Don't keep connected your wallet to a Dapps for a long time.

[The Cryptovator]

Often we need to connect wallet third-party sites for various reasons. We should always ignore connecting our wallet to an unknown and unsafe site. That's how your wallet would be drained. One of my known person's wallets has been hacked a few days back. Then he contacts Metamask about how it has happened. They said the metamask was connected to a couple of sites for a long time and users didn't disconnect wallets. Hackers took this advantage and take control of full wallets. So funds have been drained from all the addresses. Metamask doesn't disclose which Dapps and how happened.

I learned from him that we shouldn't keep connected any Dapps for a long time. It would drain wallet funds after a certain period. Always disconnect your wallet even if you connect for any reason. Don't just leave it as it is. Hackers have powerful tools to trace you and drain your wallet. Don't give that chance.

[1714202809]

1714202809

[1714202809]

1714202809

[1714202809]

1714202809

[Upgrade00]

I've recently read news about how third party sites and Dapps pose a security threat to wallet owners.

Ideally we should never give 3rd party platforms access to our financial or personal details (KYC). But if you must, it should be for a short period of time, and only limited to certain platforms.

[jackg]

Just keeping your wallet connected to a dapp/website won't do this, you'd also have to click to sign or authorise a transaction too.

I think this is the bit that could become the more problematic part as it's possible to sign transactions that look weird when doing things like buying an nft (a lot of gaming marketplaces ask you to sign a transaction that confirms spending up to a certain amount rather than an exact amount and I think this is the bit that might be able to catch people out if they're using a scammy platform - especially if it's not broadcast straight away or the smart contract can come with a delay for funds being taken).

[The Cryptovator]

Just keeping your wallet connected to a dapp/website won't do this, you'd also have to click to sign or authorise a transaction too.

I thought the same as you. Also, victims thought the same things. But connect a long time is harmful. According to metamask seed would be compromised this way where you don't need to approve from your wallet. The victim is pretty sure the device hasn't been hacked. If a transaction happens from the device then there should be a history on the wallet. But nothing, only history funds on the chain.

[vv181]

There is a distinction between disconnecting a wallet and removing the token approval. Disconnecting it from some platform hardly does thing for security, but the latter is suggested. The essence is connecting the wallet into a platform won't make it viable to hack, but if you were interacting with a shady/unknown smart contract, it likely increases the risk, even if the issue didn't raise in the meantime.

Metamask blog covers those things nicely: Disconnect wallet from a dapp and What is a token approval?

[coupable]

When we leave our hot wallets constantly connected to apps, it poses a greater risk than keeping our savings on centralized platforms. Unfortunately, beginners do not realize how much risk they are taking just because they have not been exposed to any accident. Most of them do not follow the news of the cases of sepsis that occur almost daily.
The most that I can recommend is to keep your money in a cold wallet and use the hot wallet to perform short operations only and then transfer it back to your cold wallet if you do not want to disconnect the wallet from the applications you use .

[khaled0111]

I agree with jackg. Connecting metamask to a dApp shouldn't pose any risk. Metamask isn't supposed to share your wallet seed or private keys with the website it's connected to and you need to manually sign the transaction by clicking the sign button so it gets broadcast.

If the dApp can access your seed (although I doubt it) then this is a critical vulnerability and metamask team should've patched it since they are aware of its existence!

[jackg]

I thought the same as you. Also, victims thought the same things. But connect a long time is harmful. According to metamask seed would be compromised this way where you don't need to approve from your wallet. The victim is pretty sure the device hasn't been hacked. If a transaction happens from the device then there should be a history on the wallet. But nothing, only history funds on the chain.

If this was the case there'd be more scams of this nature. I now think the person has put their seed in on a different website or installed a fake version of metamask - this shouldn't happen without them signing a transaction. It's possible malicious code was put in by the website and signed by the user without them knowing too but I doubt metamask gives away the seed as that'd have been discovered a long time ago.

Also a transaction history not being available on metamask but on the blockchain is more evidence that the wallet is malware because what reason would metamask have to not show you that transaction?

[OcTradism]

Disconnect to dApp when you done your work and revoke smart contract access when you finish a transaction you want.

I use this site when I need to revoke Smart contract allowance https://app.unrekt.net/

Sometimes, hackers also change filters in your email and you will not aware notification emails about suspicious activities with your email and related accounts.

[cryptoaddictchie]

Just keeping your wallet connected to a dapp/website won't do this, you'd also have to click to sign or authorise a transaction too.

I also believed on this. Unless the dapp have a trick front end statement "connect your wallet to our app" ( but actually that transaction is accepting the transaction confirmation already. Well the users must have gone two to three connection to the dapp without him noticed and thats the reason maybe of the hacked.

The victim is pretty sure the device hasn't been hacked. If a transaction happens from the device then there should be a history on the wallet. But nothing, only history funds on the chain.

Probably a highly tricked system. Some tech have capacity to hide some meta transaction data, in a transaction. So highly possible that the hacker is an expert and must have done a thorough process in order to execute the crime.

[libert19]

Afaik, connecting wallet doesn't give anyone access to your wallet, any transaction would have to go through you only, unless dapp was given 'approve all' permission.

[The Cryptovator]

Afaik, connecting wallet doesn't give anyone access to your wallet, any transaction would have to go through you only, unless dapp was given 'approve all' permission.

Often we don't read what is the permission actually and we approved it. Keep in mind hackers are too advanced than us and know all the loopholes. So there must something that they can reveal your seed and how they move funds from all the addresses. The most likely seed would be compromised after a certain period when wallet keeps connect for a long time.

[348Judah]

Afaik, connecting wallet doesn't give anyone access to your wallet, any transaction would have to go through you only, unless dapp was given 'approve all' permission.

I think once it comes to matters related to hacking then we can't predict the extent to which these people canngo just to succeed in their attempts, remember one has to make some downloads and there's jo guarantee that through that they can't infiltrate into ones system, just by ordinary click on a picture can mean alot in giving an access unknowingly to a malicious Attack, some messages can pop up on dapp and any click on such can mean aloy as well, hackers can't be predicted

[libert19]

Afaik, connecting wallet doesn't give anyone access to your wallet, any transaction would have to go through you only, unless dapp was given 'approve all' permission.

...The most likely seed would be compromised after a certain period when wallet keeps connect for a long time...

That seems unlikely just because you connected wallet. Will change my opinion whenever a drain occurs just because of it.

[cheezcarls]

Often we need to connect wallet third-party sites for various reasons. We should always ignore connecting our wallet to an unknown and unsafe site. That's how your wallet would be drained. One of my known person's wallets has been hacked a few days back. Then he contacts Metamask about how it has happened. They said the metamask was connected to a couple of sites for a long time and users didn't disconnect wallets. Hackers took this advantage and take control of full wallets. So funds have been drained from all the addresses. Metamask doesn't disclose which Dapps and how happened.

I learned from him that we shouldn't keep connected any Dapps for a long time. It would drain wallet funds after a certain period. Always disconnect your wallet even if you connect for any reason. Don't just leave it as it is. Hackers have powerful tools to trace you and drain your wallet. Don't give that chance.

Not just that I disconnect my wallets after connecting to Dapps, but I also revoking permissions as well. This would ensure everything that my wallet is safe. No matter if I am using desktop or mobile, it is important in doing these steps so that my wallet will not be compromised.

But still, it will remain vulnerable once we don’t have any antivirus installed in our respective devices once we are not careful in clicking or downloading anything like what happened to me months ago about getting my wallets drained worth $12k+ in total.

[Hyphen(-)]

I learned from him that we shouldn't keep connected any Dapps for a long time. It would drain wallet funds after a certain period. Always disconnect your wallet even if you connect for any reason. Don't just leave it as it is. Hackers have powerful tools to trace you and drain your wallet. Don't give that chance.

Thank you for providing this information. OP, I have a wallet that has been connected to my trust wallet Dapp for more than five months now, and I never considered disconnecting the wallet, but after reading this post, I will do so immediately, and I will reconnect the wallet whenever I need it.
What about the wallet created on Metamask, which is directly linked to their Dapps?
Is there a need for disconnect as well?

[Crypt0Gore]

I learned from him that we shouldn't keep connected any Dapps for a long time. It would drain wallet funds after a certain period. Always disconnect your wallet even if you connect for any reason. Don't just leave it as it is. Hackers have powerful tools to trace you and drain your wallet. Don't give that chance.

Thank you for providing this information. OP, I have a wallet that has been connected to my trust wallet Dapp for more than five months now, and I never considered disconnecting the wallet, but after reading this post, I will do so immediately, and I will reconnect the wallet whenever I need it.
What about the wallet created on Metamask, which is directly linked to their Dapps?
Is there a need for disconnect as well?

That's very bad of you, imagine a bad actor been part of the team of that platform you left your account connected to, they would have stole your funds mate, as a trust wallet user always disconnect your wallet after few transactions has been done.

[_BlackStar]

One of my known person's wallets has been hacked a few days back. Then he contacts Metamask about how it has happened. They said the metamask was connected to a couple of sites for a long time and users didn't disconnect wallets.

I'm sorry to hear that, but it really was user error. Your friend may not know how to keep his funds safe or maybe he trusts the platform too much for his funds. We have heard a lot of suggestions that any platform is not a safe place to store funds, connect wallet at one platform without disconnecting after completing trade is a fatal mistake.

I don't blame hackers in this because someone forgot about the responsibility for his funds especially about the security of his funds and wallet. Of course this will be a good lesson not to repeat the same mistakes in the future. But by the way, have you warned him?

I learned from him that we shouldn't keep connected any Dapps for a long time. It would drain wallet funds after a certain period. Always disconnect your wallet even if you connect for any reason. Don't just leave it as it is. Hackers have powerful tools to trace you and drain your wallet. Don't give that chance.

Crime can be committed when the opportunity arises, so we should be responsibility to close all loopholes from scammers.

[kamvreto]

Some of my friends also experienced this kind of thing which would certainly harm them and the tokens in their wallets were drained out. some valuable tokens become the main target.
this happens because of connecting the wallet with lots of Dapps and then leaving it alone. Airdrops also use Dapps and the main suspect who stole my friend's assets was from several airdrops that were followed on condition that they connect with their Dapps and make several claims of aiddrop tokens, it's just a trap so that the wallet is connected and has full access.

To overcome this, it is better to check your wallet with the website https://app.unrekt.net/ ,
and there you will see all the wallet connections that have been made and can revoke.

Support for Network ETH-BSC-AVAX-FTM-MATIC-HECO-CRONOS-MOONBEAM-ASTAR-DOGECHAIN

[Myleschetty]

Just keeping your wallet connected to a dapp/website won't do this, you'd also have to click to sign or authorise a transaction too.

I thought the same as you. Also, victims thought the same things. But connect a long time is harmful. According to metamask seed would be compromised this way where you don't need to approve from your wallet. The victim is pretty sure the device hasn't been hacked. If a transaction happens from the device then there should be a history on the wallet. But nothing, only history funds on the chain.

As pointed out that the dApp or website will need the wallet owner to authorize a transaction before can it be executed? I think people are missing the point here that there's a vulnerability found in some certain old version MetaMask through which they can steal a wallet passphrase and the person that still make use of the Metamask version will believe its because he contacted his wallet to a dApp or website.
 I once created a thread about this but people didn't take it seriously.