Exploiting and profiting made easy
MetaMask is by far the worst service to use for trading. In this article we will go step by step to show not only how you are being taken for a sucker, but how they place their commercial success above end-user safety, and actually expose you to potential risks unnecessarily.
Switch to a different wallet provider if you can. Nifty, Argent, etc. are all great wallets. Don’t be abused by your wallet provider.
Disclaimer: I own no tokens in any of these protocols.
Get rekt fees
How much is too much of a fee?
If you’re using MetaMask Swap, you’re paying this on top of the existing 0.3% Uniswap fee, for an effective fee of at least 1.175% per trade.
“The MetaSwap software currently aggregates information from Uniswap, AirSwap, 0x API, 1inch.exchange, Paraswap, Totle,” — @danfinlay https://link.medium.com/jFQc2UWQMdb
1Inch does what MetaSwap claims to do, but offers a better settlement rate, without a ludicrous 1.5x gas multiplier on transactions and without charging a 1.175% fee per trade.
Just use 1Inch: no fees besides those that the underlying protocol charges.
Shady ‘Blacklisting’ practices
While mentioned in their official FAQ as an afterthought, MetaMask keeps an updated list of permanently banned websites, which you must dig through their repo in order to find. Here is a link to the extracted ‘white list’ / ‘black list’.
Closed source MetaSwap contract
Sure, ConsenSys Diligence may have done an audit, but without seeing the source code, who can know how well their codebase was covered? One example is how the currently deployed fee adapter may be implemented. To quote,
“Fee collection — FeeWethAdapter are fee-collecting versions of the original WethAdapter. They support an extra parameter fee, indicating the quantity of the from asset to be sent to a fee wallet.” … “Token balances will not decrease without an explicit transfer. The contract makes the assumption that it can always compute the total received tokens by adding tokenBalance(token) and _totalWithdrawn[token]. This is not the case if the token balance can be manipulated externally.”
If you have read the Uniswap audit, you would know that tokens that charge a fee on transfer can cause issues for exactly this kind of accounting. Without knowing how MetaSwap currently mitigates this (possibly through the adapter, but that is, after all, an assumption), it can potentially expose end users to loss of funds. In fact, no mention of remediation of the concerns expressed in the Diligence audit can be found.
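To make the audited assumption concrete, here is an added simulation (not MetaMask’s or the auditor’s code) of a contract that derives “total received” as balance plus withdrawn, and of what happens when a fee-on-transfer token is deposited. The `Token`, `NaiveVault` and `CheckedVault` classes and the account names are constructed for illustration.

```python
"""Model of the 'total received = balance + withdrawn' accounting assumption."""


class Token:
    """Minimal ERC-20-like ledger. fee_bps > 0 models a fee-on-transfer token (constructed)."""

    def __init__(self, fee_bps=0):
        self.balances, self.fee_bps = {}, fee_bps

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def mint(self, who, amt):
        self.balances[who] = self.balance_of(who) + amt

    def transfer(self, src, dst, amt):
        assert self.balance_of(src) >= amt, "insufficient balance"
        fee = amt * self.fee_bps // 10_000          # burned on transfer, receiver gets less
        self.balances[src] -= amt
        self.balances[dst] = self.balance_of(dst) + (amt - fee)


class NaiveVault:
    """Credits the depositor the nominal amount, trusting that the full amount arrived."""

    def __init__(self, token, addr="vault"):
        self.token, self.addr, self.credits, self.total_withdrawn = token, addr, {}, 0

    def deposit(self, who, amt):
        self.token.transfer(who, self.addr, amt)
        self.credits[who] = self.credits.get(who, 0) + amt

    def withdraw(self, who, amt):
        assert self.credits.get(who, 0) >= amt, "over-withdraw"
        self.credits[who] -= amt
        self.total_withdrawn += amt
        self.token.transfer(self.addr, who, amt)

    def total_received(self):          # the audited assumption: balance + withdrawn
        return self.token.balance_of(self.addr) + self.total_withdrawn

    def solvent(self):                 # every credit can still be paid out
        return sum(self.credits.values()) <= self.token.balance_of(self.addr)


class CheckedVault(NaiveVault):
    """Mitigation: credit only the balance delta actually observed on deposit."""

    def deposit(self, who, amt):
        before = self.token.balance_of(self.addr)
        self.token.transfer(who, self.addr, amt)
        self.credits[who] = self.credits.get(who, 0) + (self.token.balance_of(self.addr) - before)


def run(fee_bps, vault_cls):
    """Deposit 1000 units of a token with the given transfer fee; report credit, received, solvency."""
    token = Token(fee_bps)
    token.mint("alice", 1000)
    vault = vault_cls(token)
    vault.deposit("alice", 1000)
    return vault.credits["alice"], vault.total_received(), vault.solvent()
```

With a 1% fee-on-transfer token, the naive vault credits 1000 while only 990 arrived, so its own `total_received()` no longer matches what it owes; the checked variant credits 990 and stays solvent.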
All your trades are stored in their backend, plaintext.
Needless to say, this opens end users up to targeted phishing attacks (since anyone reading the data would know that the address owner uses MetaMask). Here is an example of a wallet trade, readable with no authentication needed:
Gas pricing has zero documentation or visibility into how it is calculated
The endpoint is located here:
Again, another feature of their offering that has zero documentation.
Decompiling into a potential source code base
The decompiled MetaSwap bytecode looks remarkably similar to Totle’s contracts when the two are examined side by side. In fact, if we look back at the audit and see when the second assessment was done (October 2020), we find that a feature was added for CHI (1Inch’s improved GasToken):
“Support for the CHI gas token — This allows users to offset their gas costs by burning gas tokens. These tokens can come from the user or from tokens that are owned by the MetaSwap contract itself.” source: audit
We can then see, by looking at the Totle contracts, that such a feature was added in between the first and second audits, the first audit occurring in either July or August (the PDF for the audit claims
In fact, their FeeDistributor works similarly to Totle’s.
Intrusive tracking and no opt-out from updates:
See the following specific commits; these apply to both the MetaMask extension and the MetaMask Beta Snap version:
Disabling console access: A particularly egregious and disingenuous FAQ leads users to believe that you can’t opt out of auto-updates. In fact, you can. The link they provide goes to a Chrome Apps article, which MetaMask is not categorized under; Chrome Apps was discontinued years ago. See this StackExchange post, or the GitHub repo associated with it, for how macOS users can disable auto-updates.
Tracking every broken website that users access through web3. I see no point in this feature; how does it help users?
Most of all: They think you are an idiot
Add new license (#9282) · MetaMask/metamask-extension@e4d4c9c
Add new license (#9282)
To ensure the longevity of the services we have been providing to the world, we feel that it is time that we establish some defensibility for our work from large commercial forks. This license preserves free usage for any non-commercial use or any use under 10k monthly active users.
Change of license: posted August 20th.
First ConsenSys Diligence audit: August 10th.
Reference GitHub Repo:
- the main contract
"similar" contract logic / bytecodes: