MetaMask Now Adds An Extra Step That Could Help Users Avoid Attacks
MetaMask Now Adds An Extra Step That Could Help Users Avoid Attacks
MetaMask released a new 10.18.0 update to the wallet this week, which includes a change to the way that the software presents a requested setApprovalForAll permission. Granting that permission allows the smart contract—the code that powers NFTs and decentralized apps—the ability to access and transfer out all NFTs and tokens in a wallet.
Following the update, as security firm Wallet Guard noted on Twitter, MetaMask now makes it clearer that a smart contract is requesting broad permissions, including access to any funds held within the wallet—a function that can be used for so-called “wallet drainer” exploits.
Screenshots posted to MetaMask’s GitHub software development repository show a new prompt that uses a larger font than the rest of the interface. The example text reads, “Give permission to access all of your BAYC?”, with an additional warning reading, “By granting permission, you are allowing the following account to access your funds.”
MetaMask Software Engineer Alex Donesky wrote on GitHub on June 22 that “there is some urgency to get something out there since this method is so commonly used.” He also added that the “timeline is compressed,” and admitted that it wasn’t how he would approach the change if there was more time to develop it.
Indeed, the update comes following a rash of scams that are primarily spread via hacked social media accounts. In the spring, verified accounts of numerous Twitter users were hijacked and used to share scam links inspired by prominent NFT projects like Azuki and Otherside, and steal the NFTs and tokens of users who unwittingly connected their wallets to the smart contracts.
More recently, the Twitter accounts of various NFT projects and notable collectors were hacked to share similar types of links, billing them as a free NFT or token drop. Such scams have taken place via hacked Discord and Instagram accounts as well. It has led to a debate over whether creators and projects should compensate users who lose assets via such scams.
To be clear, MetaMask’s update does not make any judgment call about the contract that users are attempting to connect to, and does not specifically call out identified scams. Furthermore, there are potentially legitimate uses for the setApprovalForAll function for certain dapps, such as on NFT marketplaces, which only further muddles the user decision.
We’ll see whether MetaMask takes this new feature further in future updates, as well as whether competing wallets will adopt similar techniques.
DISCLAIMER: The Information on this website is provided as general market commentary and does not constitute investment advice. We encourage you to do your own research before investing.
Join CoinCu Telegram to keep track of news: https://t.me/coincunews
Follow CoinCu Youtube Channel | Follow CoinCu Facebook page
Hazel
CoinCu News
Author
News
MetaMask Now Adds An Extra Step That Could Help Users Avoid Attacks
MetaMask Now Adds An Extra Step That Could Help Users Avoid Attacks
MetaMask released a new 10.18.0 update to the wallet this week, which includes a change to the way that the software presents a requested setApprovalForAll permission. Granting that permission allows the smart contract—the code that powers NFTs and decentralized apps—the ability to access and transfer out all NFTs and tokens in a wallet.
Following the update, as security firm Wallet Guard noted on Twitter, MetaMask now makes it clearer that a smart contract is requesting broad permissions, including access to any funds held within the wallet—a function that can be used for so-called “wallet drainer” exploits.
Screenshots posted to MetaMask’s GitHub software development repository show a new prompt that uses a larger font than the rest of the interface. The example text reads, “Give permission to access all of your BAYC?”, with an additional warning reading, “By granting permission, you are allowing the following account to access your funds.”
MetaMask Software Engineer Alex Donesky wrote on GitHub on June 22 that “there is some urgency to get something out there since this method is so commonly used.” He also added that the “timeline is compressed,” and admitted that it wasn’t how he would approach the change if there was more time to develop it.
Indeed, the update comes following a rash of scams that are primarily spread via hacked social media accounts. In the spring, verified accounts of numerous Twitter users were hijacked and used to share scam links inspired by prominent NFT projects like Azuki and Otherside, and steal the NFTs and tokens of users who unwittingly connected their wallets to the smart contracts.
More recently, the Twitter accounts of various NFT projects and notable collectors were hacked to share similar types of links, billing them as a free NFT or token drop. Such scams have taken place via hacked Discord and Instagram accounts as well. It has led to a debate over whether creators and projects should compensate users who lose assets via such scams.
To be clear, MetaMask’s update does not make any judgment call about the contract that users are attempting to connect to, and does not specifically call out identified scams. Furthermore, there are potentially legitimate uses for the setApprovalForAll function for certain dapps, such as on NFT marketplaces, which only further muddles the user decision.
We’ll see whether MetaMask takes this new feature further in future updates, as well as whether competing wallets will adopt similar techniques.
DISCLAIMER: The Information on this website is provided as general market commentary and does not constitute investment advice. We encourage you to do your own research before investing.
Join CoinCu Telegram to keep track of news: https://t.me/coincunews
Follow CoinCu Youtube Channel | Follow CoinCu Facebook page
Hazel
CoinCu News
Other Posts
Related Posts
