Bitcoin Forum

Often we need to connect wallet third-party sites for various reasons. We should always ignore connecting our wallet to an unknown and unsafe site. That's how your wallet would be drained. One of my known person's wallets has been hacked a few days back. Then he contacts Metamask about how it has happened. They said the metamask was connected to a couple of sites for a long time and users didn't disconnect wallets. Hackers took this advantage and take control of full wallets. So funds have been drained from all the addresses. Metamask doesn't disclose which Dapps and how happened.

I learned from him that we shouldn't keep connected any Dapps for a long time. It would drain wallet funds after a certain period. Always disconnect your wallet even if you connect for any reason. Don't just leave it as it is. Hackers have powerful tools to trace you and drain your wallet. Don't give that chance.

I've recently read news about how third party sites and Dapps pose a security threat to wallet owners.

Ideally we should never give 3rd party platforms access to our financial or personal details (KYC). But if you must, it should be for a short period of time, and only limited to certain platforms.

Just keeping your wallet connected to a dapp/website won't do this, you'd also have to click to sign or authorise a transaction too.

I think this is the bit that could become the more problematic part as it's possible to sign transactions that look weird when doing things like buying an nft (a lot of gaming marketplaces ask you to sign a transaction that confirms spending up to a certain amount rather than an exact amount and I think this is the bit that might be able to catch people out if they're using a scammy platform - especially if it's not broadcast straight away or the smart contract can come with a delay for funds being taken).

I thought the same as you. Also, victims thought the same things. But connect a long time is harmful. According to metamask seed would be compromised this way where you don't need to approve from your wallet. The victim is pretty sure the device hasn't been hacked. If a transaction happens from the device then there should be a history on the wallet. But nothing, only history funds on the chain.

There is a distinction between disconnecting a wallet and removing the token approval. Disconnecting it from some platform hardly does thing for security, but the latter is suggested. The essence is connecting the wallet into a platform won't make it viable to hack, but if you were interacting with a shady/unknown smart contract, it likely increases the risk, even if the issue didn't raise in the meantime.

Metamask blog covers those things nicely: Disconnect wallet from a dapp  (https://metamask.zendesk.com/hc/en-us/articles/360059535551-Disconnect-wallet-from-a-dapp) and What is a token approval? (https://metamask.zendesk.com/hc/en-us/articles/6174898326683)

When we leave our hot wallets constantly connected to apps, it poses a greater risk than keeping our savings on centralized platforms. Unfortunately, beginners do not realize how much risk they are taking just because they have not been exposed to any accident. Most of them do not follow the news of the cases of sepsis that occur almost daily.
The most that I can recommend is to keep your money in a cold wallet and use the hot wallet to perform short operations only and then transfer it back to your cold wallet if you do not want to disconnect the wallet from the applications you use .

I agree with jackg. Connecting metamask to a dApp shouldn't pose any risk. Metamask isn't supposed to share your wallet seed or private keys with the website it's connected to and you need to manually sign the transaction by clicking the sign button so it gets broadcast.

If the dApp can access your seed (although I doubt it) then this is a critical vulnerability and metamask team should've patched it since they are aware of its existence!

If this was the case there'd be more scams of this nature. I now think the person has put their seed in on a different website or installed a fake version of metamask - this shouldn't happen without them signing a transaction. It's possible malicious code was put in by the website and signed by the user without them knowing too but I doubt metamask gives away the seed as that'd have been discovered a long time ago.

Also a transaction history not being available on metamask but on the blockchain is more evidence that the wallet is malware because what reason would metamask have to not show you that transaction?

Disconnect to dApp when you done your work and revoke smart contract access when you finish a transaction you want.

I use this site when I need to revoke Smart contract allowance https://app.unrekt.net/

Sometimes, hackers also change filters in your email and you will not aware notification emails about suspicious activities with your email and related accounts.

I also believed on this. Unless the dapp have a trick front end statement "connect your wallet to our app" ( but actually that transaction is accepting the transaction confirmation already. Well the users must have gone two to three connection to the dapp without him noticed and thats the reason maybe of the hacked.

Probably a highly tricked system. Some tech have capacity to hide some meta transaction data, in a transaction. So highly possible that the hacker is an expert and must have done a thorough process in order to execute the crime.

Afaik, connecting wallet doesn't give anyone access to your wallet, any transaction would have to go through you only, unless dapp was given 'approve all' permission.

Often we don't read what is the permission actually and we approved it. Keep in mind hackers are too advanced than us and know all the loopholes. So there must something that they can reveal your seed and how they move funds from all the addresses. The most likely seed would be compromised after a certain period when wallet keeps connect for a long time.

I think once it comes to matters related to hacking then we can't predict the extent to which these people canngo just to succeed in their attempts, remember one has to make some downloads and there's jo guarantee that through that they can't infiltrate into ones system, just by ordinary click on a picture can mean alot in giving an access unknowingly to a malicious Attack, some messages can pop up on dapp and any click on such can mean aloy as well, hackers can't be predicted

That seems unlikely just because you connected wallet. Will change my opinion whenever a drain occurs just because of it.

Not just that I disconnect my wallets after connecting to Dapps, but I also revoking permissions as well. This would ensure everything that my wallet is safe. No matter if I am using desktop or mobile, it is important in doing these steps so that my wallet will not be compromised.

But still, it will remain vulnerable once we don’t have any antivirus installed in our respective devices once we are not careful in clicking or downloading anything like what happened to me months ago about getting my wallets drained worth $12k+ in total.

Thank you for providing this information. OP, I have a wallet that has been connected to my trust wallet Dapp for more than five months now, and I never considered disconnecting the wallet, but after reading this post, I will do so immediately, and I will reconnect the wallet whenever I need it.
What about the wallet created on Metamask, which is directly linked to their Dapps?
Is there a need for disconnect as well?

That's very bad of you, imagine a bad actor been part of the team of that platform you left your account connected to, they would have stole your funds mate, as a trust wallet user always disconnect your wallet after few transactions has been done.

I'm sorry to hear that, but it really was user error. Your friend may not know how to keep his funds safe or maybe he trusts the platform too much for his funds. We have heard a lot of suggestions that any platform is not a safe place to store funds, connect wallet at one platform without disconnecting after completing trade is a fatal mistake.

I don't blame hackers in this because someone forgot about the responsibility for his funds especially about the security of his funds and wallet. Of course this will be a good lesson not to repeat the same mistakes in the future. But by the way, have you warned him?

Crime can be committed when the opportunity arises, so we should be responsibility to close all loopholes from scammers.

Some of my friends also experienced this kind of thing which would certainly harm them and the tokens in their wallets were drained out. some valuable tokens become the main target.
this happens because of connecting the wallet with lots of Dapps and then leaving it alone. Airdrops also use Dapps and the main suspect who stole my friend's assets was from several airdrops that were followed on condition that they connect with their Dapps and make several claims of aiddrop tokens, it's just a trap so that the wallet is connected and has full access.

To overcome this, it is better to check your wallet with the website https://app.unrekt.net/ ,
and there you will see all the wallet connections that have been made and can revoke.

Support for Network ETH-BSC-AVAX-FTM-MATIC-HECO-CRONOS-MOONBEAM-ASTAR-DOGECHAIN

As pointed out that the dApp or website will need the wallet owner to authorize a transaction before can it be executed? I think people are missing the point here that there's a vulnerability found in some certain old version MetaMask through which they can steal a wallet passphrase and the person that still make use of the Metamask version will believe its because he contacted his wallet to a dApp or website.
 I once created a thread (https://bitcointalk.org/index.php?topic=5402869.msg60376326#msg60376326) about this but people didn't take it seriously.

I'm not confident connecting it for too long and that's why I usually disconnect time after time of using a dapp or any third party website that requires of connecting Metamask.

It's like making me think that I am sometimes paranoid and think of those scams and hacks before but it's better to be safe.

I don't know technically the hackers are doing the drain but yeah, much better to be safe rather than suffer and feel bad once it happened to your wallet.

so your seed will be exposed to the hackers or to the 3rd party app where a victim is connected for a long time. seem a huge vulnerability but not patched. amazing how they can authorize a transaction remotely. i think metamask can disconnect if the wallet is inactive for several hours to make sure of its security.

This is something that a lot of people overlook when starting to accept connections to any Dapps. Once you've given the "approve all" permission, a normal disconnect won't do anything either, those Dapps can still continue to use your wallet as a true owner. There is only one solution in this situation, and that is to revoke all the permissions you previously granted them.
As @OcTradism mentioned above, there is only one way to keep our wallets from being hacked and that is to use a recovery tool: unrekt.

People would just simply ignore or dont mind about it if they do still see their assets are still intact into their wallet which they would really be having that kind of confidence
but on the time that they do get hacked or faced up the same situations then this is where they become serious when it comes to security which they should have at least
done it earlier, which they might able to save up their asses back there.Never ever forget on revoking those permissions that you had allowed it earlier.
When it comes to security then its better to be a bit paranoid when it comes to that.

Yeah, this is possible, maybe the hackers got the session because it hasn't been closed for days. And once they hold of it, then can do whatever they want, like in this case, draining the wallet with all the hard earn money of the victims.

And not just Metamask, everything related to crypto, like exchanges, when you login, you should log out as well because you just don't know, hackers are all over and you might be the next victim.

this is the good thing for some exchanges where you will be automatically logged out if you are inactive for certain period of time, and when you log in, they will always ask for login details and if possible the 2FA. so that's a security check for your account. it goes to show also that even decentralised apps are not free from possible hacking because of other shortcomings. not because of the site but other security aspects.

In my opinion, only connect with Dapps as necessary. Always check site your connect Metamask. Make sure to check first, the site address, and the smart contract token first.

Another way, you can try it by using an empty wallet first. Install MetaMask and create another profile in your current browser of choice.

Don't use if site visited a malicious phishing. To avoid getting hacked, never open or connect your wallet to an unknown site. Always disconnect the wallet once you are connected to any Dapp for a long time.

there is app to revoke connected sites app.unrekt.net

the hacker nowadays is getting smart so we need get to smart too

I don't see the dapps wallet connection as a threat to wallets. I have connected my wallet to dapps wallet on several occasions, and am yet to see or hear such a thing happen. Although sh*t does happen in crypto when we less expect it.
 
In other words, for you to be on the safe side, create a new wallet or use a preferable wallet that doesn't have any funds inside to connect to the dapps wallet.

I am not sure if it's Chrome or Metamask who have the feature of logging it out automatically once the browser is closed or if you are not making any transactions for hours.
Honestly, I was a bit irritated by logging in every time I open my computer but it was a good security measure made by them.
I haven't tried logging in yet with a Dapp.
Was the experience of your friend from a stand-alone application that is being installed on the computer?

The dapps itself is the one being dangerous and not the length of connection because your will be safe even if you connect for a long time if the dapps itself is trusted and doesn’t experience any security breached.

Hacker can only exploit all connected wallet if they have access on the dapps itself which is the same scenario on what happened before on DeFi hacks but in general connecting on trusted dapps will not gonna harm your balance inside your wallet. You are lucky that you didn’t have any experience connecting your wallet on shady website.

I had this trouble before, there was a period where I was too much interested in defi projects and I was part of too many of them, lesson learned of course and I did not after a while but lost a good chunk there.

During that time I was interested in so many of them and connected so many of them (even ones I didn't invested into) that after a while I got a warning that someone tried funny stff with my address, eventually I used unrekt to make sure that I do not have any connection to any defi or actually anything that I wasn't using constantly. After I removed them, the warnings stopped and to be fair I do not have any money left on my metamask neither.

That is so true, most of these dapps will connect our wallet to are not secured enough to protect our wallet, so am in agreement with always disconnect our wallet from any dapp site immediately we are done with transaction.

And also it is important to have separate wallet for airdrop and giveaways because most of them are the reason users get hacked, if anyone must participate in this airdrops, it is better to use a different wallet from amin wallet that don't hold much funds. Better to be safe than be sorry.

It does make sense, allowing these Dapps to access our wallet and enable them to do transfers can possibly be exploited by hackers.  Maybe your friend @OP has his wallet connected to a Dapps that has some nefarious-minded developer or somewhere in between the connections, a hacker gain access through authorizing their connections.

This is a good reminder to us that we shouldn't leave our connection open to any Dapps out there and have the practice of locking the wallet after usage.

This is valuable information for newcomers. Also note that you should never forget to check all the details before authorizing any transaction in your Metamask. Also note that an incoming transaction to your Metamask address does not require any action. After using Metamask, I always disable connected Dapps under "Connected Sites".

in my personal experience in terms of connecting wallets with various sites or Dapps have never experienced any hacking until now. and I have never disconnected from any Dapp I once connected. so in your friend's case I don't think it's because of the wallet's relationship with one of the Dapps but it's purely your friend's fault. because hackers set traps wherever they think they can take someone else's wallet.

There is no technical conclusive proof about the stories, whether it is caused by the user's negligence or simply because of a hack. But wallet condition affects how an attacker could access your funds, in this case, a hack that might be caused by token approval is still possible. As I have said before in this thread, there is a difference about disconnecting the wallet.

In fact, it is the reason why there exists a platform that checks users' smart contract allowances/token approval, it could be used for mitigation or as a self assessment of user risk.

Disconnect only is not enough for your wallet safety because third party platform have been connected in your wallet need to revoke to cut with all connecting before, usually I don't use main wallet connecting with new airdrop project or some spent all my fund to main wallet don't use for connecting with 3rd party platform. Last time I connected with new 3rd party site and have domain xyz seem not trusted, but give worth reward trough old wallet used active on trade several dapp exchange, after claiming reward revoke with this connecting and later disconnect in metamask setting site.

usually before we connect we need to read how the dapps work usually just look at the wallet address and some that I think are safe, maybe if we connect and are asked to enter the private key it may be a different story, it is also impossible for the connected metamask to show the private key because every process connected and transactions require manual signatures so it is very difficult for thieves to see our private keys, make sure we really access the site correctly and when doing a signature need to read what needs to be approved before signing, so if this is the case the thief can see the key Personally, of course, many wallets have lost their coins

Be careful out there with your wallets. I wish i knew this earlier, i left my wallet connected to this fake website and my balance was gone before i knew it. I reached out to their customer support but got no response so i spoke to a tech friend about it, he recommended team of hackers (the vaultech team) who facilitated the recovery of my ETH. Do not click any link sent to you, do not connect your wallet to websites that are not legit. There are too much strategic scams out there. If you have lost your crypto in any way, report your case to  vaultechservices @ protonmail . com for a possible  recovery before its too late.