MetaMask Ice-Phishing and EIP-712 Signature Scams
Ice-phishing attacks trick MetaMask users into signing transactions that grant attackers permission to drain their tokens — without ever stealing the seed phrase. The wallet key remains intact while assets are lost.
Last reviewed: 7 June 2026
Ice phishing is a form of attack unique to Web3 wallets. Rather than stealing private keys or seed phrases, it tricks the user into voluntarily granting spending authority over their tokens to an attacker's address. From the perspective of the blockchain, the transaction looks entirely legitimate — the user signed it themselves.
MetaMask is the primary target for ice-phishing because it is the dominant Web3 wallet for interacting with Ethereum-compatible protocols. When a user visits a DeFi site, NFT marketplace, or token-claiming page, MetaMask presents a signature request. Most users are accustomed to clicking 'Confirm' to proceed, creating an opportunity for attackers to embed malicious approval parameters in what looks like a standard request.
EIP-712 is the Ethereum standard for signing typed, structured data so that wallets can present it in human-readable form. Legitimate dApps use it to display understandable text in MetaMask's confirmation window. Attackers abuse it by making the visible portion look harmless while the underlying permission grants broad spending rights. MetaMask has added warnings for unusual approvals, but users need to read every confirmation carefully.
How this scam works on the MetaMask brand
A user is directed to a fake NFT drop or token-claim site via social media, Discord, or email. When they click 'Claim Airdrop,' MetaMask opens a signature request. The window shows the site's name and some technical text. The user clicks 'Sign,' thinking this is a normal wallet connection. In reality, the request's parameters include `setApprovalForAll` (granting approval for all tokens in a collection) or an ERC-20 approval for an unlimited amount, giving the attacker's contract authority to transfer the victim's assets.
Another vector involves compromised or malicious Ethereum smart contracts. A fake 'security update' for a well-known DeFi protocol prompts users to approve a new contract. The approval interface mimics MetaMask's design but is generated by a malicious dApp front-end.
The real MetaMask extension now flags high-risk approvals with warning banners and shows the specific permissions being granted. A signature request that includes 'Approve all' or an unlimited spending amount for a contract you do not recognize is a significant red flag. Legitimate dApps typically request approval only for the specific amount needed for a single transaction.
Common red flags
- A MetaMask signature request granting 'setApprovalForAll' to a contract you do not recognize
- An ERC-20 approval request for an unlimited or very large token amount from a new site
- A 'Permit' or EIP-712 signature request from a site you arrived at via a DM or social-media link
- The dApp URL differs slightly from the legitimate protocol (e.g., uniswap-official[.]io vs uniswap.org)
- A pop-up claiming you need to sign to 'migrate,' 'update,' or 'restore' your wallet
- MetaMask displays a warning banner saying the approval is unusual or high-risk
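The first three red flags can be checked mechanically on the request a dApp hands to the wallet. The sketch below is an added example, not MetaMask's code or part of the original page. It assumes the standard `eth_sendTransaction` and `eth_signTypedData_v4` request shapes, an EIP-2612-style `Permit` message, a hypothetical `knownSpenders` allowlist, and a 2^255 cut-off for "unlimited"; all addresses are constructed.

```javascript
// Added example: classify a wallet request against the approval red flags above.
const UNLIMITED = 1n << 255n; // assumption: amounts >= 2^255 count as "unlimited"
const SET_APPROVAL_FOR_ALL = "0xa22cb465"; // setApprovalForAll(address,bool)
const APPROVE = "0x095ea7b3";              // approve(address,uint256)

// Return the n-th 32-byte ABI argument word (hex, no 0x) after the 4-byte selector.
function word(data, n) {
  const w = data.slice(10 + n * 64, 10 + (n + 1) * 64);
  if (w.length !== 64) throw new Error("truncated calldata");
  return w;
}

// knownSpenders: lowercase addresses the user already trusts (hypothetical allowlist).
function inspectRequest(req, knownSpenders = new Set()) {
  const findings = [];
  const checkSpender = (addr) => {
    if (!knownSpenders.has(addr.toLowerCase())) findings.push("unrecognized-spender");
  };
  if (req.method === "eth_sendTransaction") {
    const data = (req.params[0].data || "0x").toLowerCase();
    const selector = data.slice(0, 10);
    if (selector !== SET_APPROVAL_FOR_ALL && selector !== APPROVE) return findings;
    const spender = "0x" + word(data, 0).slice(24); // address is the low 20 bytes
    const arg = BigInt("0x" + word(data, 1));       // bool flag or uint256 amount
    if (arg === 0n) return findings;                // revocation, not a grant
    if (selector === SET_APPROVAL_FOR_ALL) findings.push("approval-for-all");
    else if (arg >= UNLIMITED) findings.push("unlimited-erc20-approval");
    checkSpender(spender);
  } else if (req.method === "eth_signTypedData_v4") {
    const raw = req.params[1]; // typed data arrives as a JSON string or an object
    const typed = typeof raw === "string" ? JSON.parse(raw) : raw;
    if (typed.primaryType !== "Permit") return findings;
    findings.push("permit-signature"); // off-chain signature that grants an allowance
    if (BigInt(typed.message.value) >= UNLIMITED) findings.push("unlimited-erc20-approval");
    checkSpender(typed.message.spender);
  }
  return findings;
}

// Constructed sample: setApprovalForAll(0x1111...1111, true) sent to an NFT contract.
const SPENDER = "0x" + "11".repeat(20);
const sampleTx = {
  method: "eth_sendTransaction",
  params: [{ to: "0x" + "22".repeat(20),
             data: SET_APPROVAL_FOR_ALL + "0".repeat(24) + "11".repeat(20) + "0".repeat(63) + "1" }],
};
console.log(inspectRequest(sampleTx));
```

An empty result means none of these three patterns matched, not that the request is safe; the contract address and site URL still need to be checked by hand.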
How to protect yourself
- Read every MetaMask transaction confirmation in full — check the contract address, approval amount, and permissions granted
- Never approve 'setApprovalForAll' unless you are certain you are interacting with the genuine, audited contract
- Use Revoke.cash or Etherscan Token Approvals periodically to remove approvals you no longer need
- Verify dApp URLs carefully before connecting — bookmark official protocol URLs and use only those bookmarks
- Enable MetaMask's built-in phishing detection and keep the extension updated
- For large holdings, use a hardware wallet as a signing layer so every approval requires physical confirmation
How to report it
- Report the malicious dApp URL to MetaMask at support.metamask.io
- Report to IC3.gov (US) or your national cybercrime body
- Alert the legitimate protocol community (Discord, Twitter) so others can be warned
- Submit the phishing domain to Google Safe Browsing
Frequently asked questions
What is the difference between ice phishing and seed-phrase phishing?
Seed-phrase phishing steals your wallet's private key entirely. Ice phishing does not — your key remains with you. Instead, it tricks you into giving a third-party contract permission to move specific tokens, which the attacker then exercises.
How do I check what approvals my wallet has given?
Visit Revoke.cash or Etherscan's token approval checker, connect your MetaMask wallet (read-only is safe), and review the list. Revoke any approvals you do not recognise or no longer need.
Can ice-phishing affect hardware wallets?
Yes. A hardware wallet protects your seed phrase but still requires you to manually confirm transactions on the device. If you confirm a malicious approval on the hardware wallet's screen, the approval is granted just as it would be with MetaMask alone.