'Is it possible to connect someone else's MetaMask account?
I've been told that signing a message on a Dapp is the only way to prove that you actually own the account you are connecting with (i.e., simply connecting your wallet isn't enough because someone could just send a backend call that uses someone else's wallet).
However, I'm having a tough time understanding how that would work. If I look at libraries like web3modal, web3react, and web3-onboard, they all just use a function like connect() to open up someone's injected wallet in their browser. Can a nefarious actor somehow edit connect() and pass in a wallet address they don't own?
Solution 1:[1]
Can a nefarious actor somehow edit connect() and pass in a wallet address they don't own?
You can pass whatever data from the client to the backend or blockchain. If you do not sign the data there is not any kind of verification you own the data.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Mikko Ohtamaa |