Dear Reader,
Nothing is as devastating as losing your life savings to a hacker, let alone if it happens on MetaMask, a non-custodial wallet, which essentially means that if your bag is gone, it's gone.
Hardly a day goes by without a pleb's MetaMask getting hacked. The wallet gets cleaned out, and honestly this is enough to make you sick every time you think about it. I mean, watching your coins leave your wallet on Etherscan and seeing them disappear is just so much fun. Are you kidding me!
On a serious note though, this has happened to so many people over the last few months. You'd be forgiven for thinking the wallet has a major vulnerability that the MetaMask devs are not owning up to.
If MetaMask were like those vintage leather wallets that leak coins, it would be best to just toss it in the garbage and forget about it. Problem solved!
Not so fast, bruh! This is 2021.
There is a huge craze around DeFi and NFTs, and MetaMask is a must-have if you want in.
The Elusive Malware
Thus far, there's no conclusive answer as to why there are so many hacking incidents on MetaMask.
So, it's rather disheartening whenever a troll yells, "it's always a user error, you don't just get 'hacked'." Mind you, this is directed at someone who's devastated because they woke up to find their MetaMask cleaned out.
Though such a crude response makes sense in a clear phishing incident, it fails to explain other incidents where the victims themselves demonstrated geek-level computer skills and still got hacked.
I mean, if you're a gamer with a computer science degree who created a few meme coins for fun, you'd be dumbfounded if a hacker took off with your bag, and also shocked if you were unable to explain what happened no matter how hard you tried to retrace your steps.
What is clear, though, is that hackers orchestrate most of the top-level breaches through MetaMask's browser extension. In particular, the Chrome browser extension seems to be the most impacted.
The mobile app, available on iOS and Android, has proved to be more resilient, save for phishing attacks, which can be hard to detect.
Call it what you want if someone's funds got stolen because they downloaded the app from unknown sources on the internet. But it will blow your mind when you get the app from the Play Store and still get phished.
The thing is, you may be on the App Store or Play Store and still end up with a scam app that appears totally legit.
Even on such highly curated mobile application stores, scam apps make their way in and trick people. Uploading a fake MetaMask wallet to a mobile store is a simple but effective way to steal funds.
The easiest way to download the legit mobile app is to get it via metamask.io/download.html. This is the official download link, which then takes you to the legit app on the Google Play Store.
As mentioned earlier, the extension is where things get freaking scary. The lengths hackers go to just to steal could make you quit the crypto world.
Computer is Compromised
On the web, the common mistakes most people make are clicking unnecessary links related to airdrops and interacting with dodgy sites.
But there are other scenarios. For example, you could get rootkited. Many rootkits enter your PC by piggybacking on software you trust. The problem is, if you get rootkited, it won't matter what malware or phishing protection you have.
In fact, having an antivirus will be your biggest drawback in this scenario, because a rootkit, worm or keylogger will go undetected while you stay oblivious to the lurking danger.
To give you an example, a Redditor by the name of archeactive says that he once had an issue with his PC and some type of worm kept causing issues, so he changed the hardware and RAM. When that didn't work, he formatted the entire thing and even changed the router (because some malicious viruses can integrate there too and spread), and in the end, the worm was installed in the wireless mouse's USB.
It sounds insane and rare, but it can happen. People would look anywhere but their mouse's USB for a virus.
So, if you fall victim to something equally rare and advanced, it would only be a matter of time before your MetaMask is wiped clean.
I mean, what would you do if you woke up only to find your savings had vanished? As for me, I'd rather not wake up.
Decentralized Hot Wallet
MetaMask is a hot wallet because it is essentially always connected to the internet. While that makes it easy to execute trades faster, being connected to the internet makes it more vulnerable to attacks than cold wallets.
Just so we're clear, MetaMask, like all crypto wallets, doesn't store cryptocurrencies. Your assets live on the blockchain. Wallets only hold your private keys safely, and it is these keys that allow you to send or receive crypto from other users.
MetaMask comes both as a browser extension and a mobile app, and its decentralized nature makes it the go-to wallet for anyone interacting with Ethereum smart contracts. MetaMask also comes in handy with other networks like Binance Smart Chain and Polygon; it's just that Ethereum is more popular in decentralized finance.
Non-custodial wallets such as MetaMask differ from exchange wallets in that they provide the user with a Secret Recovery Phrase, or seed phrase, which serves as proof of ownership.
Two-factor authentication, or 2FA, which is popular with exchanges, does not work for MetaMask because it's decentralized. In other words, the Secret Recovery Phrase, which controls your assets, is not stored on a centralized server.
MetaMask stores your seed phrase encrypted with your password. This gives a slight edge in that an attacker with full access to your computer would also need to capture your password to unlock the wallet and move your funds.
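As an added illustration (not MetaMask's own code or vault format), this simplified model of a password-protected seed-phrase vault shows why someone who copies the encrypted vault file still needs the password, and why the password's strength is then the only thing left protecting the phrase: the password is stretched with PBKDF2 before use, and a wrong password yields nothing rather than a garbled phrase. The phrase is the public BIP39 test mnemonic, and the cipher construction is a toy one chosen to keep the example within the Python standard library.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed, simplified vault model (illustrative only; NOT MetaMask's real
# vault format). The password is stretched with PBKDF2-HMAC-SHA256 into an
# encryption key and a MAC key; the phrase is XORed with an HMAC-based
# keystream and the whole record is authenticated, so a wrong password is
# detected instead of silently producing a wrong phrase.
ITERATIONS = 600_000  # KDF cost: each offline guess costs this many hashes

# Public BIP39 test mnemonic, used here as constructed sample input only.
TEST_PHRASE = "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"


def _derive_keys(password: str, salt: bytes, iterations: int) -> Tuple[bytes, bytes]:
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=64)
    return km[:32], km[32:]  # (encryption key, MAC key)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy CTR-style PRF: HMAC(key, nonce || counter) blocks concatenated.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(seed_phrase: str, password: str, iterations: int = ITERATIONS) -> dict:
    salt, nonce = os.urandom(16), os.urandom(16)  # fresh per vault, stored in the clear
    enc_key, mac_key = _derive_keys(password, salt, iterations)
    data = seed_phrase.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "iterations": iterations, "ct": ct, "tag": tag}


def decrypt_vault(vault: dict, password: str) -> Optional[str]:
    """Return the seed phrase, or None if the password is wrong or the vault was altered."""
    enc_key, mac_key = _derive_keys(password, vault["salt"], vault["iterations"])
    expected = hmac.new(mac_key, vault["salt"] + vault["nonce"] + vault["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, vault["tag"]):
        return None  # authentication failed: reveal nothing
    ks = _keystream(enc_key, vault["nonce"], len(vault["ct"]))
    return bytes(a ^ b for a, b in zip(vault["ct"], ks)).decode()
```

The vault record on disk contains only salt, nonce, ciphertext and tag; everything an attacker who copies it can do is guess passwords, and each guess costs a full PBKDF2 run, which is exactly why a short or common password undoes the protection.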
I Was Hacked
To begin with, MetaMask is not as secure as you may think. It's a hot wallet, after all.
Sometimes people claim they've been hacked with no idea how, but it could be that they were socially manipulated into approving a transaction to a scammer.
Another possible mistake is leaking the seed phrase online, either by taking a picture of it or by placing it in front of the camera of a compromised computer.
It's also likely that some users set a weak password to secure MetaMask, an easy pass for a hacker because the wallet's private key is encrypted with the password.
Or it could be this:
Disclaimer: This is just a tentative opinion, zero proof, until a better explanation comes about.
Your seed phrase is stored in your browser's data folder. I believe there's some sort of malware that's harvesting the seed phrase from the browser data folder, and is also running a keylogger to harvest the password. Pretty much every one of these unfortunate victims had been using the Chrome extension, so I believe that's where the issue is. This is happening way too often lately, and more with MetaMask than any other it seems. ~ Bggnslngr
Parting Shot
It's pretty obvious that hot wallets like MetaMask are in some way insecure. This is because when your machine is on the internet, it could be accessed remotely and the keys could be stolen.
To mitigate the risk, store only what you can afford to lose on MetaMask.
MetaMask itself recommends getting a hardware wallet once you hold enough funds that you would fret about losing them.
After transacting with MetaMask, it's wise to transfer that value back to a cold wallet in order to eliminate the risk involved.
At this stage, it also sounds like a great idea to use a separate computer for crypto trading, as hackers seem to mainly target people who use their computer for everything.
Setting aside a separate laptop for crypto will save you a lot of trouble, and you have to ensure it stays that way. Nothing should be installed in the web browser of that PC other than MetaMask. You also have to do due diligence on any contracts you sign and interact with, especially if these contracts involve a large amount of your funds.
Additionally, the permissionless nature of blockchains means anyone can upload contracts.
With this in mind, it's imperative to approach the blockchain world like the real world. Just as in the real world, you have to make sure the agreement, or the smart contract, is not a bad deal or an outright scam.
Stay safe out there.
Disclaimer
This post is for informational purposes only and should not be taken as financial advice. Any purchase of financial products should be done at your own discretion.
Credits
pyh00ma, Bbtorz65, archeactive, excelance, Sarah Holt, hober-mallow-1337, Bggnslngr.