Let’s set this question once and for all. MetaMask, as the wallet, is not hackable. What, however, is hackable is the human factor – you.
Crime and malicious activity in the crypto industry are on the daily agenda. Phishing attacks, rug pulls, vampire attacks. The list of ways someone can compromise your assets is ever going.
Only in the first quarter of 2022, victims of crypto scams lost nearly $672 million, according to FTC.
And MetaMask, as one of the most popular crypto wallets out there, is regularly a target for phishing attacks.
We also received a phishing email the other day urging us to upgrade our wallet because it was supposedly switching to a new blockchain. You can read our report on that here.
We know it’s bold to claim that MetaMask is unhackable. But there is nothing to be hacked, as MetaMask doesn’t store your data anywhere online on remote storage, but everything is accessed locally. However, you, as the owner of that wallet, are hackable.
This article will give you all the fundamental information you need to keep your wallet secure and, without going way too technical, explain how MetaMask stores your secret keys, so it can’t be hacked.
Why MetaMask is not Hackable?
A lot of people confuse being hacked with being phished.
Phishing is a form of social engineering, and it’s very common and hardest to protect against.
In the simplest form, it can be a website or a link pretending to be a real service, you know, while it isn’t, and the actor behind it is just trying to get personal information out of you.
Any online service can be, in fact, hacked. Whether it is a crypto exchange or your favorite social media. Hacker’s intent? To get money, assets, personal information, passwords, etc., from as many people as possible.
However, there is nothing to be retrieved from hacking MetaMask. Let’s not confuse MetaMask being hacked with your device being hacked.
To understand this, we have to look at how MetaMask stores your data.
How MetaMask Stores your Data, Keys, and Seed Phrases
Both MetaMask’s extension and mobile app are open-source. If you have programming knowledge, you can check the whole codebase in their GitHub repository. The code is well-written and full of comments, so it’s not too difficult to follow.
The concept of storing this sensitive data is called Keyring. You can think of Keyring as a keyring you have your home keys on.
The keyring is implemented via KeyringController. It has three primary responsibilities:
* Initializing & using (signing with) groups of Ethereum accounts ("keyrings"). * Keeping track of local nicknames for those individual accounts. * Providing password-encryption persisting & restoring of secret information.
You can find this in the KeyringController README, accessed here.
Now, let’s take a look at how MetaMask’s keyring works.
The ring itself is the seed phrase, and every one of the individual keys (private keys) is your account. As you might know, there is a fundamental difference between the two.
While seed phrase backs up your whole wallet, whereas the private key is only paired with one public key (crypto address).
The keyring with the keys on it is then encrypted with an encryption key generated from your password.
And the whole bundle like this is stored locally in the extension.
If MetaMask can’t be Hacked, How do Users Lose their Assets?
Everyone wants crypto to stay decentralized. And with decentralization comes a big responsibility. In this case, you can’t count on some centralized power to take care of you.
So let’s say it one more time. MetaMask stores your data locally on your device, which means that the platform itself cannot be hacked. Or that the platform cannot leak any sensitive information since they do not hold any.
However, it is still possible for a hacker to gain access to your MetaMask wallet by obtaining your private key or seed phrase.
This can happen in many different ways. There are a few usual causes.
1. Your Computer has been Compromised with a Virus
If your computer got compromised, it automatically doesn’t mean that the hacker or malicious actor has access to your MetaMask wallet.
But if you store your private information on your computer as a plaintext or a note, they can potentially get access to your wallet.
Similarly, if someone got access to your computer, it doesn’t mean that they’ll be able to gain access to the wallet. However, they can steal that whole file with the extension and brute force the password to decrypt the data.
That’s why it is important to have a strong password even to your only locally accessible wallet.
2. You gave someone your Private key or Seed Phrase
It’s important to remember that no one will ever ask for your seed phrase.
When you receive a phishing email, it’ll likely ask you for your seed phrase to do something. To upgrade your wallet, to receive a free airdrop, to get access to something, etc.
But you can be 100% sure that none of this will happen. Even when the message claims that they will block your wallet when you do not do what they say.
MetaMask doesn’t need your seed phrase, and you also never shared your email address with them.
Generally speaking, even if you were using a centralized app, if they want, they can block or upgrade or do anything with your account with or without your cooperation.
3. You gave a dApp too much Permission, and it got Hacked
When using dApps like OpenSea or PancakeSwap, they’ll ask you for permission to interact with your wallet and its content. This is called allowance.
Some apps might ask just for permission to see your wallet’s balance. While others might want to spend or transfer your tokens.
That’s inevitable, especially with decentralized exchanges. After all, if you want to swap your tokens, you must allow the app to perform the swap.
If you grant a dApp full permission to interact with your MetaMask wallet, you essentially give that dApp control over your funds.
And while MetaMask itself cannot be hacked, dApps can. And if dApp is hacked, which has unlimited permissions, there is a potential risk that your MetaMask funds could be compromised.
That’s why it’s important to revoke all permissions from dApps you don’t intend to use in the near future.
This simple process can save all your funds. You can check our guide on how to revoke permissions on MetaMask for more information.
How to not get “Hacked” Using MetaMask
There are a few practices you should definitely include in your daily interaction with cryptocurrencies. The previous section should already give you a good overview of the usual causes of users losing their assets stored in wallets like MetaMask.
1. To prevent your computer from getting infected by malware, spyware, or any other malicious software, you should use good antivirus software. A good antivirus will block malicious websites for you and detect any potentially harmful apps.
2. You also shouldn’t underestimate the importance of a strong password, even for local purposes. Even though the MetaMask password is only used on your device and does not back up your account, it serves as a key to encrypt and decrypt your seed phrase and private keys.
3. The next way to lose your assets is by someone knowing your seed phrases or private keys. This information serves as full access keys to your funds. Never give it out to anyone, and choose a good storage space for them.
You can take inspiration from our guide that mentions the best seed phrase storages.
4. And finally, consider a purchase of a hardware wallet. Although non-custodial wallets like MetaMask are generally safe, it’s only as secure as your device. Even hardware wallets aren’t foolproof but are considered much safer in comparison to software wallets.
There are many different brands you can choose from. Whatever manufacturer you choose, make sure to purchase it directly from them.
The usual mainstream choices are Trezor, Ledger, or SecuX. To help you decide, we also got a complete comparison of all SecuX wallets.
We started this article with a bold claim that MetaMask cannot be hacked.
This, however, doesn’t mean, in any way, that your assets can’t be stolen from MetaMask. This article tried to draw a thick line between being hacked yourself, being phished, and MetaMask being hacked.
It’s arrogant to claim that it’s always MetaMask’s fault that your crypto got stolen. It’s like blaming the company that made your leather wallet for your wallet being stolen in a robbery.
Once something like this happens, you need to take some responsibility. If you refuse to learn, it’s going to happen again.
As a self-custodial wallet, it’s on your self to safely store all sensitive information. Make sure no one ever gets your seed phrase and private keys in their hand, and you’ll avoid the vast majority of dangers.
After all, 10 million users wouldn’t be using MetaMask, if it wasn’t trustworthy.