Following a rash of social media NFT scams, MetaMask adds an extra step that could help users avoid “wallet drainer” attacks.
Social media scams are booming in the NFT space, with Twitter and Discord users duped into connecting their crypto wallets to malicious smart contracts—and having their NFTs and other tokens swiped as a result. Now the top Ethereum wallet, MetaMask, has updated its interface to try and help users recognize and avoid such scams.
MetaMask released a new 10.18.0 update to the wallet this week, which includes a change to the way that the software presents a requested setApprovalForAll permission. Granting that permission allows the smart contract—the code that powers NFTs and decentralized apps—the ability to access and transfer out all NFTs and tokens in a wallet.
Following the update, as security firm Wallet Guard noted on Twitter, MetaMask now makes it clearer that a smart contract is requesting broad permissions, including access to any funds held within the wallet—a function that can be used for so-called “wallet drainer” exploits.
Screenshots posted to MetaMask’s GitHub software development repository show a new prompt that uses a larger font than the rest of the interface. The example text reads, “Give permission to access all of your BAYC?” (or Bored Ape Yacht Club), with an additional warning reading, “By granting permission, you are allowing the following account to access your funds.”
MetaMask Software Engineer Alex Donesky wrote on GitHub on June 22 that “there is some urgency to get something out there since this method is so commonly used.” He also added that the “timeline is compressed,” and admitted that it wasn’t how he would approach the change if there was more time to develop it.
Indeed, the update comes following a rash of scams that are primarily spread via hacked social media accounts. In the spring, verified accounts of numerous Twitter users were hijacked and used to share scam links inspired by prominent NFT projects like Azuki and Otherside, and steal the NFTs and tokens of users who unwittingly connected their wallets to the smart contracts.
More recently, the Twitter accounts of various NFT projects and notable collectors were hacked to share similar types of links, billing them as a free NFT or token drop. Such scams have taken place via hacked Discord and Instagram accounts as well. It has led to a debate over whether creators and projects should compensate users who lose assets via such scams.
Earlier this month, NFT drop registration platform Premint was impacted by a hack to its website that used the setApprovalForAll function to steal an array of valuable NFTs and tokens from affected users. Ultimately, the firm reimbursed users to the tune of over $500,000 worth of ETH, and bought back and returned a pair of pricey NFT collectibles as well.
“The user interface for the most popular wallets need to be drastically improved to make it near impossible for someone to connect to a wallet drainer,” Premint founder Brenden Mulligan told Decrypt last week. “This is a solvable problem, but it’s batshit crazy that it’s so easy to drain a wallet and there aren’t more warnings in place to protect people.”
To be clear, MetaMask’s update does not make any judgment call about the contract that users are attempting to connect to, and does not specifically call out identified scams. Furthermore, there are potentially legitimate uses for the setApprovalForAll function for certain dapps, such as on NFT marketplaces, which only further muddles the user decision.
Still, the MetaMask update could help minimize the impact of scams. Some NFT collectors who have fallen for such social media scams have been accused of recklessly approving transactions due to FOMO and speculative frenzy around NFTs, and this extra step might give users pause—and an opportunity to reconsider their actions.
We’ll see whether MetaMask takes this new feature further in future updates, as well as whether competing wallets will adopt similar techniques. Scams aren’t limited to MetaMask users, after all, and not to Ethereum either. Solana has a similar function (signAllTransactions), and a notable NFT collector just fell victim to such a scam via his Phantom wallet.
The pseudonymous co-founder of MonkeDAO, Nom, last night tweeted about how his wallet was drained in an attack when he interacted with a smart contract that he thought was safe to use. Nom wrote that he lost about 500 SOL (about $20,200) and NFTs including one from Solana Monkey Business, which the attacker then sold for 197 SOL ($7,736).