Have you been growing your crypto bag and have a not immaterial amount of wealth in tokens?
Did you read on Twitter about some account getting ‘hacked’ and losing a material amount of wealth? Maybe you know someone personally who had crypto stolen from them?
Are you looking at your bags currently sitting on the same MetaMask wallet you started with and now you are wondering how safe the little fox icon actually is?
Fear not friend (or Fren), we will determine how risky MetaMask is in very easy-to-understand language.
Is MetaMask Safe?
The answer is 100%, definitively, without-a-doubt, unquestionably a solid “depends on what your definition of ‘safe’ is”.
MetaMask claims it has never been hacked, which seemingly is technically true.
But that doesn’t seem to line up with all the stories you have heard about people having their wallets cleared out or NFTs stolen. Is “oh no my MetaMask was ‘hacked’ and I lost all my coins” the newer tax avoidance strategy of ‘I lost it in a boating accident’? (Honestly, I am sure some people have tried it).
Or is MetaMask not as safe as they imply by saying they have never been hacked?
First, let’s explain MetaMask quickly for those who may not know.
Quick Background on MetaMask
MetaMask is a crypto wallet browser extension & mobile app that allows you to interact with blockchain-based applications. MetaMask works on all Eth & ERC-based tokens, including NFTs.
It is open-source which allows a broad community to search for bugs or issues, in addition to its core developers. Open-source allows for many eyes on the code and a more secure program.
Additionally, when you create a wallet, MetaMask doesn’t have access to your information or secret code. There isn’t a centralized server somewhere with all the wallet information that can be hacked. Each wallet is a standalone system.
ConsenSys is the group behind the funding of the MetaMask team and is well-known in the Ethereum community.
Overall, the MetaMask app seems fairly secure so far, however…
Problems with MetaMask Wallet Security
MetaMask is connected to the internet, like all hot wallets. This alone is enough reason to give pause.
Surprisingly, there is a lot of conflicting information online and I am no hacker or computer security expert. However, some of these other sites are fully crypto-tarded. Any site claiming MetaMask is as safe as a cold wallet since it has never been hacked is wrong.
Literally, one of the first things you hear from security experts is NEVER have your secret phrase exposed to the internet. That is the entire selling point of a cold wallet. The experts go so far as to say don’t take a picture of your phrase with your phone or save your phrase on your computer due to it being connected to the internet. (*scrolls through phone and deletes a few pictures….completely unrelated*)
MetaMask is a “hot” wallet, which means it is connected to the internet. Anything that connects to the internet opens you up to bad actors. That is internet 101.
Additionally, since it is a browser extension, it stores your private keys locally on the computer. Open your MetaMask and click on the little colorful circle on the top right corner (I don’t know what you call that, tie-dye button?). Then go to “settings” -> “security & privacy” and right there you have the option to reveal your secret code.
Plenty of common malware is capable of infecting your computer, logging your password, or getting remote control and just opening up your MetaMask extension. (You do log out and disconnect from all sites right? You don’t just keep it connected 24/7 because it is convenient to have your MetaMask auto connect for you…I ughh…definitely do…yupppp)
What Are Some Actual Potential Hacks?
But what does it actually mean for those of us who still have an AOL email address? Basically, your computer & general internet browsing habits are a huge issue even if the MetaMask code itself is strong.
- MetaMask could be entirely unhacked, but that sketchy site you went to last night may have downloaded some malware on your computer. Now a bad actor has logged your keystrokes and knows your password. Or maybe they are able to take over your computer and reveal the secret phrase on the MetaMask you never logged out of.
- MetaMask phishing attacks are also a thing. You have multiple tabs open and one is compromised or you clicked a link in an email. Next time you use your MetaMask, you get a failed transaction and a pop-up asks you to put in your password. “No big deal, transactions fail all the time”. This is a scam pop-up and someone has your password. Bad actors also use promoted sites/ads on Google searches and have fake look-alike sites to get you to download malware.
- Another type of phishing is when a fake help desk asks for your secret phrase to help you. If you are in a Discord or ever typed the word “MetaMask” into a tweet, you have seen this.
- Fake airdrops have also become popular. The bad actor sends coins to your wallet and when you interact with them, it gives them access to your wallet. There are many legitimate airdrops in crypto, so this one gets a lot of people to fall for it.
This is just scratching the surface, but you get the point, there are a lot of vulnerabilities.
The point being, once a bad actor has access to your MetaMask, there is no stopping them from completely draining your account. The ease of use that comes with MetaMask is its highest risk…That is unless you are using a hardware/cold wallet (Ledger or Trezor) to sign all your MetaMask transactions.
MetaMask Only Uses a 12-Word Secret Phrase
MetaMask uses a 12-word secret phrase while many cold wallets use a 24-word one. The way combinations work, this feels like a massive decrease in the number of permutations needed to guess a phrase. Are 12 words enough?
Seed phrases use a standardized list of 2048 words known as BIP39. Choosing 12 of 2048 without replacement seems like a big number, but is it big enough?
From various sites, people have thrown out a 12-word secret phrase taking the computing power of the fastest machines combined anywhere from 500 to 2,000 years to solve. So fairly low chance.
So the consensus is 12 words is likely secure, for now. If quantum computing comes around, allegedly all wallets could extend their security to stay ahead of computing power. So again, allegedly no worries.
That all said, I would still prefer 24 words and I am not sure why MetaMask opted to go with 12.
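To make the 12-vs-24 comparison concrete, here is an added example (not code from the original post or from MetaMask) of how a BIP39 phrase is actually built: raw entropy plus the first bits of its SHA-256 hash are sliced into 11-bit chunks, each chunk indexing the 2048-word list, so 12 words carry 128 bits of entropy and 24 words carry 256. It works with word indices instead of the English words to stay self-contained; the standard's own test vector, eleven "abandon"s (index 0) followed by "about" (index 3), shows that words can repeat and that the last word carries a checksum.

```python
import hashlib

WORDLIST_SIZE = 2048            # BIP39 wordlist length: 11 bits per word
VALID_WORD_COUNTS = (12, 15, 18, 21, 24)

def keyspace_bits(word_count: int) -> int:
    """Entropy bits behind a phrase: 11 bits per word minus the checksum bits."""
    total = word_count * 11
    return total - total // 33  # 12 words -> 128 bits, 24 words -> 256 bits

def entropy_to_indices(entropy: bytes) -> list:
    """Encode raw entropy as BIP39 word indices (entropy bits + SHA-256 checksum)."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 16, 20, 24, 28 or 32 bytes")
    cs_bits = ent_bits // 32                     # one checksum bit per 32 entropy bits
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    bits = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total = ent_bits + cs_bits
    # Slice the combined bit string into 11-bit chunks, most significant first.
    return [(bits >> (total - 11 * (i + 1))) & (WORDLIST_SIZE - 1)
            for i in range(total // 11)]

def indices_to_entropy(indices):
    """Decode word indices back to entropy; return None if the checksum fails."""
    n = len(indices)
    if n not in VALID_WORD_COUNTS or any(not 0 <= i < WORDLIST_SIZE for i in indices):
        return None
    total = n * 11
    cs_bits = total // 33
    bits = 0
    for idx in indices:
        bits = (bits << 11) | idx
    entropy = (bits >> cs_bits).to_bytes((total - cs_bits) // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    return entropy if (bits & ((1 << cs_bits) - 1)) == expected else None
```

A typo in a single word is caught by the checksum most of the time (a 1-in-16 miss rate for 12 words), which is why a mistyped phrase usually refuses to import rather than silently opening an empty wallet.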
So…Is MetaMask Safe?
Going back to the original answer I gave – “depends on what the definition of ‘safe’ is”.
MetaMask’s code seems very secure, however everything else surrounding it seems significantly less so.
I would compare MetaMask to a floor safe that has yet to be hacked.
However, in this analogy, the safe is sitting in a home with wide open doors and windows (your computer). And you taped the combination to open the safe right to the front (your personal security practices). Also, you get drunk in seedy parts of town and tell everyone about your safe and invite them over to see it then immediately pass out.
I’d imagine none of us would find much comfort in knowing that all our crypto was stolen through malware picked up somewhere else rather than through a hack of MetaMask’s code. At the end of the day, you still lost all your coins.
Therefore, even if MetaMask’s code is secure so far, I would still say MetaMask is not safe. If you are using MetaMask, or any hot wallet, as the only form of security around your crypto, it is only a matter of time before you lose your coins.
Is there a Better Alternative?
Yes. You should use a hardware wallet and connect it through MetaMask.
Currently MetaMask supports both Ledger and Trezor wallets. You can connect your wallet to MetaMask, and you will have all the functionality that you normally have with MetaMask to interact with smart contracts. However, you will need to approve any transaction with your hardware wallet. Additionally, your secret code is stored on the hardware wallet and off the computer.
Also, your entire wallet can’t be drained even if one transaction is hacked, as you would need to approve and sign off each transaction with your physical hardware device. Therefore, even if you make one poor choice you likely won’t lose all the coins in your wallet. However, if you give away your secret phrase it still doesn’t matter, as a bad actor will have access to all of your coins at that point anyway.
A hardware wallet linked to your MetaMask for transactions is the minimal amount of security you should settle for.
Did You Already Set Up a MetaMask Without a Hardware Wallet?
So you set up your MetaMask and put tokens directly on it?
Don’t worry, you can migrate your MetaMask wallet to a cold wallet. You can do this without having to move anything to a new wallet or realize any taxable events.