If you use MetaMask to store Ethereum or other crypto, listen up: security researchers just found a critical flaw that could let hackers drain your wallet without you even knowing. The good news? There’s a fix — but you need to update right now.
By Aisha Okonkwo | June 2, 2026
MetaMask is the most popular Ethereum wallet in the world, with over 30 million monthly users. Think of it as the digital equivalent of your physical wallet — it holds your crypto and lets you spend it. Now imagine someone found a way to reach into that wallet and take money out without you noticing. That’s essentially what researchers at Cypher Labs discovered.
What’s the Bug?
The vulnerability, nicknamed “SignSneak,” affects how MetaMask handles transactions — specifically when you approve a payment or interact with an app (called a “dApp”) on the Ethereum network.
Here’s the problem in plain English: when you approve a transaction in MetaMask, the wallet is supposed to show you exactly what you’re agreeing to — how much you’re sending, to whom, and what fees you’ll pay. But this bug could let attackers change those details behind the scenes. So you think you’re approving a small $10 transfer, but the actual transaction could be sending a lot more to the attacker’s wallet.
The flaw affects MetaMask versions 12.3.0 through 12.5.1 — so if you haven’t updated recently, you’re likely vulnerable. It impacts users on Chrome, Firefox, Brave browsers, and the mobile apps on both iOS and Android.
Who’s at Risk?
Security experts estimate about 10% of MetaMask users regularly do things that could expose them to this bug — like using DeFi apps (lending, trading platforms), buying NFTs, or approving token transfers. That could mean millions of dollars worth of crypto at risk.
The most at-risk users are those who:
- Regularly use decentralized apps (DeFi platforms, NFT marketplaces)
- Have recently approved token transfers
- Hold significant amounts of crypto in MetaMask
- Haven’t updated their wallet recently
The Fix Is Here — Update Now
MetaMask’s team moved fast. They released an emergency patch in version 12.5.2 that fixes the vulnerability. Here’s what the update includes:
- Better transaction checks that detect when someone tries to tamper with payment details
- Improved fee calculations that can’t be tricked
- Extra safeguards when interacting with smart contracts
- Real-time alerts for suspicious transaction patterns
“The security of our users’ assets is our absolute priority,” said Jane Smith, Head of Security at MetaMask. “We’ve worked around the clock to address this vulnerability and appreciate the responsible disclosure from Cypher Labs. We recommend all users update to the latest version immediately.”
What You Should Do Right Now
If you use MetaMask, here’s your action plan:
- 1. Update MetaMask immediately to version 12.5.2 or later. This is the most important step.
- 2. Double-check every transaction before approving it — look at the amount and the destination address carefully.
- 3. Review your recent transaction history for anything you don’t recognize.
- 4. Consider a hardware wallet (like a Ledger or Trezor) for large amounts of crypto — these keep your private keys offline where hackers can’t reach them.
- 5. Move funds to cold storage if you’ve recently used DeFi apps and want to be extra safe.
Reports suggest attackers have been actively exploiting this bug since late May 2026, targeting high-value accounts. The vulnerability was responsibly disclosed — meaning researchers found it and told MetaMask before criminals could use it widely. But that doesn’t mean no one got hit.
This is a reminder that in crypto, you are your own bank — which means you’re also your own security team. Keep your software updated, double-check what you’re approving, and never keep more than you can afford to lose in a hot wallet (a wallet connected to the internet).
The cryptocurrency market remains highly volatile. This article is for informational purposes only and does not constitute financial advice.
30 million users and a zero day in the signing mechanism. this is why i keep telling people to use hardware wallets for anything over $500
the hardware wallet point is valid but the real issue is 10% of 30M users engaging with exploitable dApps. thats potentially 3M people exposed before the patch dropped
The SignSneak flaw is concerning but Cypher Labs and MetaMask handled the disclosure well. Emergency patch in days is better than most projects manage. Update your extensions people.
Versions 12.3.0 through 12.5.1 is a wide window. How many months was this sitting undiscovered? And they say its been exploited since late May. Not great.