be clear, MetaMask’s update does not make any judgment calls about the contract that users are trying to connect to, and does not specifically call out identified scams. Furthermore, there are potentially legitimate uses for the setApprovalForAll feature for certain dapps, such as in NFT marketplaces, which only further confuses the user decision.
Still, the MetaMask update can help minimize the impact of fraud. Some NFT collectors who have fallen for such social media scams have been accused of recklessly approving transactions due to FOMO and speculative frenzy surrounding NFTs, and this extra step may give users pause β and an opportunity to reconsider their actions .
We will see if MetaMask takes this new feature forward in future updates, as well as if competing wallets will adopt similar techniques. After all, scams are not limited to MetaMask users, nor to Ethereum. Solana has a similar feature (signAllTransactions) and a notable NFT collector just fell victim to such a scam via his Phantom wallet.
The pseudonymous one co-founder of MonkeDAO, Nom, last night tweeted about how his wallet was drained in an attack when he was interacting with a smart contract he thought was safe to use. Nom wrote that he lost about 500 SOL (about $20,200) and NFTs including one from Solana Monkey Businessas the attacker then sold for 197 SOL ($7,736).
Stay up to date on crypto news, get daily updates in your inbox.
