29/07/2022 This MetaMask Ethereum Wallet Update May Help Thwart NFT Scams

Following a rash of social media NFT scams, MetaMask adds an extra step that could help users avoid “wallet drainer” attacks.


Social media scams are booming in the NFT space, with Twitter and Discord users duped into connecting their crypto wallets to malicious smart contracts—and having their NFTs and other tokens swiped as a result. Now the top Ethereum wallet, MetaMask, has updated its interface to try and help users recognize and avoid such scams.

MetaMask released a new 10.18.0 update to the wallet this week, which includes a change to the way that the software presents a requested setApprovalForAll permission. Granting that permission allows the smart contract—the code that powers NFTs and decentralized apps—the ability to access and transfer out all NFTs and tokens in a wallet.

Following the update, as security firm Wallet Guard noted on Twitter, MetaMask now makes it clearer that a smart contract is requesting broad permissions, including access to any funds held within the wallet—a function that can be used for so-called “wallet drainer” exploits.

Screenshots posted to MetaMask’s GitHub software development repository show a new prompt that uses a larger font than the rest of the interface. The example text reads, “Give permission to access all of your BAYC?” (or Bored Ape Yacht Club), with an additional warning reading, “By granting permission, you are allowing the following account to access your funds.”
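Before a wallet can show a dedicated prompt like this, it has to recognize the request in the raw transaction data. The sketch below is an added example, not MetaMask's code: it decodes calldata for the standard `setApprovalForAll(address,bool)` selector and separates a grant from a revocation. The function names, the warning wording and the sample addresses are assumptions made for illustration.

```javascript
// Added example, not MetaMask code. First 4 bytes of
// keccak256("setApprovalForAll(address,bool)") for ERC-721 / ERC-1155.
const SET_APPROVAL_FOR_ALL = "a22cb465";

// Decode calldata; returns null when it is not a setApprovalForAll call.
function decodeSetApprovalForAll(calldata) {
  const hex = String(calldata).toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]+$/.test(hex)) return null;
  // selector (8 hex chars) followed by two 32-byte ABI words (64 chars each)
  if (hex.length < 136 || hex.slice(0, 8) !== SET_APPROVAL_FOR_ALL) return null;
  const operatorWord = hex.slice(8, 72);
  const approvedWord = hex.slice(72, 136);
  return {
    // an address occupies the low 20 bytes of its word
    operator: "0x" + operatorWord.slice(24),
    // lenient on purpose: any non-zero word counts as "approved", so an
    // oddly encoded request is still flagged rather than silently ignored
    approved: BigInt("0x" + approvedWord) !== 0n,
  };
}

// Turn the decoded call into what the user should be shown (hypothetical helper).
function describeRequest(calldata, collectionName) {
  const call = decodeSetApprovalForAll(calldata);
  if (call === null) return { kind: "other", warning: null };
  if (!call.approved) {
    return { kind: "revoke-all", operator: call.operator, warning: null };
  }
  return {
    kind: "grant-all",
    operator: call.operator,
    warning: `Give permission to access all of your ${collectionName}? ` +
      `${call.operator} will be able to transfer every token in it.`,
  };
}

// Constructed sample calldata; the operator address is a placeholder.
const SAMPLE_OPERATOR = "0x" + "11".repeat(20);
const pad = (h) => h.padStart(64, "0");
const SAMPLE_GRANT = "0x" + SET_APPROVAL_FOR_ALL + pad("11".repeat(20)) + pad("1");
const SAMPLE_REVOKE = "0x" + SET_APPROVAL_FOR_ALL + pad("11".repeat(20)) + pad("0");

console.log(describeRequest(SAMPLE_GRANT, "BAYC"));
```

A revocation uses the same function with `false`, so only the grant carries a warning here.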

MetaMask Software Engineer Alex Donesky wrote on GitHub on June 22 that “there is some urgency to get something out there since this method is so commonly used.” He also added that the “timeline is compressed,” and admitted that it wasn’t how he would approach the change if there was more time to develop it.

Indeed, the update comes following a rash of scams that are primarily spread via hacked social media accounts. In the spring, verified accounts of numerous Twitter users were hijacked and used to share scam links inspired by prominent NFT projects like Azuki and Otherside, and steal the NFTs and tokens of users who unwittingly connected their wallets to the smart contracts.

More recently, the Twitter accounts of various NFT projects and notable collectors were hacked to share similar types of links, billing them as a free NFT or token drop. Such scams have taken place via hacked Discord and Instagram accounts as well. It has led to a debate over whether creators and projects should compensate users who lose assets via such scams.

Earlier this month, NFT drop registration platform Premint was impacted by a hack to its website that used the setApprovalForAll function to steal an array of valuable NFTs and tokens from affected users. Ultimately, the firm reimbursed users to the tune of over $500,000 worth of ETH, and bought back and returned a pair of pricey NFT collectibles as well.

“The user interface for the most popular wallets need to be drastically improved to make it near impossible for someone to connect to a wallet drainer,” Premint founder Brenden Mulligan told Decrypt last week. “This is a solvable problem, but it’s batshit crazy that it’s so easy to drain a wallet and there aren’t more warnings in place to protect people.”

To be clear, MetaMask’s update does not make any judgment call about the contract that users are attempting to connect to, and does not specifically call out identified scams. Furthermore, there are potentially legitimate uses for the setApprovalForAll function for certain dapps, such as on NFT marketplaces, which only further muddles the user decision.

Still, the MetaMask update could help minimize the impact of scams. Some NFT collectors who have fallen for such social media scams have been accused of recklessly approving transactions due to FOMO and speculative frenzy around NFTs, and this extra step might give users pause—and an opportunity to reconsider their actions.

We’ll see whether MetaMask takes this new feature further in future updates, as well as whether competing wallets will adopt similar techniques. Scams aren’t limited to MetaMask users, after all, and not to Ethereum either. Solana has a similar function (signAllTransactions), and a notable NFT collector just fell victim to such a scam via his Phantom wallet.

The pseudonymous co-founder of MonkeDAO, Nom, last night tweeted about how his wallet was drained in an attack when he interacted with a smart contract that he thought was safe to use. Nom wrote that he lost about 500 SOL (about $20,200) and NFTs including one from Solana Monkey Business, which the attacker then sold for 197 SOL ($7,736).


https://decrypt.co/106164/metamask-ethereum-wallet-update-help-thwart-nft-scams?amp=1
