29/07/2022 This MetaMask Ethereum Wallet Update May Help Thwart NFT Scams

Following a rash of social media NFT scams, MetaMask adds an extra step that could help users avoid “wallet drainer” attacks.

metamask-nfts-bored-apes-gID_4.jpeg

Social media scams arebooming in the NFT space, with Twitter andDiscord users dupedinto connecting their cryptowalletsto malicioussmart contracts—and having theirNFTsand other tokens swiped as a result. Now the topEthereumwallet,MetaMask, has updated its interface to try and help users recognize and avoid such scams.

MetaMask released a new 10.18.0 update to the wallet this week, which includes a change to the way that the software presents a requested setApprovalForAll permission. Granting that permission allows thesmart contract—the code that powers NFTs anddecentralized apps—the ability to access and transfer out all NFTs andtokensin a wallet.

Following the update, as security firm Wallet Guardnoted on Twitter, MetaMask now makes it clearer that a smart contract is requesting broad permissions, including access to any funds held within the wallet—a function that can be used for so-called “wallet drainer” exploits.

Screenshots posted to MetaMask’sGitHub software development repositoryshow a new prompt that uses a larger font than the rest of the interface. The example text reads, “Give permission to access all of your BAYC?” (orBored Ape Yacht Club), with an additional warning reading, “By granting permission, you are allowing the following account to access your funds.”

MetaMask Software Engineer Alex Donesky wrote on GitHub on June 22 that “there is some urgency to get something out there since this method is so commonly used.” He also added that the “timeline is compressed,” and admitted that it wasn’t how he would approach the change if there was more time to develop it.

Indeed, the update comes following a rash of scams that are primarily spread via hacked social media accounts. In the spring, verified accounts of numerousTwitter users were hijackedand used to share scam links inspired by prominent NFT projects like Azuki andOtherside, and steal the NFTs and tokens of users who unwittingly connected their wallets to the smart contracts.

More recently, the Twitter accounts of various NFT projects and notable collectors were hacked to share similar types of links, billing them as a free NFT or token drop. Such scams have taken place via hacked Discord and Instagram accounts as well. It has led to a debate over whether creators and projectsshould compensate userswho lose assets via such scams.

Earlier this month, NFT drop registration platform Premint was impacted by a hack to its website that used the setApprovalForAll function tosteal an array of valuable NFTs and tokensfrom affected users. Ultimately, the firm reimbursed users to the tune ofover $500,000 worth of ETH, and bought back and returned a pair of pricey NFT collectibles as well.

“The user interface for the most popular wallets need to be drastically improved to make it near impossible for someone to connect to a wallet drainer,” Premint founder Brenden MulligantoldDecryptlast week. “This is a solvable problem, but it’s batshit crazy that it’s so easy to drain a wallet and there aren’t more warnings in place to protect people.”

To be clear, MetaMask’s update does not make any judgment call about the contract that users are attempting to connect to, and does not specifically call out identified scams. Furthermore, there are potentially legitimate uses for the setApprovalForAll function for certain dapps, such as on NFT marketplaces, which only further muddles the user decision.

Still, the MetaMask update could help minimize the impact of scams. Some NFT collectors who have fallen for such social media scams have been accused of recklessly approving transactions due to FOMO and speculative frenzy around NFTs, and this extra step might give users pause—and an opportunity to reconsider their actions.

We’ll see whether MetaMask takes this new feature further in future updates, as well as whether competing wallets will adopt similar techniques. Scams aren’t limited to MetaMask users, after all, and not to Ethereum either.Solanahas a similar function (signAllTransactions), and a notable NFT collector just fell victim to such a scam via hisPhantom wallet.

The pseudonymousco-founder of MonkeDAO, Nom, last nighttweetedabout how his wallet was drained in an attack when he interacted with a smart contract that he thought was safe to use. Nom wrote that he lost about 500 SOL (about $20,200) and NFTs including one fromSolana Monkey Business, which the attacker thensold for 197 SOL($7,736).

Arts

https://decrypt.co/106164/metamask-ethereum-wallet-update-help-thwart-nft-scams?amp=1

Interesting NFTs
Art Is The Currency of the Infinite
This still-life, titled after one of Pablo Picasso's infamous quotes, was made solely using 3D softwares and apps, in an attempt to bring this often forgotten artistic genre into the 21st century through the use of new artistic mediums and technologies. This piece is also an invitation to meditate on the role of "value" throught the ages and how it's been radically altered by the coming into existence of technologies and concepts like cryptocurrencies and digital scarcity.
CYBERSKULL #2
CYBERSKULL #2 is created by WINCHAWA ///
Who Is The Creator 2
The idea for this piece was borne out of a tweet of mine that caused a bit of a stir. I’d posted a link to a blog article I’d written a number of months previous titled ‘Who is the Creator’ discussing various types of creative collaborations and why I hire people to work on my animations. It generated a lot of debate around creation and attribution with the community split on whether it’s right or wrong for an artist to hire other professionals to help them realize their art projects. I decided to push the boundaries even further and see how the cryptoart community responded. What if I quite literally had nothing to do with the physical or digital elements of the work other than coming up with the concept and coordinating it? I decided there was one artist in the space who could add huge value to this idea on levels that none other could and so I gathered my courage and contacted the great JosĂ© Delbo to ask him if he’d be interested in a very unique collaboration. I explained to him that to make this piece ‘work’ he couldn't have any say in what I produced and moreover, he wouldn’t even be allowed to see the animation until it was dropped on MakersPlace. To my surprise, Mr Delbo agreed to my proposal. The animation tells the story of the creative process, which includes my roles as writer, director, and producer working with a team and making edits and changes ‘in real time’. The dialogue between myself and my ‘hired guns’ plays out in front of the viewer. The music written for the piece adds to the nostalgia of the comic book superhero theme but other elements such as the snapping and kicking of the pencil and the signing of my signature at the bottom incorporates further layers and challenges the viewer to ask important questions, such as, is the ‘Art’ the final animation (the creation) or is the ‘Art’ the concept/credit for the creation itself?
#53660
By OthersideDeployer
Ocean Front (Beeple)
Cinema 4D, Octane render, Photoshop Everyday #4344