
[Bug]: DDoS of custom Infura Endpoint for Arbitrum Sepolia #29424

Open
REPTILEHAUS opened this issue Dec 30, 2024 · 5 comments
Labels: external-contributor, regression-prod-12.9.3 (regression bug that was found in production in release 12.9.3), Sev2-normal (normal severity; minor loss of service or inconvenience), team-wallet-api-platform, type-bug

Comments


REPTILEHAUS commented Dec 30, 2024

Read my update below: it is related to just one account, and not just Infura but any Arbitrum RPC.

Describe the bug

I've built a dApp which interacts with Arbitrum, and I noticed that a simple contract interaction results in 429 errors; the errors do not originate in my dApp.

I open MM in developer view and I can see over ~1750 RPC calls to my Infura endpoint. It appears to be calls for each wallet I have in my MM to update balances and other information, but the sheer volume makes it so that I cannot interact with the blockchain and Infura rate limits are hit.

I have also tried with other RPC providers for Arbitrum Sepolia and they have the same behaviour (see attached screenshot).

This issue and number of RPC calls occurs every time I open MetaMask and it is connected to an Arbitrum Sepolia RPC.

By contrast, when I open mainnet ETH there are about ~20 RPC calls.

Expected behavior

A more reasonable number of RPC calls that don't DDoS my account.

Screenshots/Recordings

[Two screenshots attached]

Steps to reproduce

1. Add a custom RPC for Arbitrum Sepolia
2. Check the MetaMask extension network requests
3. Try to interact with a contract

Error messages or log output

Sent in screenshot.

Detection stage

In production (default)

Version

12.9.3

Build type

None

Browser

Chrome

Operating system

MacOS

Hardware wallet

No response

Additional context

No response

Severity

  • Extremely critical, as I cannot test contract interactions for a release
  • Yes, it is visible to our test users

REPTILEHAUS commented Jan 3, 2025

Update: I had a chance to look into this more after the Xmas break. Basically this issue is related to one of my accounts, which is an account I have used for many transactions, and it has over 1000 NFTs associated with it. From what I can tell, when I switch to this account MetaMask is making between 1000 and 7000 RPC calls to the given endpoint (in this case Arbitrum Sepolia).

I analysed the network HAR file and I can see a crazy amount of eth_call requests, basically calling the supportsInterface and safeTransferFrom methods for every single NFT associated with my wallet.

Surely there should be some kind of pagination so that when you connect an account it does not fetch every NFT and its metadata + every single transaction you have ever made? Could we not just show an accordion of the NFT collection, and clicking on it will display the NFTs and do the eth_call requests?

On the back of the 429 errors there are also about 100 app-init.js fetches after all the RPC calls fail (rate limited, of course).

I can provide you with the dev tools networking export .har file if you want to investigate this, and just FYI the issue does not exist with Rabby wallet, Ledger, etc., just MM.
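The per-NFT eth_call pattern described in the two reports above (supportsInterface and safeTransferFrom probes per token, followed by 429s once the provider rate-limits) is exactly what a DevTools HAR export records, so here is an added example of how to triage such an export. It is not code from the issue or from MetaMask. The HAR entries, the RPC URL and the contract addresses are constructed placeholders; the only fixed facts it relies on are the standard 4-byte selectors for ERC-165 supportsInterface, the ERC-721/ERC-1155 safeTransferFrom overloads, balanceOf and ownerOf.

```javascript
// Added example (not MetaMask's or the reporter's code): triage a DevTools HAR
// export for JSON-RPC request volume against a wallet RPC endpoint.
// It tallies requests per JSON-RPC method, eth_call targets per 4-byte function
// selector, and HTTP 429 (rate-limited) responses. Runs offline on a constructed
// sample; pass a path to a real .har file as argv[2] (and optionally a host
// filter as argv[3]) to analyse that instead.

// Well-known selectors: first 4 bytes of keccak256 of the function signature.
const SELECTORS = {
  "0x01ffc9a7": "supportsInterface(bytes4)",                              // ERC-165
  "0x42842e0e": "safeTransferFrom(address,address,uint256)",              // ERC-721
  "0xb88d4fde": "safeTransferFrom(address,address,uint256,bytes)",        // ERC-721
  "0xf242432a": "safeTransferFrom(address,address,uint256,uint256,bytes)", // ERC-1155
  "0x70a08231": "balanceOf(address)",
  "0x6352211e": "ownerOf(uint256)",
};

// A HAR entry's POST body may be one JSON-RPC object or a batch (array); return a flat list.
function parseJsonRpcBodies(entry) {
  const text = entry.request && entry.request.postData && entry.request.postData.text;
  if (!text) return [];
  let body;
  try { body = JSON.parse(text); } catch (e) { return []; }
  return Array.isArray(body) ? body : [body];
}

// hostFilter (optional) restricts the tally to one RPC host, e.g. the Infura project host.
function summarizeHar(har, hostFilter) {
  const summary = { requests: 0, rpcCalls: 0, byMethod: {}, ethCallBySelector: {}, http429: 0 };
  for (const entry of har.log.entries) {
    if (hostFilter && new URL(entry.request.url).host !== hostFilter) continue;
    summary.requests += 1;
    if (entry.response && entry.response.status === 429) summary.http429 += 1;
    for (const rpc of parseJsonRpcBodies(entry)) {
      if (!rpc || typeof rpc.method !== "string") continue;
      summary.rpcCalls += 1;
      summary.byMethod[rpc.method] = (summary.byMethod[rpc.method] || 0) + 1;
      const call = rpc.method === "eth_call" && Array.isArray(rpc.params) ? rpc.params[0] : null;
      if (call && typeof call.data === "string" && call.data.length >= 10) {
        const sel = call.data.slice(0, 10).toLowerCase();
        const name = SELECTORS[sel] || sel; // unknown selectors are reported raw
        summary.ethCallBySelector[name] = (summary.ethCallBySelector[name] || 0) + 1;
      }
    }
  }
  return summary;
}

// --- Constructed sample HAR (placeholder URL and made-up contract addresses) ---
const RPC_URL = "https://arbitrum-sepolia.rpc.example/v3/KEY"; // placeholder, not a real endpoint
function rpcEntry(body, status) {
  return {
    request: { method: "POST", url: RPC_URL, postData: { mimeType: "application/json", text: JSON.stringify(body) } },
    response: { status: status === undefined ? 200 : status },
  };
}
const fakeAddr = (i) => "0x" + String(i).padStart(40, "0");
const SAMPLE_HAR = { log: { entries: [
  rpcEntry({ jsonrpc: "2.0", id: 1, method: "eth_blockNumber", params: [] }),
  // one batched request: a supportsInterface(0x80ac58cd /* ERC-721 */) probe per NFT contract
  rpcEntry([1, 2, 3].map((i) => ({ jsonrpc: "2.0", id: 10 + i, method: "eth_call",
    params: [{ to: fakeAddr(i), data: "0x01ffc9a7" + "80ac58cd".padEnd(64, "0") }, "latest"] }))),
  // a safeTransferFrom eth_call that the provider rate-limited
  rpcEntry({ jsonrpc: "2.0", id: 20, method: "eth_call",
    params: [{ to: fakeAddr(1), data: "0x42842e0e" + "0".repeat(192) }, "latest"] }, 429),
  // non-RPC traffic to a different host; excluded when a hostFilter is given
  { request: { method: "GET", url: "https://dapp.example/app-init.js" }, response: { status: 200 } },
] } };

if (typeof require !== "undefined" && require.main === module) {
  const har = process.argv[2] ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8")) : SAMPLE_HAR;
  console.log(JSON.stringify(summarizeHar(har, process.argv[3]), null, 2));
}
```

Saved as, say, har-triage.js, `node har-triage.js export.har <rpc-host>` prints the tally for one provider host; a report like the one above shows up as eth_call dominating byMethod, supportsInterface and safeTransferFrom dominating ethCallBySelector, and http429 climbing once the provider's limit is hit. Batched JSON-RPC bodies are expanded, so the rpcCalls count reflects calls, not HTTP requests.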

@sahar-fehri (Contributor) commented

Hi @REPTILEHAUS 👋
Thank you for reaching out!
Could you provide a video showing the network tab + the interactions you make with the app that result in this behavior?
The networking export would be helpful too 🙏


REPTILEHAUS commented Jan 6, 2025

Hi @sahar-fehri, sure, no problem. How do you want me to send the video and the network export? It needs to be an official MetaMask email address for obvious reasons.

DanielTech21 added the Sev2-normal (normal severity; minor loss of service or inconvenience) and team-wallet-api-platform labels on Jan 6, 2025

sahar-fehri commented Jan 7, 2025

Hi @REPTILEHAUS, I have tried your project locally and was not able to repro the excessive amount of requests you were seeing; could you send the video and network export to this email.

@REPTILEHAUS (Author) commented

@sahar-fehri I have responded via email now, thank you.

Projects
Status: To be fixed
Development

No branches or pull requests

4 participants