Metamask is one of the most recommended crypto wallet options for crypto beginners and those devoted to the Ethereum blockchain. However, popularity is not enough reason for choosing a wallet.
The most important question is: Is Metamask safe for storing your crypto assets and investments? Let’s find out.
What is Metamask?
Metamask is a web plugin that allows users to bridge their browsers and the Ethereum blockchain seamlessly. This enables them to interact with Ethereum-based decentralized applications (dApps).
When we say Metamask is a wallet, we don’t mean that in terms of the physical wallets you have where you store your money and other valuables.
Digital wallets, precisely those stored on a blockchain like Ethereum, cannot be moved. When you buy an Ethereum token (Ether), the blockchain updates its records to show that the assets are now assigned to your address on the blockchain.
When you send some Ether out, the blockchain reassigns the sent amount to the receiver’s address.
So what is stored in your Metamask wallet? Your private keys.
Your wallet’s private keys are the only proof to show that you own the assets. Anyone with your private keys can claim ownership of your assets and do as they please, including sending out your crypto assets.
Note that the private key is different from the public key. The public key is like your home address. People use it for direction when sending parcels to your home. The private key is the key to your home. Without it, no one can enter your home.
You can share your public key with anyone. But you should never reveal your private keys to anyone, regardless of who they claim to be.
How does Metamask fit into all this?
Metamask is a web application that sends transaction requests to the Ethereum blockchain. It uses your private keys to validate that the transaction requests are genuine.
Through Metamask, users can:
- build decentralized applications (dApps);
- create smart contracts (immutable and self-autonomous transaction guidelines);
- verify their decentralized identities online; and
- interact with dApps, such as playing Ethereum-based crypto games.
Metamask stores your private keys as a Secret Recovery Phrase. This is a string of 12 to 24 randomly generated words. You should write and store this phrase in a secure offline location.
Unfortunately, malicious actors can access your secret recovery phrase from your computer if:
- you install illegal software;
- you visit malicious sites; or
- they get physical control over your computer.
We are just going to say it outright:
If you have a large amount of crypto to store, get a hardware wallet.
How Metamask Works
Metamask is a web browser extension that allows users to manage their Ethereum private keys. It serves as an Ethereum wallet that allows users to interact with decentralized applications or dApps within the Ethereum ecosystem.
To allow Metamask to function correctly, you have to give it access to “read and change all your data on the websites you visit.” While this might seem harmful at first, it isn’t.
Metamask does not keep information on its users. So, it doesn’t store your email addresses, passwords, private keys, or even Secret Recovery Phrases.
This access doesn’t change the webpage. It only allows the web page to interact with the blockchain.
Benefits/Importance of Metamask
Metamask is popular because of its excellent functionality and transparency. Here are some things that make Metamask important to the Ethereum blockchain and the crypto community.
- Open-source software: Anyone can access the Metamask code free as open-source software. This is because no one can claim sole ownership of the code. That makes Metamask very transparent.
- Easy-to-use interface: Metamask is a top recommendation for beginners as it sports a simple and intuitive interface. Even an absolute beginner can set up their account without much hassle.
- Hierarchical deterministic settings: The MetaMask wallet uses HD (hierarchical deterministic) settings to help users keep their accounts safe. This means that the wallet’s private keys are converted into a list of words called seed phrases. These seed phrases are easy to store and can be used to recover lost accounts.
- In-app coin purchasing: Metamask allows users to purchase Ether and ERC-20 tokens directly from two popular exchanges: Coinbase and ShapeShift.
- Local key storage: MetaMask stores user keys in the user’s browser. That way, users can exercise more control over their public and private keys.
- Community: MetaMask is an integral part of the Ethereum community and attracts millions of users from around the globe. Many of these users also contribute to Metamask code and make recommendations to improve the platform.
- Customer service: Metamask has a customer support team to help users resolve any issue they may have. They also have an easy-to-understand blog and video demonstration on their home page.
Metamask came under intense scrutiny and criticism in the first quarter of 2022. This was because Metamask users in certain countries could not access the platform. This raises concern over whether Metamask is genuinely decentralized.
Theoretically, a decentralized platform does not have a central source of control. This means no one can arbitrarily limit the platform to specific regions. As such, restricting users from accessing the platform based on their geographic location runs contrary to the decentralization that Metamask claims to have.
However, Metamask has explained that they didn’t restrict their services. Instead, the service they depend on, Infura, geo-limited their services.
Their blog post explained that they rely on Infura to access the blockchain. Infura withdrew its services from specific regions to comply with sanctions programs enacted by the U.S. government. As such, Metamask will not be available to users in those regions.
Infura came out to clarify the situation. In a series of tweets, the service provider explained that although the restrictions were intended, they were applied more broadly due to a technical error.
The situation raised a lot of concern as the crypto community prides itself on the idea of decentralized internet services. This means no government or business should be able to determine how people can access information and services from the internet. This has caused many to call for alternative platforms since Metamask cannot be trusted to act independently of centralized servers and corporate ownership.
However, with the rise of Web 3, many people are optimistic that government-influenced actions will be a thing of the past.
Is Metamask Chrome Extension safe?
As far as crypto wallets go, the Metamask Chrome extension is safe. However, malicious actors are constantly evolving their hacking tools and methods. Also, Metamask is open-source, so malicious actors can search the code for vulnerabilities and exploit them.
Lastly, there are user and security issues that are out of the control of Metamask engineers.
Here are a few tips to help secure your Metamask wallet. You can get more tips on the Metamask support page.
- Use a unique password for your Metamask account.
- Don’t share your password or recovery seed phrase with anyone under any circumstance.
- Use anti-malware software to protect your browser and computer from viruses and malicious attacks.
- Don’t use illegal sites, software, or services.
- Trust but verify. Ensure the website and popups you interact with are genuine. If you receive a notification, check to ensure the notification is real. Also, ensure you are surfing an authentic website before entering your addresses or passwords.
- Ensure your computer software and browser are up to date.
Is Metamask Safe To Connect With Ledger And Trezor?
It is safe to connect your Metamask with your hardware wallets, including Ledger and Trezor.
Given some of the security issues mentioned above, it is recommended that you only store small amounts of crypto in your online crypto wallet.
If you have a large amount of cryptocurrency, you should use a hardware wallet to make your holdings more secure.
Currently, Metamask supports only five types of hardware wallets:
- AirGap Vault,
- Ledger, and
The hardware wallet and its recovery seed phrase are saved offline in the hardware device.
So, even if someone gets access to your Metamask wallet, they will still need to access your hardware wallet before they can withdraw your funds. This provides a second line of defence for your crypto assets.
As long as you don’t share the seed phrase of your Ledger or Trezor hardware wallet, no one can access your crypto holdings remotely. Even if they gain physical access to your hardware wallet, they will still need the PIN for that specific hardware device.
This guide teaches you how to securely connect a Trezor or Ledger hardware wallet.
Is It Safe To Store Crypto On Metamask?
Metamask is as safe as hot wallets can be. It is perhaps the most popular hot storage option for Ethereum enthusiasts.
If you’re considering storing small amounts of crypto for day-to-day transactions, you can use Metamask.
But if you have a large amount of crypto or are looking for long-term storage, consider getting a hardware wallet.
There are three drawbacks to using Metamask to store crypto. These are:
- It can only be used to store Ethereum cryptocurrencies.
- As an online wallet, the security of your Metamask wallet can be compromised by security vulnerabilities on your device or internet connection.
- Browsers can collect information on Metamask users, such as their wallet addresses and how often they use Metamask. This raises privacy and security concerns.
Is It Safe To Share Your Metamask Address?
Yes, it is safe to share your Metamask wallet address(es). No one can access the funds in your wallet with only your wallet’s public address. The only thing they can do with your wallet address is check your wallet balance and transaction history.
This is nothing to worry about, as it is a feature of most cryptocurrencies and not a bug. Remember that the blockchain is a publicly distributed transaction ledger. That means anyone can see any wallet’s transaction history and balance with only the wallet address.
Is Buying Ethereum On Metamask Safe?
It is safe to buy Ethereum on Metamask. Metamask is directly linked with two popular exchanges: Coinbase and ShapeShift.
However, if you are buying a large amount of ETH, you should keep the bulk of your purchase in a hardware wallet. Only use your Metamask wallet to store small amounts of your crypto.
Is Metamask Safe On Firefox?
Metamask is safe on Firefox. Just make sure you download the extension from the Metamask website directly. Don’t share your recovery seed phrase with anyone.
When installing Metamask on Firefox, you might notice that the listed publisher on the plugin is “danfinlay, kumavis.” This is nothing to worry about.
As long as you begin the process from https://metamask.io/, you are safe.
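A check in the spirit of the advice above, as an added example that is not from the original article or the MetaMask project: it accepts a link only when its host is the site the article names, https://metamask.io/, and says why any other link is rejected. The function names, the decision to trust subdomains of that site, and the sample URLs are assumptions made for illustration.

```javascript
// Added example: classify a link before trusting it as the official MetaMask site.
// The only trusted host is the one the article names: https://metamask.io/
const OFFICIAL_HOST = 'metamask.io';

// Classic edit distance, used to spot near-miss spellings of the official host.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let prev = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, prev + (a[i - 1] === b[j - 1] ? 0 : 1));
      prev = tmp;
    }
  }
  return row[b.length];
}

function classifyLink(raw) {
  let url;
  try { url = new URL(raw); } catch { return 'reject: not a valid URL'; }
  if (url.protocol !== 'https:') return 'reject: not HTTPS';
  // "https://metamask.io@other.example/" really points at other.example.
  if (url.username || url.password) return 'reject: credentials in URL hide the real host';
  const host = url.hostname; // lower-cased and punycode-encoded by the URL parser
  // Assumption: subdomains of the official host are trusted as well.
  if (host === OFFICIAL_HOST || host.endsWith('.' + OFFICIAL_HOST)) return 'official';
  if (host.split('.').some((label) => label.startsWith('xn--'))) {
    return 'reject: punycode (possible homograph) host';
  }
  if (host.includes('metamask')) return 'reject: brand name on a different domain';
  const lastTwoLabels = host.split('.').slice(-2).join('.');
  if (editDistance(lastTwoLabels, OFFICIAL_HOST) <= 2) return 'reject: look-alike spelling';
  return 'reject: unrelated host';
}

// Constructed sample links.
for (const link of [
  'https://metamask.io/download',
  'https://metamask.io@wallet-update.example/',
  'https://metamask.io.wallet-update.example/',
  'https://metarnask.io/',
]) {
  console.log(link, '->', classifyLink(link));
}
```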
Is Transak Safe On Metamask?
Using Transak to purchase ETH on Metamask is safe. Transak is an online service that allows users to purchase crypto with fiat currency. It accepts card payments and bank transfers. It is available in over 100 countries and supports over 60 local currencies.
Transak uses a robust infrastructure that detects and stops fraud and illegal transactions on its platform. The only issue is that many users report delays in receiving tokens they purchase on the platform.
It takes between 1 and 3 working days for users who use the bank transfer method to receive their ETH. Those who choose the card payment option get their tokens in less than a minute. In rare cases, it can take up to 20 minutes for the ETH to pop up in your wallet.
To use Transak, you complete a 5-step KYC verification that requires the following information:
- Your email address
- Personal data such as your name, phone number, and date of birth
- Social security number (SSN)
- Address/ ID proof
If this feels like you are giving away too much information, you can use Wyre to purchase Ether on Metamask.
Is Importing Private Keys In Metamask Safe?
Importing accounts into your Metamask wallet is safe. You can choose to import the private key into your primary Metamask wallet or use an alternative method.
However, note that the imported account is not covered by your Metamask wallet’s 12-word seed phrase. If you recover your Metamask account, the imported accounts will not automatically appear.
Therefore, you should securely store the private keys for all your accounts separately in offline locations.
There are many ways to import an account into your MetaMask account. You can import an account from one Metamask wallet into another Metamask wallet. You can also import an outside account into your MetaMask wallet.
Method 1: Importing A Private Key
To import a private key into Metamask, take the following steps.
- Copy the private keys of the account you want to import. For Metamask accounts, you can get the private keys from the “Account Details” section.
- In your Metamask wallet, click the profile icon and select “Import Account.”
- Paste the private key in the assigned field.
- Congratulations, you have imported your account.
Method 2: Importing A JSON File
To import a JSON file into Metamask, take the following steps.
- Get the JSON file created in the other wallet software.
- In your Metamask wallet, click the profile icon and select “Import Account,” and select the JSON file option.
- Import the JSON file from your computer and enter the JSON file password.
- Congratulations, you have imported your account.
You can remove the imported accounts from your wallet at any time. This will permanently delete the selected address’s private key from your wallet’s local encrypted Vault.
Security issues with Metamask
Metamask is a fantastic tool for interacting with the Ethereum ecosystem and making transactions. However, it also has security issues that you should be aware of.
As an in-browser wallet, Metamask injects a web3 object into the web pages opened in your browser. This is to increase the web page functionality. Unfortunately, this also means that the website can detect that you are an Ethereum user.
On the surface, this looks harmless. After all, websites cannot make transactions on your holdings without your permission.
But that feature can help advertisers, especially those who want to target cryptocurrency holders. Also, in the hands of malicious actors, this is a dangerous weapon as it exposes:
- the fact that you own cryptocurrency; and
- the value of your crypto holdings; anyone can scan your address to find how much is stored in that wallet.
This can make you a target for malicious actors and increase the volume of cryptocurrency ads you see on the internet.
Metamask is locked by default. Although websites can detect that you have a crypto wallet, they cannot see your public address. Still, knowing that a wallet is present is enough to make malicious actors listen for a wallet unlock. A malicious actor can also launch different attacks to get you to unlock your Metamask and steal your assets.
Here is a brief rundown of possible attacks that can happen to locked and unlocked Metamask accounts. We will start with unlocked accounts.
Targeting An Unlocked MetaMask
An unlocked Metamask wallet will display your active wallet address on every web page you open. If you switch between accounts, Metamask will also expose the address of the other account.
Anyone can look up your financial transaction history on the blockchain and tell how much you have in your wallet with your wallet address. That is how the blockchain works – it is a publicly available ledger of transactions.
Using your transaction history, an attacker can make attacks on your Metamask wallet through the following means:
- Claiming That Your Last Outgoing Transaction Failed
The attacker can generate a false notification telling you that your last outgoing transaction failed. The notification will have all the correct details (sourced from the blockchain).
It will then prompt you to retry the transaction. However, the transaction will be pointing to a different address – one that the attacker controls. Unsuspecting users will initiate the transaction without checking it twice.
- Asking You To Sign For Your Incoming Transaction
The attacker can create a notification with correct details from your last incoming transaction. They then tell you that you need to sign to accept the transaction.
Experienced users will know this is fake as incoming transactions don’t require any action on the receiver’s part. Unfortunately, novices might fall for this.
- Showing You A fake MetaMask Pop-Out
The attacker could also create a lookalike version of the MetaMask pop-out. All the details in the transaction will be correct except your most recent transaction, which it would report as failed. It’ll then prompt you to retry the transaction after maliciously changing the receiving address to one that they control.
Targeting A Locked MetaMask
A locked Metamask account does not reveal any of your Metamask addresses. However, it does let every webpage know that you have a Metamask account. Malicious actors can use different strategies to make you unlock your account so that they can steal your assets. These are:
- Making the User Unlock Their Wallet with a Phony Incoming Transaction Notification
A malicious actor can tell if you have a Metamask account by examining the webpage you’ve opened. However, a locked Metamask account will not reveal your public address.
To make you unlock your Metamask account (and reveal your public address), the attacker can send you a fake notification for an incoming transaction.
This can be enough for users to unlock their Metamask, exposing their wallet address. The attacker can assess the user’s wallet balance and transaction history.
- Phishing the User
An aggressive option would be to create a phoney Metamask pop-out to get your password, seed phrase, or unencrypted private keys. Although the password is valuable, the ultimate goal is to get the seed phrase or private keys.
- The Timing Attack:
An alternative is for the attacker, once they detect that you have a Metamask account, to lie in wait for you to unlock it. The moment you unlock it to make a transaction, they will wait for a moment before sending you a phoney notification claiming the transaction failed. They will swap the receiver’s address for their address.
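The "your transaction failed, please retry" lures described above, both for unlocked wallets and in the timing attack, depend on the retry pointing at a different address. The following added example (not from the original article or MetaMask's code) compares a retry request with the transaction you actually sent; it goes one step beyond the text by also covering ERC-20 token transfers, where the recipient is inside the call data rather than in the `to` field. Function names and all addresses are constructed for illustration.

```javascript
// Added example. Field names (to, value, data, chainId) follow Ethereum's
// JSON-RPC transaction object; all addresses below are constructed samples.
const ERC20_TRANSFER = 'a9059cbb'; // selector of transfer(address,uint256)
const ALICE = '0x' + '11'.repeat(20);   // intended recipient (constructed)
const MALLORY = '0x' + '99'.repeat(20); // attacker-controlled (constructed)
const TOKEN = '0x' + 'ab'.repeat(20);   // token contract (constructed)

function normAddress(addr) {
  if (typeof addr !== 'string' || !/^0x[0-9a-fA-F]{40}$/.test(addr)) {
    throw new Error('malformed address: ' + addr);
  }
  return addr.toLowerCase();
}

// Build ERC-20 transfer calldata: selector + 32-byte address word + 32-byte amount word.
function transferData(recipient, amount) {
  const addrWord = normAddress(recipient).slice(2).padStart(64, '0');
  return '0x' + ERC20_TRANSFER + addrWord + BigInt(amount).toString(16).padStart(64, '0');
}

// Who really receives the funds. For an ERC-20 transfer the recipient sits inside
// the calldata and `to` is only the token contract.
function effectiveRecipient(tx) {
  const data = (tx.data || '0x').toLowerCase().replace(/^0x/, '');
  if (data.startsWith(ERC20_TRANSFER) && data.length === 8 + 64 + 64) {
    return { token: normAddress(tx.to), recipient: '0x' + data.slice(32, 72) };
  }
  return { token: null, recipient: normAddress(tx.to) };
}

// Returns the list of differences between the transaction you sent and the "retry".
function compareRetry(original, retry) {
  const a = effectiveRecipient(original);
  const b = effectiveRecipient(retry);
  const problems = [];
  if (a.recipient !== b.recipient) problems.push('recipient changed');
  if (a.token !== b.token) problems.push('token contract changed');
  if (BigInt(original.value || 0) !== BigInt(retry.value || 0)) problems.push('value changed');
  if (Number(original.chainId) !== Number(retry.chainId)) problems.push('chain changed');
  return problems;
}

// Constructed transactions: what was sent, and a tampered "retry" for each.
const sentEth = { to: ALICE, value: '0xde0b6b3a7640000', data: '0x', chainId: 1 };
const fakeRetryEth = { ...sentEth, to: MALLORY };
const sentToken = { to: TOKEN, value: '0x0', data: transferData(ALICE, 500), chainId: 1 };
const fakeRetryToken = { ...sentToken, data: transferData(MALLORY, 500) };

console.log(compareRetry(sentEth, fakeRetryEth));
console.log(compareRetry(sentToken, fakeRetryToken));
```

In the token case the `to` field is identical in both requests, so a check that only looks at `to` would miss the swap.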
How can you protect yourself?
To ensure online phishers can’t access your wallet address, disable Metamask by default. You should only enable it when you want to make a transaction.
Attackers cannot tell if your Metamask is enabled or not, so they cannot run most attacks on you.
Conclusion: Is MetaMask Safe?
It is a safe option if you are careful with your Metamask wallet. However, you need to guard against attempts to steal your crypto.
Many phishing attacks have become persuasive, and even expert users might fall for them. So, if you have a significant investment in crypto assets, you should consider getting a hardware wallet as a second line of defence.