Following a spate of NFT scams on social networks, MetaMask adds an additional step that could help users avoid attacks by "wallet drainers."
Social media scams are booming in the NFT space, with Twitter and Discord users being tricked into connecting their cryptocurrency wallets to malicious smart contracts and having their NFTs and other tokens stolen as a result.
MetaMask’s wallet has been updated
Now, Ethereum’s main wallet, MetaMask, has updated its interface to try to help users recognize and avoid these scams.
MetaMask released a new 10.18.0 update to the wallet this week, which includes a change to the way the software presents a requested setApprovalForAll permission.
Granting that permission allows the smart contract code that powers NFTs and decentralized applications the ability to access and transfer all NFTs and tokens in a wallet.
Following the update, as noted by security firm Wallet Guard on Twitter, MetaMask now makes it clearer that a smart contract is requesting broad permissions, including access to any funds found in the wallet, a capability that is abused in so-called “wallet drainer” exploits.
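To make concrete what the new prompt is warning about (and why the legitimate NFT-marketplace use mentioned later in the article makes the decision hard), here is an added defender-side example that is not MetaMask's code and not part of the original article. It inspects the raw calldata of a pending transaction and flags a blanket-approval request before the user signs. It relies on two well-known facts: ABI calldata is a 4-byte function selector followed by 32-byte words, and the selector for setApprovalForAll(address,bool) is 0xa22cb465. It also goes one step beyond the article by flagging unlimited ERC-20 approve(address,uint256) allowances (selector 0x095ea7b3), which drainers use for fungible tokens. The sample calldata, the operator address and the risk labels are constructed for illustration.

```javascript
// Added example (not MetaMask's code): classify approval requests in raw
// calldata so a wallet, browser extension or pre-signing hook can warn the user.
//
// Selector = first 4 bytes of keccak256(canonical signature). These two values
// are fixed by the ERC-721/ERC-1155 and ERC-20 standards:
const SELECTORS = {
  a22cb465: "setApprovalForAll(address,bool)", // ERC-721 / ERC-1155 operator approval
  "095ea7b3": "approve(address,uint256)",       // ERC-20 allowance
};

const MAX_UINT256 = (1n << 256n) - 1n;

function strip0x(hex) {
  return hex.startsWith("0x") || hex.startsWith("0X") ? hex.slice(2) : hex;
}

// Return the i-th 32-byte ABI word (as 64 hex chars) after the selector.
function word(data, i) {
  const start = 8 + i * 64;
  const w = data.slice(start, start + 64);
  if (w.length !== 64) throw new Error("calldata too short for this method");
  return w;
}

// An address is right-aligned in its word; the 12 leading bytes must be zero.
function decodeAddress(w) {
  if (!/^0{24}/.test(w)) throw new Error("non-zero padding in address word");
  return "0x" + w.slice(24);
}

// Returns { risk, method, ...details }. risk is "none" | "medium" | "high".
function inspectCalldata(hex) {
  const data = strip0x(hex).toLowerCase();
  if (!/^[0-9a-f]*$/.test(data)) throw new Error("calldata is not hex");
  const selector = data.slice(0, 8);
  const method = SELECTORS[selector];
  if (!method) {
    return { risk: "none", selector, reason: "not an approval method" };
  }

  if (selector === "a22cb465") {
    const operator = decodeAddress(word(data, 0));
    const approved = BigInt("0x" + word(data, 1)) !== 0n;
    if (approved) {
      return {
        risk: "high",
        method,
        operator,
        reason:
          "operator could transfer every token of this collection held by the wallet",
      };
    }
    return { risk: "none", method, operator, reason: "revokes operator approval" };
  }

  // approve(address,uint256): unlimited allowance is the ERC-20 analogue.
  const spender = decodeAddress(word(data, 0));
  const amount = BigInt("0x" + word(data, 1));
  if (amount === MAX_UINT256) {
    return { risk: "high", method, spender, amount: amount.toString(), reason: "unlimited allowance" };
  }
  if (amount === 0n) {
    return { risk: "none", method, spender, amount: "0", reason: "revokes allowance" };
  }
  return { risk: "medium", method, spender, amount: amount.toString(), reason: "bounded allowance" };
}

// Constructed sample: setApprovalForAll(<hypothetical operator>, true) — the
// request a drainer site would push to the wallet after "connect".
const SAMPLE_OPERATOR = "deadbeef".repeat(5); // 20 bytes, hypothetical
const SAMPLE_DRAINER_REQUEST =
  "0xa22cb465" + "0".repeat(24) + SAMPLE_OPERATOR + "0".repeat(63) + "1";

// Same operator, approved=false: what a user should send to revoke.
const SAMPLE_REVOKE_REQUEST =
  "0xa22cb465" + "0".repeat(24) + SAMPLE_OPERATOR + "0".repeat(64);

if (typeof require !== "undefined" && require.main === module) {
  console.log(inspectCalldata(SAMPLE_DRAINER_REQUEST));
  console.log(inspectCalldata(SAMPLE_REVOKE_REQUEST));
}
```

The check is deliberately syntactic: it does not know whether the operator is a marketplace contract or a drainer, which is exactly the limitation the article notes about MetaMask's prompt. A fuller hook would look the operator address up against a list of known contracts the user has chosen to trust, and treat anything else requesting "high" as something to stop and read.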
.@Metamask 10.18.0 is out 🙌
This update includes the much-needed emphasis for when a transaction is requesting "Set Approval For All"
Kudos to the team for addressing this quickly pic.twitter.com/zWHVVPszzR
— Wallet Guard (@wallet_guard) July 27, 2022
Screenshots posted on MetaMask’s GitHub repository show a new prompt that uses a larger font than the rest of the interface.
The sample text reads, “Give permission to access your entire BAYC?” (or Bored Ape Yacht Club), with an additional warning that reads, “By granting permission, you are allowing the following account to access your funds.”
MetaMask software engineer Alex Donesky wrote on GitHub on June 22 that “there is some urgency to get something out, as this method is widely used.” He added that the “timeline is compressed,” and acknowledged that this was not how he would approach the change if there were more time to develop it.
Hacked social network scams
This update comes on the heels of a spate of scams spread primarily through hacked social media accounts. In the spring, the verified accounts of numerous Twitter users were hijacked and used to share scam links inspired by prominent NFT projects such as Azuki and Otherside, and to steal the NFTs and tokens of users who unknowingly connected their wallets to smart contracts.
More recently, the Twitter accounts of several notable NFT projects and collectors were hacked to share similar types of links, billing them as a delivery of free NFTs or tokens.
These scams have also occurred through hacked Discord and Instagram accounts. This has led to a debate over whether creators and projects should compensate users who lose assets through these scams.
Earlier this month, NFT drop registration platform Premint was hit by a hack of its website that used the setApprovalForAll feature to steal a number of valuable NFTs and tokens from affected users.
In the end, the company refunded users more than $500,000 in ETH, and also purchased and returned a couple of valuable collectible NFTs.
“The user interface of the most popular wallets needs to be drastically improved to make it nearly impossible for someone to connect to a wallet drainer,” said Premint founder Brenden Mulligan. “This is a fixable problem, but it’s crazy that it’s so easy to drain a wallet and there aren’t more warnings to protect people.”
To be clear, the MetaMask update makes no judgment about the contract users are trying to connect to, and does not specifically call out the scams identified.
Furthermore, there are legitimate uses of the setApprovalForAll function for certain dapps, such as NFT marketplaces that need operator approval to list and settle sales, which only further complicates the user’s decision.
Still, the MetaMask update could help minimize the impact of scams. Some NFT collectors who have fallen for such scams on social media have been accused of recklessly approving trades due to FOMO and the speculative frenzy around NFTs, and this additional step could give users pause and a chance to reconsider their actions.
Solana has a similar feature (signAllTransactions), and a notable NFT collector just fell victim to such a scam via his Phantom wallet.
MonkeDAO’s pseudonymous co-founder Nom tweeted last night how his wallet was drained in an attack when he interacted with a smart contract he thought was secure.