Social media scams arebooming in the NFT space, with Twitter andDiscord users dupedinto connecting their cryptowalletsto malicioussmart contractsâand having theirNFTsand other tokens swiped as a result. Now the topEthereumwallet,MetaMask, has updated its interface to try and help users recognize and avoid such scams.
MetaMask released a new 10.18.0 update to the wallet this week, which includes a change to the way that the software presents a requested setApprovalForAll permission. Granting that permission allows thesmart contractâthe code that powers NFTs anddecentralized appsâthe ability to access and transfer out all NFTs andtokensin a wallet.
Following the update, as security firm Wallet Guardnoted on Twitter, MetaMask now makes it clearer that a smart contract is requesting broad permissions, including access to any funds held within the walletâa function that can be used for so-called âwallet drainerâ exploits.
Screenshots posted to MetaMaskâsGitHub software development repositoryshow a new prompt that uses a larger font than the rest of the interface. The example text reads, âGive permission to access all of your BAYC?â (orBored Ape Yacht Club), with an additional warning reading, âBy granting permission, you are allowing the following account to access your funds.â
MetaMask Software Engineer Alex Donesky wrote on GitHub on June 22 that âthere is some urgency to get something out there since this method is so commonly used.â He also added that the âtimeline is compressed,â and admitted that it wasnât how he would approach the change if there was more time to develop it.
Indeed, the update comes following a rash of scams that are primarily spread via hacked social media accounts. In the spring, verified accounts of numerousTwitter users were hijackedand used to share scam links inspired by prominent NFT projects like Azuki andOtherside, and steal the NFTs and tokens of users who unwittingly connected their wallets to the smart contracts.
More recently, the Twitter accounts of various NFT projects and notable collectors were hacked to share similar types of links, billing them as a free NFT or token drop. Such scams have taken place via hacked Discord and Instagram accounts as well. It has led to a debate over whether creators and projectsshould compensate userswho lose assets via such scams.
Earlier this month, NFT drop registration platform Premint was impacted by a hack to its website that used the setApprovalForAll function tosteal an array of valuable NFTs and tokensfrom affected users. Ultimately, the firm reimbursed users to the tune ofover $500,000 worth of ETH, and bought back and returned a pair of pricey NFT collectibles as well.
âThe user interface for the most popular wallets need to be drastically improved to make it near impossible for someone to connect to a wallet drainer,â Premint founder Brenden MulligantoldDecryptlast week. âThis is a solvable problem, but itâs batshit crazy that itâs so easy to drain a wallet and there arenât more warnings in place to protect people.â
To be clear, MetaMaskâs update does not make any judgment call about the contract that users are attempting to connect to, and does not specifically call out identified scams. Furthermore, there are potentially legitimate uses for the setApprovalForAll function for certain dapps, such as on NFT marketplaces, which only further muddles the user decision.
Still, the MetaMask update could help minimize the impact of scams. Some NFT collectors who have fallen for such social media scams have been accused of recklessly approving transactions due to FOMO and speculative frenzy around NFTs, and this extra step might give users pauseâand an opportunity to reconsider their actions.
Weâll see whether MetaMask takes this new feature further in future updates, as well as whether competing wallets will adopt similar techniques. Scams arenât limited to MetaMask users, after all, and not to Ethereum either.Solanahas a similar function (signAllTransactions), and a notable NFT collector just fell victim to such a scam via hisPhantom wallet.
The pseudonymousco-founder of MonkeDAO, Nom, last nighttweetedabout how his wallet was drained in an attack when he interacted with a smart contract that he thought was safe to use. Nom wrote that he lost about 500 SOL (about $20,200) and NFTs including one fromSolana Monkey Business, which the attacker thensold for 197 SOL($7,736).
https://decrypt.co/106164/metamask-ethereum-wallet-update-help-thwart-nft-scams?amp=1