NFT Community Loses $400K USD In Premint Compromise
Included in the 300 plus stolen NFTs were assets from BAYC, Moonbirds, and more.
Late Saturday, July 16, the NFT access-list platform Premint was hacked. The scam consisted of a false raffle that prompted users to sign a MetaMask transaction granting the attackers permission to move every NFT in the signer's wallet. As a result, nearly $400k USD in digital assets were stolen.
Last night, a file was manipulated on PREMINT by an unknown third party that led to users being presented with a wallet connection that was malicious.
— PREMINT | NFT Access List Tool (@PREMINT_NFT) July 17, 2022
Among the assets were NFTs from popular projects like the Bored Ape Yacht Club, Moonbirds, Doodles, VeeFriends, and more. The raffle page itself looked like any other on Premint; the malicious part was the transaction users were asked to sign.
Twitter communities acted as quickly as they could the night of the hack to warn their users, advising anyone who might have signed the transaction to use revoke.cash, a site that lets a wallet owner revoke token approvals previously granted to potentially malicious contracts.
The compromise sparked discussions about user experience (UX) and user interfaces (UI). As of now, the steps to sign a MetaMask transaction that gives the requester permission to access all digital assets in a user's wallet look the same as for any other transaction.
In a tweet regarding this issue, Premint’s CEO Brenden Mulligan called out the UI issue and later said he would be willing to work with MetaMask to develop a better experience.
Isn’t it kind of crazy that Metamask doesn’t display a giant red warning when a contract is requesting “Set Approval for All”? (used by wallet drainers)
It should be nearly impossible to accept that request. Instead, it looks identical to a normal request.
5 minute mock: pic.twitter.com/kHDm5XHX0t
— BrendΞn Mulligan | PREMINT (@mulligan) July 16, 2022
With no built-in warning system on dapps like MetaMask and UniSwap, a few independent coders in the Web3 community have taken it upon themselves to build an extension that does exactly that. Web3 engineers Nish and Justin Phu have built what they're calling PocketUniverse, an extension that gives retail users clear warnings of scams and potentially malicious transactions.
@Uniswap LP phishing scam – $4.7m stolen on the first day.
We show you that they’re trying to steal your LP NFTs pic.twitter.com/W6gjkPzvIy
— nish (@nishthenomad) July 17, 2022
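The "Set Approval for All" request Mulligan describes, and the kind of pre-signing check an extension such as PocketUniverse performs, can be seen in a few dozen lines of calldata inspection. The code below is an added example and is not code from Premint, MetaMask, PocketUniverse or revoke.cash. It decodes the `data` field of a pending transaction, flags an ERC-721/ERC-1155 `setApprovalForAll(operator, true)` grant (and, going slightly beyond the article, an unlimited ERC-20 `approve`), and builds the `setApprovalForAll(operator, false)` call that a revocation tool would send to undo the grant. The drainer and collection addresses are constructed placeholders; the function selectors are the standard four-byte ABI selectors.

```javascript
// Added example: inspect a transaction request before it is signed and warn on
// blanket token approvals. Not code from any project named in the article.

const SELECTORS = {
  setApprovalForAll: "a22cb465", // keccak256("setApprovalForAll(address,bool)")[0:4]
  approve: "095ea7b3",           // keccak256("approve(address,uint256)")[0:4]
};
const UINT256_MAX = (1n << 256n) - 1n;

function stripHex(data) {
  return (data || "").toLowerCase().replace(/^0x/, "");
}

// Return the i-th 32-byte ABI word (64 hex chars) following the 4-byte selector.
function word(hex, i) {
  return hex.slice(8 + 64 * i, 8 + 64 * (i + 1));
}

// Decode the two calls wallet drainers lean on; anything else is reported as unknown.
function decodeCalldata(data) {
  const hex = stripHex(data);
  const selector = hex.slice(0, 8);
  if (selector === SELECTORS.setApprovalForAll && hex.length === 8 + 128) {
    return {
      method: "setApprovalForAll",
      operator: "0x" + word(hex, 0).slice(24), // address is right-aligned in the word
      approved: BigInt("0x" + word(hex, 1)) === 1n,
    };
  }
  if (selector === SELECTORS.approve && hex.length === 8 + 128) {
    return {
      method: "approve",
      spender: "0x" + word(hex, 0).slice(24),
      amount: BigInt("0x" + word(hex, 1)),
    };
  }
  return { method: "unknown", selector };
}

// Verdict a wallet or extension could surface before the user clicks "Sign".
function assessTransaction(tx) {
  const call = decodeCalldata(tx.data);
  if (call.method === "setApprovalForAll" && call.approved) {
    return {
      risk: "critical",
      reason: `grants ${call.operator} control of every token you hold in ${tx.to}`,
      call,
    };
  }
  if (call.method === "approve" && call.amount === UINT256_MAX) {
    return { risk: "high", reason: `unlimited allowance for ${call.spender} on ${tx.to}`, call };
  }
  return { risk: "normal", reason: "no blanket approval requested", call };
}

// Build setApprovalForAll(operator, false): the revocation sent to the NFT contract.
function buildRevokeCalldata(operator) {
  const addrWord = stripHex(operator).padStart(64, "0");
  const falseWord = "0".repeat(64);
  return "0x" + SELECTORS.setApprovalForAll + addrWord + falseWord;
}

// Constructed sample: a made-up drainer address being granted approval on a
// made-up NFT collection, exactly the shape of request the article describes.
const DRAINER = "0x1111111111111111111111111111111111111111";
const COLLECTION = "0x2222222222222222222222222222222222222222";
const SAMPLE_TX = {
  to: COLLECTION,
  data: "0x" + SELECTORS.setApprovalForAll +
        stripHex(DRAINER).padStart(64, "0") +
        "1".padStart(64, "0"),
};

const verdict = assessTransaction(SAMPLE_TX);
console.log(verdict.risk.toUpperCase() + ": " + verdict.reason);
console.log("revoke with calldata:", buildRevokeCalldata(DRAINER));
```

The check keys on the function selector and the decoded `approved` flag rather than on the requesting site, so it fires regardless of how legitimate the page looks; the page in this incident was the real Premint domain. A transfer of a single token, by contrast, is reported as normal, which is the distinction the current MetaMask prompt does not make visible.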
The question from the broader community is not whether better UI is needed, but when it will be provided. It is becoming increasingly clear that for Web3 adoption to expand, less technical UX and UI will be required.
At the time of writing, Premint said it is investigating the situation further but has not provided any updates beyond that. To put consumer worries to rest, the platform has implemented a sign-in function that does not require the linking of any wallet.
In other news, RTFKT x Nike’s AR hoodie is set to launch this week.