Understanding Metamask sign messages
Here's a quick guide to the components of a typical sign message. Know what you sign & save yourself from wallet scams!
As NFT traders, you’ve probably signed numerous crypto transactions. But do you remember to look at the sign message before giving away your digital assets?
Recent trends and mint scams have demonstrated that traders must exercise greater caution than ever when dealing with blockchain transactions. It is not enough to employ the finest wallets; you must actively take action to protect your crypto from geeky degen hackers attempting to steal your ETH load.
Reading a sign message is just as crucial as reading an insurance policy before signing it. However, we recognize that it can be a pain to go through pages and pages of official documentation and make sense of the crypto jargon they casually throw at you. So here's a quick overview of the contents of a sign message, and a typical token approval.
Contents of a typical send transaction
We'll use Metamask as our example because it's the most popular choice among NFT traders. However, it can be useful to go through the specifics even if you do not own a Metamask wallet.
You must know that a sign message validates your willingness to link your wallet and/or transmit NFTs (or other cryptocurrencies) to a third party. And any blockchain transaction includes multiple parameters, but sign messages only show the ones that are necessary. Although MetaMask handles the transaction parameters for you, it's a good idea to understand what each parameter does.
Gas Price and Gas limit
If you've dabbled in NFTs and crypto, you're well aware that gas pricing and gas battles may drain your crypto wallet. Although layer 2 networks often have constant gas costs (or no gas price at all), it is essential to ensure that your gas price and limit match what you are willing to pay.
Remember that the gas limit is the maximum price you agree to pay for your transaction and that it can be modified in Metamask's 'advanced gas controls' panel. The edit panel also allows you to alter the ‘max priority fee' that users pay to encourage the validator to prioritize their transactions.
This field typically provides the recipient's hex-encoded Ethereum address. Double-check to make sure it is right. Contract-creation transactions do not have a 'to' address.
This mysterious-looking value makes sure that your transaction is processed only once by the blockchain. The term is ironically derived from the word ‘nonsense’ (forgive the devs, we all go wrong with the naming sometimes).
Transactions are always processed in order for a given account, and application developers usually do not have access to customizing the nonce of transactions. In fact, users can actually customize a nonce value to speed up or cancel transactions.
This field includes the hex-encoded value of the amount you need to transmit (in the currency of the network). On Mainnet, for example, this is ether, which is denominated in wei.
Metamask connects to one network at a time, and the Chain ID displays the users' current selected network. This parameter isn’t important right now, but it will be required if the wallet can connect to multiple networks at once. You will need to then make sure that you are transferring ETH to the right network.
There is an additional ‘data’ field in a send transaction that becomes relevant only if you are involving yourself in contract creation. Make sure you understand all of the fields on the transaction confirmation and DYOR if there are any additional fields you don't understand or messages that don't normally show on such transactions.
Now, let's move on to the other kinds of wallet permissions.
Understanding wallet permissions
Even if you are the finest NFT trader among your peers, you might unknowingly give away access to your tokens in your wallet permissions, which might result in the loss of all your crypto. It's critical to understand wallet permissions when connecting to various web3 apps. We are skipping the talk around public and private keys because you already know better than emailing away your private key to an NFT scammer.
When you connect your wallet to a Dapp (say a new marketplace you are excited about or Etherscan for instance) for the first time, the site usually requests permission to retrieve your wallet address.
To engage with a dApp's smart contract further, you are prompted for token approvals.
Token approvals entail granting the dApp access to your token balance and, in some cases, consenting to authorize the contract to make a transaction on your behalf. Because such rights are typically requested just once, it is vital to examine them thoroughly and not authorize tokens unless you are familiar with their functionality. You can always click on ‘Edit permission’ and limit the amount that can be controlled by the dApp.
You can also check the sites you are connected with from the ‘Connected sites’ dropdown option on the wallet. Etherscan's token approvals checker also lets you revoke token approvals (there are alternatives to Etherscan like Revoke and TAC).
In any event, before providing such permits to projects you are unaware of, you must check your transactions and conduct a thorough investigation. Before authorizing a dApp's smart contract, always investigate its credentials and ensure that it is trustworthy.
Follow us on Twitter for the latest Alpha on new NFT projects.
Join us on Discord to be a part of the RoverX community and BUIDL roverx.io with us!
Check out roverX on Medium or subscribe to us on Mirror.xyz for insights into the world of Ethereum, NFTs, and web3.