Seaport Dutch Auction balance spoofing — MetaMask Signature Insights API

Working PoC for a HackerOne report. Demonstrates that the wallet UI renders only startAmount while the user actually approves up to endAmount.

Attack 1

Bid escalation — 100,000× understatement

Seaport bid on BAYC #1234. Offer is WETH with startAmount = 0.001 and endAmount = 100. Attacker fills near endTime.

What MetaMask will display

BIDDING 0.001 WETH
From signature-insights response — amount = 1e15 wei.

What you actually approve

up to 100 WETH (~$300,000)
Hidden endAmount = 100e18 wei never reaches the popup.

Attack 2

Listing drain — NFT sold for ~$0

Seaport listing of BAYC #5678. Consideration is WETH with startAmount = 50 WETH and endAmount = 1 wei. Attacker fills near endTime.

What MetaMask will display

RECEIVE 50 WETH
API returns amount = 50e18 in the RECEIVE state change.

What you actually receive

1 wei (~$0)
Hidden endAmount = 1 wei.

Attack 3

USDC variant — 1 USDC shown, 1B USDC actual

Seaport bid on BAYC #9999. Offer is USDC with startAmount = 1 USDC and endAmount = 1,000,000,000 USDC.

What MetaMask will display

BIDDING 1 USDC
API returns amount = 1_000_000 (6-decimal USDC).

What you actually approve

up to 1,000,000,000 USDC
Hidden endAmount = 1e15 (6-decimal base units).

Control

Non-Dutch order — startAmount === endAmount

Baseline. The API renders this correctly because there is no Dutch curve to ignore.

What MetaMask will display

BIDDING 5 WETH

What you actually approve

5 WETH
Matches — no spoofing possible without a price curve.
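As an added example (not MetaMask's or Seaport's code), the following script models the four cases above as Seaport items and computes both the amount Seaport will actually settle at a given timestamp and the worst-case bound a wallet should display instead of startAmount alone. The order timestamps are constructed, and Seaport's rounding rule (offer amounts round down, consideration amounts round up) is assumed.

```javascript
// Added example (not MetaMask's or Seaport's code). Models the four cases on
// this page as Seaport-style items and shows (a) what Seaport settles at a
// given time, per its linear startAmount -> endAmount interpolation, and (b)
// the worst-case bound a wallet must show instead of startAmount alone.
// Assumptions: Seaport rounds offer amounts down and consideration amounts
// up; the order window below is constructed, item amounts follow the page.
const WEI = 10n ** 18n;
const ORDER = { startTime: 1_700_000_000, endTime: 1_700_086_400 }; // 24h window (constructed)
const CASES = {
  bidEscalation: { side: "offer", token: "WETH", startAmount: 10n ** 15n, endAmount: 100n * WEI },
  listingDrain:  { side: "consideration", token: "WETH", startAmount: 50n * WEI, endAmount: 1n },
  usdcVariant:   { side: "offer", token: "USDC", startAmount: 1_000_000n, endAmount: 10n ** 15n },
  control:       { side: "offer", token: "WETH", startAmount: 5n * WEI, endAmount: 5n * WEI },
};

// Amount Seaport will use for this item at unix timestamp `now` (seconds).
function currentAmount(item, startTime, endTime, now) {
  if (item.startAmount === item.endAmount) return item.startAmount; // no curve
  const duration = BigInt(endTime - startTime);
  const elapsed = BigInt(now - startTime);
  const remaining = duration - elapsed;
  let total = item.startAmount * remaining + item.endAmount * elapsed;
  if (item.side === "consideration") total += duration - 1n; // round up for the receiver
  return total / duration; // BigInt division truncates, i.e. rounds down for offers
}

// Bound the signer is exposed to over the whole order lifetime: the most they
// can pay for an offer item, the least they can receive for a consideration item.
function worstCase(item) {
  const [lo, hi] = item.startAmount < item.endAmount
    ? [item.startAmount, item.endAmount]
    : [item.endAmount, item.startAmount];
  return item.side === "offer" ? hi : lo;
}

// What the insights API renders today (startAmount only, per the report) next to
// the bound it should render; `understated` flags an order the popup misstates.
function insightRow(item) {
  const shown = item.startAmount;
  const exposure = worstCase(item);
  return { shown, exposure, understated: shown !== exposure };
}

for (const [name, item] of Object.entries(CASES)) {
  const row = insightRow(item);
  const atEnd = currentAmount(item, ORDER.startTime, ORDER.endTime, ORDER.endTime);
  console.log(`${name} ${item.side} ${item.token}: shown=${row.shown} exposure=${row.exposure} atEndTime=${atEnd} understated=${row.understated}`);
}
```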

Reproduction notes for triage: