I just fell for a scam, which is described here: Signature phishing | MetaMask Help Center 🦊♥️
I want to draw attention to the fact that nobody usually reads docs. I usually do, but then people just forget. So what would be better is to build the docs into the user experience itself, especially in cases like this, where it seems easy to implement better warnings (red triangle, "Sure you want to continue?", "Could be a scam [Link to article]", etc.).
The information from the above-mentioned article should be part of the dialog box that MetaMask presents to the user, à la "Be careful, message signing is not only for logins, but can also initiate unwanted transactions!".
Users are trained by example to treat these signature request popups as legitimate, since on all the legit platforms this is the regular popup just to sign up or log in (without triggering malicious transactions), so it is easily interpreted as "This popup always means just login, no transfer of funds". This trained behaviour is exactly what scammers abuse.
MetaMask in that regard just makes it too easy for scammers to scam, by not presenting strong warnings and information about the consequences (i.e. "triggering unwanted outgoing transactions" and "loss of funds"). I just noticed a few topics about that. I'm not the only one falling for this.
I reported this to a support member named “Shaggy”. He asked me to report my issue to this forum, so here I am.
By the way, Binance has implemented warnings like this and takes an even much stricter approach. In their web3 wallet (not a big fan of their wallet, since it's still custodial), they even block these message signing actions (there might be a whitelist for trusted third parties). I haven't tested it, I just want to add that there are even stronger approaches out there to prevent this type of scam. I thought I was very scam-resistant, but it seems everybody has weaknesses under particular circumstances.
I want to encourage the MetaMask developers to rethink their approach to handling user security in the MetaMask frontend. To me it seems the strategy is "This is a non-custodial wallet, so the user is solely responsible and we don't need to take care." My point is "You are right, but MetaMask makes it too easy for scammers to scam with a frontend design strategy like this." → In the long run this might hurt the user base of MetaMask.
There might also be other parts of the user experience where the UI could warn the user more about consequences. E.g. many other topics talk about backups not containing all the private keys that a user wanted backed up when they used MetaMask's backup functionality.
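To make the distinction the post relies on concrete (a "login" signature versus one that can move funds), here is an added example; it is not code from the original post and not MetaMask's own code. It inspects a provider signature request the way a wallet could before rendering its popup and reports what signing it would authorize. It uses the public request shapes (`personal_sign`, `eth_sign`, `eth_signTypedData_v4`) and public field names from EIP-4361 sign-in messages, EIP-712 typed data, EIP-2612 `Permit`, Permit2 and Seaport; the list of risky `primaryType`s is an illustrative assumption, not a complete one, and the two sample requests are constructed with placeholder addresses.

```javascript
// Added example (not from the original post, not MetaMask code): heuristic
// triage of a wallet signature request. Returns { risk, reasons } where risk is
// "login" (proves address control only), "funds" (signature can be consumed by
// a contract to move tokens) or "unknown" (cannot tell from the payload alone).

const MAX_UINT256 = (1n << 256n) - 1n;
const EFFECTIVELY_UNLIMITED = 1n << 128n; // assumption: anything >= 2^128 is "unlimited"
const ONE_YEAR = 365n * 24n * 3600n;

// EIP-712 primaryTypes whose signatures contracts consume to move tokens.
// Assumption: illustrative list, not exhaustive.
const FUND_MOVING_TYPES = {
  Permit: "ERC-20 permit (EIP-2612): grants `spender` an allowance without a transaction",
  PermitSingle: "Permit2 allowance for one token",
  PermitBatch: "Permit2 allowance for several tokens",
  OrderComponents: "Seaport order: lists or transfers the signer's tokens/NFTs",
};
const SPENDER_FIELDS = ["spender", "operator", "taker"];
const AMOUNT_FIELDS = ["value", "amount"];
const DEADLINE_FIELDS = ["deadline", "expiration", "sigDeadline", "endTime"];

function toBigInt(v) {
  try { return BigInt(v); } catch { return null; }
}

// Depth-first walk over the typed-data `message`, yielding [path, key, value]
// so nested structs (e.g. Permit2 `details`) and arrays are covered too.
function* walk(obj, path = "") {
  if (obj && typeof obj === "object") {
    for (const [k, v] of Object.entries(obj)) {
      const p = path ? `${path}.${k}` : k;
      yield [p, k, v];
      yield* walk(v, p);
    }
  }
}

function classifySignatureRequest(req, nowSec = Math.floor(Date.now() / 1000)) {
  const reasons = [];
  const { method, params } = req;

  if (method === "eth_sign") {
    reasons.push("eth_sign signs an arbitrary 32-byte hash, which can be a transaction hash");
    return { risk: "funds", reasons };
  }

  if (method === "personal_sign") {
    const text = String(params.message);
    // EIP-4361 (Sign-In with Ethereum) messages are plain text with this phrase.
    if (/wants you to sign in with your Ethereum account/i.test(text)) {
      reasons.push("EIP-4361 sign-in message: proves control of the address, moves nothing by itself");
      return { risk: "login", reasons };
    }
    if (/^0x[0-9a-f]{64}$/i.test(text)) {
      reasons.push("message is a bare 32-byte hex value: its meaning cannot be read from the popup");
      return { risk: "unknown", reasons };
    }
    reasons.push("free-text message: read it in full before signing");
    return { risk: "unknown", reasons };
  }

  if (method === "eth_signTypedData_v4") {
    const typed = typeof params.data === "string" ? JSON.parse(params.data) : params.data;
    const { primaryType, message, domain } = typed;
    let spender = null;
    if (primaryType in FUND_MOVING_TYPES) {
      reasons.push(`primaryType ${primaryType}: ${FUND_MOVING_TYPES[primaryType]}`);
    }
    for (const [path, key, value] of walk(message)) {
      if (SPENDER_FIELDS.includes(key) && typeof value === "string") {
        spender = value;
        reasons.push(`${path} = ${value} receives the authorization`);
      }
      const n = toBigInt(value);
      if (n === null) continue;
      if (AMOUNT_FIELDS.includes(key) && n >= EFFECTIVELY_UNLIMITED) {
        reasons.push(`${path} is effectively unlimited`);
      }
      if (DEADLINE_FIELDS.includes(key) && n > BigInt(nowSec) + ONE_YEAR) {
        reasons.push(`${path} expires more than a year from now`);
      }
    }
    const risk = primaryType in FUND_MOVING_TYPES || spender !== null ? "funds" : "unknown";
    reasons.push(`verifying contract: ${domain?.verifyingContract ?? "(none)"} (${domain?.name ?? "unnamed"})`);
    return { risk, reasons };
  }

  return { risk: "unknown", reasons: [`unrecognized method ${method}`] };
}

// Constructed sample requests with placeholder addresses (not real traffic).
const LOGIN_REQUEST = {
  method: "personal_sign",
  params: { message: "example.com wants you to sign in with your Ethereum account:\n" +
    "0x1111111111111111111111111111111111111111\n\nURI: https://example.com\nVersion: 1\n" +
    "Chain ID: 1\nNonce: 8f3a2b\nIssued At: 2024-01-01T00:00:00Z" },
};
const PERMIT_REQUEST = {
  method: "eth_signTypedData_v4",
  params: { data: {
    domain: { name: "ExampleToken", version: "1", chainId: 1,
      verifyingContract: "0x2222222222222222222222222222222222222222" },
    primaryType: "Permit",
    types: { Permit: [{ name: "owner", type: "address" }, { name: "spender", type: "address" },
      { name: "value", type: "uint256" }, { name: "nonce", type: "uint256" }, { name: "deadline", type: "uint256" }] },
    message: { owner: "0x1111111111111111111111111111111111111111",
      spender: "0x3333333333333333333333333333333333333333",
      value: MAX_UINT256.toString(), nonce: 0, deadline: "99999999999" },
  } },
};

for (const req of [LOGIN_REQUEST, PERMIT_REQUEST]) {
  const r = classifySignatureRequest(req, 1700000000);
  console.log(`${req.method}: ${r.risk}\n  ${r.reasons.join("\n  ")}`);
}
```

Both requests produce the same kind of popup in a wallet today; the heuristic shows that the second one hands an unlimited, practically never-expiring ERC-20 allowance to a third address, which is exactly the consequence the post asks the dialog to spell out.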