MetaMask Update Geared Toward Alerting Users To Avoid Scams

Has the preponderance of recent social media NFT scams got you down? Or, perhaps more accurately, robbed your wallet of hard-earned digital assets? An update to Ethereum’s MetaMask might be the answer to wallet security after a spike in “wallet drainer” activity.

Social media scammers prey upon the heedless who sign away their permission without knowing what they’re permitting access to. Wallet drainer attacks are thriving in the NFT (non-fungible token) space right now, tallying up millions of dollars in lost NFT and token assets. Twitter and Discord are where the bulk of attacks happen. 

MetaMask, the top Ethereum wallet, updated its interface to alert users to these dangers. The update comes in the form of an extra step to make users more aware of what they’re signing before connecting their wallet to a potentially harmful smart contract.

The Fight Back Against Hackers

Released this week as the 10.80.10 update, the change alters the way the software presents a requested setApprovalForAll permission. Once this permission is granted, the smart contract can access and transfer all NFTs and tokens in the wallet. A smart contract is code that drives NFTs and decentralized applications.

MetaMask presented a preview of the update showing a new prompt that uses a larger font than the rest of the interface. This example had text reading, “Give permission to access all of your BAYC?”, with a subsequent warning stating, “By granting permission, you are allowing the following account to access your funds.” MetaMask posted the preview in a series of screenshots to its GitHub software development repository.
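As an added example (not MetaMask's code), this JavaScript sketch shows how a wallet-side check could recognize a setApprovalForAll request in raw transaction data and pull out what such a prompt needs: the collection, the account being approved, and whether access is granted or revoked. The function names, the WARN/INFO/BLOCK prefixes and the sample addresses are assumptions; the selector is the standard one for setApprovalForAll(address,bool).

```javascript
// Added example: decode an ERC-721/ERC-1155 setApprovalForAll(address,bool)
// call so the grant can be shown to the user before signing.
// First 4 bytes of keccak256("setApprovalForAll(address,bool)"):
const SET_APPROVAL_FOR_ALL = "a22cb465";

function decodeSetApprovalForAll(tx) {
  const data = String(tx.data || "").toLowerCase().replace(/^0x/, "");
  if (!data.startsWith(SET_APPROVAL_FOR_ALL)) return null; // some other call
  const args = data.slice(8);
  // Two ABI words of 32 bytes each: operator address, then approved flag.
  if (!/^[0-9a-f]{128}$/.test(args)) {
    return { malformed: true, reason: "expected exactly two 32-byte arguments" };
  }
  const operatorWord = args.slice(0, 64);
  const flagWord = args.slice(64);
  // An address occupies the low 20 bytes; the upper 12 bytes must be zero.
  if (!/^0{24}/.test(operatorWord)) {
    return { malformed: true, reason: "operator word has non-zero padding" };
  }
  // A bool is encoded as a full word holding 0 or 1.
  if (!/^0{63}[01]$/.test(flagWord)) {
    return { malformed: true, reason: "approved flag is not 0 or 1" };
  }
  return {
    malformed: false,
    collection: String(tx.to || "").toLowerCase(), // token contract being called
    operator: "0x" + operatorWord.slice(24),       // account gaining access
    approved: flagWord.endsWith("1"),              // true = grant, false = revoke
  };
}

// Hypothetical prompt builder: fail closed on anything that cannot be decoded.
function promptFor(tx, collectionName) {
  const call = decodeSetApprovalForAll(tx);
  if (call === null) return null;
  if (call.malformed) return `BLOCK: unreadable approval request (${call.reason})`;
  return call.approved
    ? `WARN: give ${call.operator} permission to access all of your ${collectionName}?`
    : `INFO: revoke ${call.operator}'s access to all of your ${collectionName}`;
}

// Constructed sample request; both addresses are placeholders, not real contracts.
const sampleTx = {
  to: "0x1111111111111111111111111111111111111111",
  data: "0xa22cb465" + "0".repeat(24) + "2".repeat(40) + "0".repeat(63) + "1",
};
console.log(promptFor(sampleTx, "BAYC"));
```

Decoding only tells the user what is being requested and for whom; it says nothing about whether the approved account is trustworthy.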

The Need For Action

The example using Yuga Labs’ BAYC, or Bored Ape Yacht Club, is somewhat topical, as the popular collection saw 200 ETH worth of NFTs lost to this type of attack earlier in the summer. The attack occurred on Discord, the place where a near-identical strike happened to Yuga Labs in April of this year.

At the beginning of July, the NFT drop platform Premint was hacked using the setApprovalForAll function. The hack stole a bevy of pricey NFTs and tokens from users. Premint reimbursed $500,000 worth of ETH to those affected. It also bought back and returned two expensive NFT collectibles.

The hack and loss of valuable assets prompted Premint founder Brenden Mulligan to issue a call for something to be done. “The user interface for the most popular wallets needs to be drastically improved to make it near impossible for someone to connect to a wallet drainer,” he said. “This is a solvable problem, but it’s batshit crazy that it’s so easy to drain a wallet and there aren’t more warnings in place to protect people.”   

According to the security firm Wallet Guard, MetaMask’s update makes plain that a smart contract is requesting broad, far-reaching permissions, including access to assets in the wallet. “This update includes the much-needed emphasis for when a transaction is requesting ‘Set Approval For All,’” Wallet Guard said in a Twitter post. “Kudos to the team for addressing this quickly,” the post added.

Although the update is an improvement, it doesn’t determine whether the contract a user is trying to connect to is a scam. There are also legitimate uses for the setApprovalForAll function, such as in certain dapps, which further complicates the issue.


  • Paul Cooper

    Paul Cooper is a writer, thinker, teacher, and father. He lives and works in the United States and loves annoying his daughter.

The information provided on this blog is for informational purposes only and does not constitute financial, legal, or investment advice. The views and opinions expressed in the articles are those of the authors and do not necessarily reflect the official policy or position of NFT News Today.