A critical zero-day vulnerability has been discovered in MetaMask, one of the world’s most popular Ethereum wallet applications, potentially exposing millions of users to fund theft and unauthorized access to their digital assets.
By Aisha Okonkwo | 2026-06-02
The Vulnerability
Security researchers at Cypher Labs have identified a vulnerability in MetaMask’s transaction signing mechanism that could allow attackers to bypass the wallet’s standard security checks and get unauthorized transactions executed. The flaw, dubbed “SignSneak,” exploits a weakness in how the wallet handles smart contract interactions during gas fee calculation.
The vulnerability affects MetaMask versions 12.3.0 through 12.5.1 and exposes users who interact with decentralized applications (dApps) or approve token transfers. When exploited, an attacker could manipulate transaction parameters to execute transfers without proper user consent, or at significantly reduced gas fees, bypassing the approval the user intended to give.
Affected Systems
The impact of this vulnerability extends to millions of users worldwide. MetaMask currently boasts over 30 million monthly active users, making it one of the most widely used Ethereum wallets in the cryptocurrency ecosystem. The vulnerability specifically affects:
- Desktop users running MetaMask browser extensions on Chrome, Firefox, and Brave
- Mobile users of the MetaMask mobile app on iOS and Android
- Users interacting with DeFi protocols, NFT marketplaces, and other dApps
- Users approving token transfers or smart contract interactions
Security experts estimate that approximately 10% of MetaMask users regularly interact with dApps through which this vulnerability could be exploited, potentially putting millions of dollars worth of cryptocurrency at risk.
Mitigation Strategies
The MetaMask development team responded quickly to the security disclosure, releasing an emergency patch in version 12.5.2 that addresses the vulnerability. The company says it has implemented several layers of protection:
- Enhanced transaction validation to detect manipulated parameters
- Improved gas fee calculation algorithms resistant to bypass attempts
- Smart contract interaction safeguards that prevent unauthorized approvals
- Real-time threat detection for suspicious transaction patterns
“The security of our users’ assets is our absolute priority,” said Jane Smith, Head of Security at MetaMask. “We’ve worked around the clock to address this vulnerability and appreciate the responsible disclosure from Cypher Labs. We recommend all users update to the latest version immediately.”
User Action Required
All MetaMask users are urged to take immediate action to protect their digital assets:
- Update MetaMask immediately to version 12.5.2 or later
- Check transaction details carefully before approving any transactions
- Review recent transaction history for any unauthorized activity
- Enable additional security features like hardware wallet integration
- Consider using alternative wallets until full confidence is restored
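The advice to check transaction details before approving is easier to follow with a concrete list of what to compare. The following is an added example written for this page; it is not code from the article, from Cypher Labs, or from MetaMask, and it says nothing about how SignSneak itself works. It decodes ERC-20 calldata (the standard `transfer`, `approve` and `transferFrom` selectors) from a transaction object shaped like the parameters of `eth_sendTransaction`, and compares the destination, method, recipient, amount, attached value and gas fields against what the user expects. The token, spender and attacker addresses, the transaction objects and the expected-values object are all constructed for the demo; the field names and bounds are assumptions, not a MetaMask API.

```javascript
// Added example, not MetaMask's code: a pre-signing sanity check that decodes
// ERC-20 calldata and compares a transaction object against what the user
// believes they are approving. Field names follow eth_sendTransaction params
// (to, value, data, gas, maxFeePerGas, maxPriorityFeePerGas, all hex strings).
// All addresses and transactions below are constructed for the demo.

const SELECTORS = {
  'a9059cbb': { name: 'transfer',     args: ['address', 'uint256'] },
  '095ea7b3': { name: 'approve',      args: ['address', 'uint256'] },
  '23b872dd': { name: 'transferFrom', args: ['address', 'address', 'uint256'] },
};
const UINT256_MAX = (1n << 256n) - 1n;

const strip0x = (hex) => (hex.startsWith('0x') ? hex.slice(2) : hex);

// ABI-encode one static argument as a 32-byte word (used only to build samples).
const word = (v) => BigInt(v).toString(16).padStart(64, '0');
const encodeCall = (selector, args) => '0x' + selector + args.map(word).join('');

// Decode calldata into { name, args }. Unknown selectors are reported, not guessed.
function decodeCalldata(data) {
  const hex = strip0x(data || '0x').toLowerCase();
  if (hex.length === 0) return { name: 'ethTransfer', args: [] };
  if (hex.length < 8) throw new Error('calldata shorter than a selector');
  const spec = SELECTORS[hex.slice(0, 8)];
  if (!spec) return { name: 'unknown', selector: '0x' + hex.slice(0, 8), args: [] };
  const words = hex.slice(8);
  if (words.length !== spec.args.length * 64) throw new Error('calldata length does not match ABI');
  const args = spec.args.map((type, i) => {
    const w = words.slice(i * 64, (i + 1) * 64);
    if (type === 'address') {
      if (!/^0{24}/.test(w)) throw new Error('non-zero padding in address word');
      return '0x' + w.slice(24);
    }
    return BigInt('0x' + w);
  });
  return { name: spec.name, args };
}

// Returns a list of findings; an empty list means the tx matches expectations.
function checkTransaction(tx, expected) {
  const findings = [];
  const call = decodeCalldata(tx.data);
  if (tx.to.toLowerCase() !== expected.to.toLowerCase()) findings.push(`to mismatch: ${tx.to}`);
  if (call.name !== expected.method) findings.push(`method mismatch: ${call.name}`);
  if (call.name === 'approve' && call.args[1] === UINT256_MAX && !expected.allowUnlimited) {
    findings.push('unlimited approval');
  }
  if (call.name === 'approve' || call.name === 'transfer') {
    if (call.args[0] !== expected.recipient.toLowerCase()) findings.push(`recipient mismatch: ${call.args[0]}`);
    if (call.args[1] > expected.maxAmount) findings.push(`amount ${call.args[1]} exceeds ${expected.maxAmount}`);
  }
  if (BigInt(tx.value || '0x0') !== expected.value) findings.push(`value mismatch: ${tx.value}`);
  // Gas fields: the wallet signs whatever is in the object, so bound them too.
  const gas = BigInt(tx.gas), maxFee = BigInt(tx.maxFeePerGas), prio = BigInt(tx.maxPriorityFeePerGas);
  if (gas > expected.maxGas) findings.push(`gas limit ${gas} exceeds ${expected.maxGas}`);
  if (maxFee > expected.maxFeePerGas) findings.push(`maxFeePerGas ${maxFee} exceeds ${expected.maxFeePerGas}`);
  if (prio > maxFee) findings.push('priority fee exceeds max fee');
  return findings;
}

// --- constructed sample data (not real contracts or addresses) ---
const TOKEN    = '0x' + '22'.repeat(20);
const SPENDER  = '0x' + '11'.repeat(20);
const ATTACKER = '0x' + '33'.repeat(20);

const expected = {
  to: TOKEN, method: 'approve', recipient: SPENDER, maxAmount: 1_000_000_000n, // 1000 tokens at 6 decimals
  allowUnlimited: false, value: 0n, maxGas: 100_000n, maxFeePerGas: 50_000_000_000n, // 50 gwei
};
const baseTx = { to: TOKEN, value: '0x0', gas: '0xc350', maxFeePerGas: '0x6fc23ac00', maxPriorityFeePerGas: '0x3b9aca00' };
// What the dApp UI claims: approve(SPENDER, 1000 tokens)
const goodTx = { ...baseTx, data: encodeCall('095ea7b3', [SPENDER, 1_000_000_000n]) };
// A tampered object: approve(ATTACKER, uint256 max) with the same gas fields
const badTx  = { ...baseTx, data: encodeCall('095ea7b3', [ATTACKER, UINT256_MAX]) };

function runDemo() {
  return { good: checkTransaction(goodTx, expected), bad: checkTransaction(badTx, expected) };
}

console.log(runDemo());
```

The honest object produces no findings; the tampered one is flagged for an unlimited approval, a recipient mismatch and an amount above the expected cap. The caveat is the one the comments below make: a check that runs in the same browser as the wallet can be fed the same lie the preview screen was fed, so this is a model of what to compare, and a hardware wallet that shows the decoded call on its own display is where the comparison is worth the most.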
The vulnerability has been actively exploited in the wild since late May 2026, with reports suggesting that sophisticated attackers have targeted high-value accounts and institutional users. Security analysts recommend that users who have recently interacted with DeFi protocols or approved token transfers consider moving their funds to secure cold storage as a precautionary measure.
This incident highlights the ongoing cat-and-mouse game between security researchers and malicious actors in the cryptocurrency space. As digital assets become more valuable and mainstream adoption grows, the importance of robust security practices cannot be overstated.
Industry experts note that this vulnerability, while serious, also demonstrates the effectiveness of responsible disclosure practices. Cypher Labs discovered the flaw and worked with MetaMask to develop a patch before the vulnerability could be widely exploited by malicious actors.
The cryptocurrency market remains highly volatile. This article is for informational purposes only and does not constitute financial advice.
signsneak is a nasty one. the gas fee manipulation vector means you could approve a normal looking tx and it executes something completely different. update to 12.5.2 immediately if you haven’t
10% of 30 million users is still 3 million people potentially exposed. that’s not a small number even if the actual exploit window was short
3 million is being generous tbh. most people auto-update but never verify the version number. the real exposure window was probably wider
segfault_, the scary part is the tx looks correct on the preview screen. metamask signs what the dapp sends, and the dapp was lying about the gas params
the gas manipulation angle is what makes this scary. you check the tx details, everything looks normal, then the actual execution does something completely different
Yuki S., the gas manipulation part is what keeps me up. you can verify the function selector and args but the execution environment itself was compromised
Cypher Labs has been on a roll finding these. Remember they caught the Ledger display bug last year too. Glad MetaMask pushed the patch fast this time.
been telling people to use hardware wallets for anything over 1 eth for years. browser extension wallets are convenience tools, not vaults
SignSneak affecting versions 12.3.0 through 12.5.1 is a 5 month window. that’s a massive exposure for the most used hot wallet in crypto
5 month window on the most used wallet in crypto. conservatively that’s millions of txs where the gas field could have been manipulated
another reminder that if you hold significant funds in a browser wallet you are living dangerously. cold storage exists for a reason
SignSneak gas manipulation is exactly why hardware wallets are non-negotiable
gas_hex_viewer is right – tx previews can look normal while the exploit runs