Following a rash of social media NFT scams, MetaMask adds an extra step that could help users avoid “wallet drainer” attacks.

Social media scams arebooming in the NFT space, with Twitter andDiscord users dupedinto connecting their cryptowalletsto malicioussmart contracts—and having theirNFTsand other tokens swiped as a result. Now the topEthereumwallet,MetaMask, has updated its interface to try and help users recognize and avoid such scams.

MetaMask released a new 10.18.0 update to the wallet this week, which includes a change to the way that the software presents a requested setApprovalForAll permission. Granting that permission allows thesmart contract—the code that powers NFTs anddecentralized apps—the ability to access and transfer out all NFTs andtokensin a wallet.

Following the update, as security firm Wallet Guardnoted on Twitter, MetaMask now makes it clearer that a smart contract is requesting broad permissions, including access to any funds held within the wallet—a function that can be used for so-called “wallet drainer” exploits.

Screenshots posted to MetaMask’sGitHub software development repositoryshow a new prompt that uses a larger font than the rest of the interface. The example text reads, “Give permission to access all of your BAYC?” (orBored Ape Yacht Club), with an additional warning reading, “By granting permission, you are allowing the following account to access your funds.”

MetaMask Software Engineer Alex Donesky wrote on GitHub on June 22 that “there is some urgency to get something out there since this method is so commonly used.” He also added that the “timeline is compressed,” and admitted that it wasn’t how he would approach the change if there was more time to develop it.

Indeed, the update comes following a rash of scams that are primarily spread via hacked social media accounts. In the spring, verified accounts of numerousTwitter users were hijackedand used to share scam links inspired by prominent NFT projects like Azuki andOtherside, and steal the NFTs and tokens of users who unwittingly connected their wallets to the smart contracts.

More recently, the Twitter accounts of various NFT projects and notable collectors were hacked to share similar types of links, billing them as a free NFT or token drop. Such scams have taken place via hacked Discord and Instagram accounts as well. It has led to a debate over whether creators and projectsshould compensate userswho lose assets via such scams.

Earlier this month, NFT drop registration platform Premint was impacted by a hack to its website that used the setApprovalForAll function tosteal an array of valuable NFTs and tokensfrom affected users. Ultimately, the firm reimbursed users to the tune ofover $500,000 worth of ETH, and bought back and returned a pair of pricey NFT collectibles as well.

“The user interface for the most popular wallets need to be drastically improved to make it near impossible for someone to connect to a wallet drainer,” Premint founder Brenden MulligantoldDecryptlast week. “This is a solvable problem, but it’s batshit crazy that it’s so easy to drain a wallet and there aren’t more warnings in place to protect people.”

To be clear, MetaMask’s update does not make any judgment call about the contract that users are attempting to connect to, and does not specifically call out identified scams. Furthermore, there are potentially legitimate uses for the setApprovalForAll function for certain dapps, such as on NFT marketplaces, which only further muddles the user decision.

Still, the MetaMask update could help minimize the impact of scams. Some NFT collectors who have fallen for such social media scams have been accused of recklessly approving transactions due to FOMO and speculative frenzy around NFTs, and this extra step might give users pause—and an opportunity to reconsider their actions.

We’ll see whether MetaMask takes this new feature further in future updates, as well as whether competing wallets will adopt similar techniques. Scams aren’t limited to MetaMask users, after all, and not to Ethereum either.Solanahas a similar function (signAllTransactions), and a notable NFT collector just fell victim to such a scam via hisPhantom wallet.

The pseudonymousco-founder of MonkeDAO, Nom, last nighttweetedabout how his wallet was drained in an attack when he interacted with a smart contract that he thought was safe to use. Nom wrote that he lost about 500 SOL (about $20,200) and NFTs including one fromSolana Monkey Business, which the attacker thensold for 197 SOL($7,736).