The function 'setApprovalForAll' assigns or revokes the full approval rights to a given operator.
The two scenarios above are different; one is on a legitimate site, and another is on a scam site that looks completely different. But what if the scam site looked exactly like the legitimate site?
A very expensive NFT is about to release staking. All its owners are waiting anxiously to stake. To prepare its users, the project releases the site and a tutorial on how to stake. The site will become active in 24 hours.
Suddenly, there is an announcement on Discord. It's out of the original plans and tells people to stake fast for maximum rewards. FOMO kicks in, and users rush to the site.
It looks identical to the legitimate one, it works exactly like the tutorial shows, but the URL is different. The Discord has been breached, and scammers have shared a link that drains users' wallets, specifically NFTs from the project.
Like the two MetaMask prompts in the previous examples, the wallet request seems legitimate. It asks to 'Allow access to and transfer of all your <expensiveNFT>.'
Users without any Web3 security solution that don't realize the URL is malicious lose their expensive NFTs. What about users with a Web3 security solution that simulates/translates the transaction?
They will be presented with a simulation/transaction that tells them they are giving permission for their expensive NFT. Nothing will be suspicious about it because the simulation/transaction is correct. They will lose their expensive NFTs.
