Background
Scammers are targeting multiple SignTypedData_v4 signatures to trick users into signing away their assets. We should aim for a broad solution that could help us raise users' awareness of that in any signature.
Proposal
Right now when displaying addresses in SignTypedData_v4, we check if it's an asset in one of the token lists to display the token icon and name if it is. Whenever we identify a token that is present in one of those lists, we should also add a friction modal to the user (like we did for eth_sign and setApprovalForAll) to warn them that they might be mistakenly signing away those assets and asking them to double-check the content of the message to check if it's their right intention.
Screenshot
References
Relevant thread
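One way the proposed check could work, as an added example that is not part of the original issue and not MetaMask's code: walk the typed-data payload by its declared EIP-712 types and flag every `address` field that matches a token-list entry. The names `findListedTokens`, `needsFrictionModal` and `TOKEN_LIST`, the token list contents and the sample payload are all hypothetical or constructed.

```javascript
// Constructed token list keyed by lowercase address (placeholder, not a real token).
const TOKEN_LIST = new Map([['0x' + 'a1'.repeat(20), { symbol: 'TKNA' }]]);

// Walk a value by its declared EIP-712 type and collect every `address` field found
// in the token list. Handles nested structs and arrays (`Item[]`, `Item[2]`).
function findListedTokens(typedData, tokenList = TOKEN_LIST) {
  const { types = {}, primaryType, domain, message } = typedData;
  const hits = [];
  const visit = (type, value, path) => {
    if (value === null || value === undefined) return;
    const arr = /^(.+)\[\d*\]$/.exec(type);
    if (arr) {
      if (Array.isArray(value)) value.forEach((v, i) => visit(arr[1], v, `${path}[${i}]`));
      return;
    }
    if (type === 'address') {
      // Token lists mix checksummed and lowercase addresses, so compare lowercase.
      const token = typeof value === 'string' ? tokenList.get(value.toLowerCase()) : undefined;
      if (token) hits.push({ path, address: value, symbol: token.symbol });
      return;
    }
    // Struct types are listed in `types`; anything else is an atomic type.
    for (const { name, type: t } of types[type] || []) visit(t, value[name], `${path}.${name}`);
  };
  // The domain is walked too: verifyingContract can itself be a listed token.
  visit('EIP712Domain', domain, 'EIP712Domain');
  visit(primaryType, message, primaryType);
  return hits;
}

// Hypothetical gate for the friction modal: any listed token anywhere in the payload.
const needsFrictionModal = (typedData, tokenList) => findListedTokens(typedData, tokenList).length > 0;

// Constructed sample payload: an order whose first item references the listed token.
const SAMPLE = {
  types: {
    EIP712Domain: [{ name: 'name', type: 'string' }, { name: 'verifyingContract', type: 'address' }],
    Order: [{ name: 'maker', type: 'address' }, { name: 'items', type: 'Item[]' }],
    Item: [{ name: 'token', type: 'address' }, { name: 'amount', type: 'uint256' }],
  },
  primaryType: 'Order',
  domain: { name: 'Example', verifyingContract: '0x' + '22'.repeat(20) },
  message: {
    maker: '0x' + '33'.repeat(20),
    items: [{ token: '0x' + 'A1'.repeat(20), amount: '1' }, { token: '0x' + '44'.repeat(20), amount: '2' }],
  },
};
```

The returned `path` values let the modal point at the exact field that matched, rather than only warning in general terms.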