MetaMask released a new 10.18.0 update to the wallet this week, which includes a change to the way that the software presents a requested setApprovalForAll permission. Granting that permission allows the smart contract—the code that powers NFTs and decentralized apps—the ability to access and transfer out all NFTs and tokens in a wallet.
Following the update, as security firm Wallet Guard noted on Twitter, MetaMask now makes it clearer that a smart contract is requesting broad permissions, including access to any funds held within the wallet—a function that can be used for so-called “wallet drainer” exploits.
Screenshots posted to MetaMask’s GitHub software development repository show a new prompt that uses a larger font than the rest of the interface. The example text reads, “Give permission to access all of your BAYC?”, with an additional warning reading, “By granting permission, you are allowing the following account to access your funds.”
MetaMask Software Engineer Alex Donesky wrote on GitHub on June 22 that “there is some urgency to get something out there since this method is so commonly used.” He also added that the “timeline is compressed,” and admitted that it wasn’t how he would approach the change if there was more time to develop it.
Indeed, the update comes following a rash of scams that are primarily spread via hacked social media accounts. In the spring, verified accounts of numerous Twitter users were hijacked and used to share scam links inspired by prominent NFT projects like Azuki and Otherside, and steal the NFTs and tokens of users who unwittingly connected their wallets to the smart contracts.
More recently, the Twitter accounts of various NFT projects and notable collectors were hacked to share similar types of links, billing them as a free NFT or token drop. Such scams have taken place via hacked Discord and Instagram accounts as well. It has led to a debate over whether creators and projects should compensate users who lose assets via such scams.
To be clear, MetaMask’s update does not make any judgment call about the contract that users are attempting to connect to, and does not specifically call out identified scams. Furthermore, there are potentially legitimate uses for the setApprovalForAll function for certain dapps, such as on NFT marketplaces, which only further muddles the user decision.
We’ll see whether MetaMask takes this new feature further in future updates, as well as whether competing wallets will adopt similar techniques.
DISCLAIMER: The Information on this website is provided as general market commentary and does not constitute investment advice. We encourage you to do your own research before investing.
Join CoinCu Telegram to keep track of news: https://t.me/coincunews
Follow CoinCu Youtube Channel | Follow CoinCu Facebook page
Hazel
CoinCu News
Discover why Qubetics, Polkadot, and Cosmos are the best cryptos with 1000X potential, offering innovation,…
Explore the best coins to buy in December 2024—Qubetics with its thrilling presale, Polkadot’s interoperability,…
The Crypto Market Outlook 2025 highlights key areas: stablecoin growth, tokenization, crypto ETFs, DeFi innovation,…
The Bitcoin quantum computing threat is years away, but reserves already support post-quantum signatures via…
Don't miss BTFD Coin's Stage-7 presale dip! Find out why it's leading the pack of…
A WSJ survey reveals crypto hedge funds banking issues over three years, with 120 out…
This website uses cookies.