MetaMask is ready to warn users to avoid update scams

Has the recent prominence of social media NFT scams disappointed you? Or, perhaps more accurately, has your wallet been robbed of your hard-earned digital assets? An update to Ethereum’s MetaMask could be the answer to wallet security after an increase in “wallet drainer” activity.

Social media scammers prey on users who sign a permission request without knowing what access they are granting. Wallet drainer attacks are currently thriving in the NFT (Non-Fungible Token) space, leading to millions of dollars in lost NFT and token assets. Twitter and Discord are where most of the attacks happen.

MetaMask, the top Ethereum wallet, has updated its interface to warn users about this danger. The update comes in the form of an additional step to make users more aware of what they are signing before attaching their wallets to a potentially harmful smart contract.

Fight against hackers

Released this week as the 10.80.10 update, the change alters the way the software presents a requested setApprovalForAll permission. Once this permission is granted, the smart contract can access and transfer all NFTs and tokens in the wallet. A smart contract is the code that powers NFTs and decentralized applications.

MetaMask previewed the update, showing a new prompt that uses a larger font than the rest of the interface. In this example the text read, “Allow access to all your BAYC?”, with a subsequent warning saying, “By granting permission, you are allowing the following account to access your funds.” MetaMask posted the preview in a series of screenshots on its GitHub software development repository.
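
The check a wallet needs before it can show such a prompt, as an added example that is not MetaMask's code: it recognizes a setApprovalForAll(address,bool) call in raw transaction calldata by its 4-byte selector and separates a grant from a revoke. The operator address and calldata are constructed sample values, and the function names `classifyCalldata` and `warningFor` are hypothetical.

```javascript
// Added example, not MetaMask code. Selector = first 4 bytes of
// keccak256("setApprovalForAll(address,bool)"), used by ERC-721 and ERC-1155.
const SET_APPROVAL_FOR_ALL = "a22cb465";

// Constructed sample data: a made-up operator address and two requests.
const OPERATOR = "1111111111111111111111111111111111111111";
const GRANT = "0xa22cb465" + "0".repeat(24) + OPERATOR + "0".repeat(63) + "1";
const REVOKE = "0xa22cb465" + "0".repeat(24) + OPERATOR + "0".repeat(64);

function classifyCalldata(data) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  if (!/^([0-9a-f]{2})*$/.test(hex)) return { kind: "invalid" };
  if (hex.slice(0, 8) !== SET_APPROVAL_FOR_ALL) return { kind: "other" };
  // Two 32-byte ABI words follow the selector: operator address, approved flag.
  // Extra trailing bytes are tolerated so padding cannot suppress the warning.
  const args = hex.slice(8);
  if (args.length < 128) return { kind: "malformed" };
  const operator = "0x" + args.slice(24, 64); // address is the low 20 bytes
  // Conservative: any non-zero flag word is treated as a grant.
  const approved = /[1-9a-f]/.test(args.slice(64, 128));
  return { kind: approved ? "grant-all" : "revoke-all", operator };
}

// Returns the prominent prompt data for a grant, or null when none is needed.
function warningFor(collection, data) {
  const result = classifyCalldata(data);
  if (result.kind !== "grant-all") return null;
  return {
    title: `Allow access to all your ${collection}?`,
    operator: result.operator,
  };
}

console.log(warningFor("BAYC", GRANT));
console.log(warningFor("BAYC", REVOKE));
```

A revoke (flag set to false) produces no warning, since it removes the operator's access rather than granting it.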

Action required

The example using Yuga Labs’ BAYC, or Bored Ape Yacht Club, is somewhat relevant since the popular collection lost 200 ETH worth of NFTs to this type of attack earlier this summer. The attack happened on Discord, where an almost identical attack struck Yuga Labs in April of this year.

In early July, NFT drop platform Premint was hacked using the setApprovalForAll function. The hack stole valuable NFTs and tokens from users. Premint returned $500,000 worth of ETH to victims. It also bought back and returned two expensive NFT collectibles.

The hack and loss of valuable assets prompted Premint founder Brendan Mulligan to issue a call for action. “The user interface of the most popular wallets needs to be drastically improved to make it impossible for anyone to connect to the wallet drainer,” he said. “It’s a solvable problem, but it’s crazy that it’s so easy to drain a wallet and there aren’t more precautions to protect people.”

According to security firm Wallet Guard, MetaMask’s update makes it clear that a smart contract is requesting broad, far-reaching permissions, including access to the wallet’s assets. “This update includes a much-needed emphasis on ‘set authorization for all’ for a transaction,” Wallet Guard said in a Twitter post. “Thanks to the team for fixing this so quickly,” the post added.

Although the update is an improvement, it remains unclear to users whether the contract they are trying to connect to is a scam. There are also valid uses for the setApprovalForAll function, such as for specific dApps, which further complicates the issue.
