Critical Security Flaws in MetaMask: My $500 USDC Was Stolen

My Review of MetaMask Support: Negligence and Shifting Responsibility

I want to express my extreme disappointment with MetaMask’s support team. My 500 USDC was stolen due to a vulnerability in your system—a token approval I signed 40 days ago. Yet:

  1. I never authorized this specific transfer.
  2. The transaction didn’t even appear in my history (which is odd for a “transparent” blockchain).
  3. Support refused to acknowledge the issue, simply stating, “This isn’t a bank” and “It’s all on you.”

Where MetaMask Is at Fault

  1. Unclear Approvals Without Warnings
  • Why was a single approval from 40 days ago enough for a scammer to steal my USDC at any time?
  • On exchanges (like Binance), every withdrawal requires two-factor authentication. Why don’t you have even basic security measures?
  2. Support’s Inaction
  • Instead of helping, they repeated 10 times that “transactions are irreversible.”
  • No one said: “Yes, this is a problem, and we’re working on a fix.” Instead, it was just: “It’s your fault for trusting scammers.”
  3. Profiting from Fees While Ignoring Security
  • MetaMask earns fees from transactions but doesn’t invest in user protection.
  • Why is there no automatic screening for suspicious approvals? Why can’t you add per-transaction confirmations?

What MetaMask Needs to Do

  1. Fix the Approval System
  • Make approvals time-limited (e.g., valid for only 24 hours).
  • Require confirmation for every transfer, even if an approval exists.
  2. Improve Customer Support
  • Don’t just say “Report it to the police”; actually help track scammers.
  • Create a compensation fund for hack victims (if you take fees, you should take responsibility for risks).
  3. Be Honest with Users
  • If MetaMask doesn’t guarantee security, this should be stated in bold letters during setup.

Final Thoughts

I lost $500 because of a flaw in MetaMask’s security, and support just shrugged and told me to “be more careful.” If you don’t want to be the next victim, think twice before storing money here.

MetaMask, it’s time to take responsibility for your platform.

Hi @dleonk and first of all sorry to hear about the unfortunate situation.
MetaMask being a self-custodial wallet implies that you are in full custody of the wallet, so keeping evidence of what token approvals you sign, revoking them, and being careful about what you sign and don’t sign is something that you need to do. We have the knowledge base
(Protect yourself | MetaMask Help Center) and the learn platform (https://learn.metamask.io/). I’d recommend going over these when you have some time, as they go deeper into what MetaMask can and can’t do in these situations, as well as explaining the concept of a self-custodial wallet, which again plays into what MetaMask can/can’t do. If you’ve signed the token approval, you don’t need to further authorize a transfer for those specific tokens to be taken, as that’s how token approvals work. (Good practice is to revoke them after some time / after interacting with something.) If you signed a token approval for unlimited USDC, that’s enough for them to take your entire USDC.
Regarding the two-factor authenticator, that feature wouldn’t really work with MetaMask’s self-custodial model; this article explains it very well: When two-factor authentication? | MetaMask Help Center. On the topic of token approvals, this article explains it in detail: What is a token approval? | MetaMask Help Center. MetaMask being a self-custodial wallet and you being in full custody of it implies that you need to do your own research as well to make sure you’re doing everything correctly. Always be careful who and what you interact with online, and always do your own research before doing anything.
I feel compassion for your unfortunate situation.

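The mechanics the reply describes (one signed approve() is enough for the spender to call transferFrom() later, an unlimited approval covers the whole balance, and revoking means approving 0) can be seen in a small model. The block below is an added example, not MetaMask’s code nor anything posted by the thread participants. It implements the ERC-20 allowance rules in memory, and it encodes/decodes approve(address,uint256) calldata using the standard selector 0x095ea7b3, which is the kind of pre-signing check a wallet or a user could run to spot an unlimited approval. Assumptions: the addresses and the 500 USDC balance (6 decimals, so 500_000_000 base units) are constructed for the demo, the Erc20 class is a hypothetical stand-in for a real token contract, and it follows the common implementation convention that an allowance of 2^256-1 is not decremented on transferFrom().

```javascript
// Added example (not MetaMask's or the poster's code): ERC-20 allowance
// semantics plus an approve() calldata decoder that flags unlimited approvals.

const MAX_UINT256 = (1n << 256n) - 1n;
const SEL_APPROVE = "095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")

const pad32 = (hex) => hex.padStart(64, "0");

// Encode approve(spender, amount) calldata the way a dapp hands it to the wallet.
function encodeApprove(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, "");
  if (addr.length !== 40) throw new Error("bad address");
  return "0x" + SEL_APPROVE + pad32(addr) + pad32(amount.toString(16));
}

// Decode approve() calldata before signing; returns null if it is not an approve().
function decodeApprove(calldata) {
  const data = calldata.toLowerCase().replace(/^0x/, "");
  if (data.length !== 8 + 64 + 64 || data.slice(0, 8) !== SEL_APPROVE) return null;
  const spender = "0x" + data.slice(8 + 24, 8 + 64); // address is right-aligned in word 1
  const amount = BigInt("0x" + data.slice(72, 136)); // word 2
  return { spender, amount, unlimited: amount === MAX_UINT256 };
}

// Hypothetical in-memory token with the standard ERC-20 allowance rules.
class Erc20 {
  constructor() { this.balances = new Map(); this.allowances = new Map(); }
  balanceOf(a) { return this.balances.get(a) ?? 0n; }
  allowance(owner, spender) { return this.allowances.get(owner + ":" + spender) ?? 0n; }
  mint(to, amount) { this.balances.set(to, this.balanceOf(to) + amount); }
  // approve() simply overwrites the allowance; there is no expiry.
  approve(owner, spender, amount) { this.allowances.set(owner + ":" + spender, amount); }
  // transferFrom() is submitted by the spender; the owner signs nothing here.
  transferFrom(spender, from, to, amount) {
    const allowed = this.allowance(from, spender);
    if (allowed < amount) throw new Error("insufficient allowance");
    if (this.balanceOf(from) < amount) throw new Error("insufficient balance");
    // Common convention (e.g. OpenZeppelin): an infinite allowance is not decremented.
    if (allowed !== MAX_UINT256) this.approve(from, spender, allowed - amount);
    this.balances.set(from, this.balanceOf(from) - amount);
    this.balances.set(to, this.balanceOf(to) + amount);
  }
}

// Constructed scenario: one unlimited approval, drained later, then revoked.
function scenario() {
  const usdc = new Erc20(); // USDC has 6 decimals: 500 USDC = 500_000_000 units
  const victim = "0x1111111111111111111111111111111111111111";
  const scammer = "0x2222222222222222222222222222222222222222";
  usdc.mint(victim, 500_000_000n);

  // Day 0: the victim signs a single approve() for an unlimited amount.
  const approval = decodeApprove(encodeApprove(scammer, MAX_UINT256));
  usdc.approve(victim, approval.spender, approval.amount);

  // Day 40: the spender calls transferFrom() itself; no new signature is needed.
  usdc.transferFrom(scammer, victim, scammer, usdc.balanceOf(victim));
  const stolen = usdc.balanceOf(scammer);

  // Revocation is approve(spender, 0); afterwards transferFrom() fails.
  usdc.mint(victim, 100_000_000n);
  const revoke = decodeApprove(encodeApprove(scammer, 0n));
  usdc.approve(victim, revoke.spender, revoke.amount);
  let revokeBlocked = false;
  try { usdc.transferFrom(scammer, victim, scammer, 100_000_000n); } catch (e) { revokeBlocked = true; }

  return { unlimited: approval.unlimited, stolen, revokeBlocked };
}

if (typeof require !== "undefined" && require.main === module) console.log(scenario());
```

The check a practitioner actually wants is decodeApprove(): if `unlimited` is true (or `amount` is far above what the dapp needs), sign a bounded amount instead, and revoke by sending approve(spender, 0) once the interaction is over.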