How Your MetaMask May Be Compromised – Even Without Approving Smart Contracts

Yusoff Kim
August 19, 2022
10 mins read

To improve user experience on Ethereum, the “permit” function was introduced. This allows users to modify allowance without ever submitted a transaction.

However, this may just be a new attack vector for Web3.0 hackers.

More Vulnerabilities?

The cryptocurrencies we hold on Ethereum and many other blockchains are known as “ERC-20” tokens.

These tokens, which include USDC, have many functions, including “transfer” and “transferFrom”

> transfer

When you move USDC (or other ERC20s) between wallets, you use transfer function.

It moves tokens from the caller (the address that calls the function) to other address.

To maliciously use transfer on your behalf, someone would have to get control over your wallet. pic.twitter.com/3Z3pYbBnRq
— korpi (@korpi87) August 19, 2022

However, these can be manipulated by a third party to create an infinite allowance to transfer tokens.

This means a smart contract can essentially drain your wallet of a specific ERC-20 token.

Furthermore, this does not require approval of a smart contract, but simply signing a message – and often consume little to no gas fees. These innocent-looking signatures are also signed when interacting with almost any new platform.

This allows a malicious smart contract to transfer as many tokens from your wallet out, essentially draining your funds.

Avoiding Similar Exploits

While it may not be a great sign for Web3.0 that such simple attacks can siphon huge amounts of funds, it can be avoided relatively easily.

Firstly, use a cold wallet. These come in a variety, such as ledger, trezor, and more, and creates another layer of security for your Metamask accounts.

Secondly, read and understand what you are signing. Whether it be approval for a site to use your funds, access your NFTs or more, double check it before signing.

Concerned about your own approvals?

Until we incorporate token revocation directly in MM🦊, you can see, adjust, and revoke your allowances on…

👍 @RevokeCash’s https://t.co/NqqmBdjekO
👍 @etherscan’s https://t.co/4W3dxZKL63
😍

11/ pic.twitter.com/piOfjdx86B
— MetaMask 🦊💙 (@MetaMask) March 4, 2022

If you are unsure of singatures you have approved in the past, quickly revoke them through Metamask or other third party sites such as revoke.cash.

lastly, use an eye test on the site your are interacting with. Is it a known platform? Do they have previous users and a large following?

If not, it may be good to stay away from interacting with contracts on their site till you can verify their authenticity. One good way to do this is to use sites like scamadvisor to see whether a website is legitimate.

Also Read: How Do Bridges And Networks Get Hacked? Understanding 51% Attacks

[Editor’s Note: This article does not represent financial advice. Please do your own research before investing.]

Featured Image Credit: Forkast