Unmasking MetaMask

Freight Trust
4 min read · Feb 16, 2021


Exploiting and profiting made easy

MetaMask is by far the worst service to use for trading. In this article we go step by step through how you are being taken for a sucker, how MetaMask places its commercial success above end-user safety, and how it invades your privacy and exposes you to risk unnecessarily.

Switch to a different wallet provider if you can. Nifty, Argent, etc. are all good wallets. Don't be abused by your wallet provider.

Disclaimer: I own no tokens in any of these protocols.

Get rekt fees

How much is too much of a fee?

“A service fee of 0.875% is automatically factored into each quote, which supports ongoing development to make MetaMask even better.”

If you're using MetaMask Swap, you pay this on top of the existing 0.3% Uniswap pool fee, for an effective fee of at least 1.175% per trade.

“The MetaSwap software currently aggregates information from Uniswap, AirSwap, 0x API, 1inch.exchange, Paraswap, Totle,” — @danfinlay https://link.medium.com/jFQc2UWQMdb

1inch does what MetaSwap claims to do, but settles at a better rate, without a ludicrous 1.5x gas multiplier on transactions, and without charging you MetaMask's 0.875% service fee on top of the protocol fee.

Just use 1inch: no fees besides those that the underlying protocol charges.

Shady ‘Blacklisting’ practices

Although it is mentioned in their official FAQ only as an afterthought, MetaMask maintains an updated list of permanently banned websites, which you must dig through their repo to find. Here is a link to the extracted 'white list' / 'black list'.

Closed source MetaSwap contract

Sure, ConsenSys Diligence may have done an audit, but without seeing the source code, who can know how well the codebase was covered? One example is the fee adapter and how it may currently be implemented. To quote the audit,

“Fee collection — FeeCommonAdapter and FeeWethAdapter are fee-collecting versions of the original CommonAdapter and WethAdapter. They support an extra parameter fee, indicating the quantity of the from asset to be sent to a fee wallet.” … “Token balances will not decrease without an explicit transfer. The contract makes the assumption that it can always compute the total received tokens by adding tokenBalance(token) and _totalWithdrawn[token]. This is not the case if the token balance can be manipulated externally.”

If you have read the Uniswap audit, you know that tokens that charge a fee on transfer can cause problems: the amount that arrives is less than the amount transferred, which breaks exactly the balance-accounting assumption quoted above. Without knowing how MetaSwap currently mitigates this (possibly in the adapter, but that is, after all, an assumption), it can potentially expose end users to loss of funds. In fact, no mention of remediation of the concerns raised in the Diligence audit can be found.
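To make the audit's concern concrete, here is an added toy model (not MetaSwap's code, and not a claim about what the deployed contract does) of the accounting assumption it describes. A constructed fee-on-transfer token delivers less than the nominal amount, so a vault that credits depositors with the nominal amount ends up owing more than it holds; the hardened variant credits only the measured balance delta. Token names, fee rate and amounts are made up for the example.

```python
"""Toy model of the balance-accounting assumption quoted from the audit.

Added example, not MetaSwap's code. A fee-on-transfer token delivers less
than the nominal amount, so a contract that credits users with the nominal
amount ends up owing more than it holds. Names, fee rate and amounts are
constructed for illustration.
"""
from __future__ import annotations


class FeeOnTransferToken:
    """Minimal ERC-20-like ledger that burns fee_bps basis points on every transfer."""

    def __init__(self, fee_bps: int):
        self.fee_bps = fee_bps
        self.balances: dict[str, int] = {}

    def mint(self, who: str, amount: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + amount

    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)

    def transfer(self, sender: str, to: str, amount: int) -> int:
        """Debit the full amount, credit amount minus fee; return what actually arrived."""
        if self.balance_of(sender) < amount:
            raise ValueError(f"{sender} has insufficient balance")
        fee = amount * self.fee_bps // 10_000
        self.balances[sender] -= amount
        self.balances[to] = self.balance_of(to) + amount - fee
        return amount - fee


class NaiveVault:
    """Credits the depositor with the nominal amount: assumes received == transferred."""

    def __init__(self, token: FeeOnTransferToken, address: str):
        self.token, self.address = token, address
        self.credits: dict[str, int] = {}

    def deposit(self, user: str, amount: int) -> None:
        self.token.transfer(user, self.address, amount)
        # Wrong for fee-on-transfer tokens: the vault received less than `amount`.
        self.credits[user] = self.credits.get(user, 0) + amount


class HardenedVault(NaiveVault):
    """Credits only the measured balance delta, so a fee token cannot inflate liabilities."""

    def deposit(self, user: str, amount: int) -> None:
        before = self.token.balance_of(self.address)
        self.token.transfer(user, self.address, amount)
        received = self.token.balance_of(self.address) - before
        self.credits[user] = self.credits.get(user, 0) + received


def run_scenario(vault_cls, fee_bps: int = 100) -> tuple[int, int]:
    """Two users deposit 1000 tokens each; return (credited liabilities, tokens actually held).

    Any gap between the two is a shortfall that lands on whoever withdraws last.
    """
    token = FeeOnTransferToken(fee_bps)
    token.mint("alice", 1000)
    token.mint("bob", 1000)
    vault = vault_cls(token, "vault")
    vault.deposit("alice", 1000)
    vault.deposit("bob", 1000)
    return sum(vault.credits.values()), token.balance_of("vault")


if __name__ == "__main__":
    for cls in (NaiveVault, HardenedVault):
        owed, held = run_scenario(cls)
        print(f"{cls.__name__}: owes {owed}, holds {held}, shortfall {owed - held}")
```

With a 1% fee token the naive vault owes 2000 but holds 1980; the hardened vault owes exactly what it holds. The same before/after balance measurement is the standard mitigation for deposits, and withdrawals need the mirror-image check (the user receives less than the debited amount).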

All your trades are stored in their backend, in plaintext.

Needless to say, this opens end users up to targeted phishing attacks, since an attacker would know that a given address belongs to a MetaMask user. Here is an example of a wallet trade query; no authentication is needed to read it:

https://api.metaswap.codefi.network/trades?destinationToken=0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48&sourceToken=0xdac17f958d2ee523a2206206994597c13d831ec7&sourceAmount=2786506048&slippage=2&timeout=10000&walletAddress=0x9715d5f59010f560c37d160d90272522f706ac74

Gas pricing has zero documentation or visibility into how it is calculated

The endpoint is located here:

https://api.metaswap.codefi.network/gasPrices

These numbers differ from those reported by gasnow.org or https://ethgasstation.info/

Again, another feature of their offering that has zero documentation.

Decompiling into a potential source code base

The decompiled codebase looks remarkably similar to Totle's contracts when you decompile both and examine them side by side. In fact, if we look back at the audit and see when the second assessment was done (October 2020), we find that a feature was added for CHI (1inch's improved GasToken):

“Support for the CHI gas token — This allows users to offset their gas costs by burning gas tokens. These tokens can come from the user or from tokens that are owned by the MetaSwap contract itself.” (source: audit)

Looking at the Totle contracts, we can see that such a feature was added between the first and second audits, the first audit having occurred in either July or August (the PDF for the audit is named metaswap-audit-2020-07.pdf).

In fact, their FeeDistributor works much like Totle's PartnerRegistry.

Intrusive tracking and no opt-out from updates:

See the following specific commits; these apply to both the MetaMask extension and the MetaMask Beta Snap version:

metametrics option tracking (segment)

disabling console access: a particularly egregious and disingenuous FAQ leads users to believe that you cannot opt out of auto-updates. In fact, you can. The link they provide goes to a Chrome Apps article, but MetaMask is not categorized as a Chrome App, and Chrome Apps were discontinued years ago. See this StackExchange post, or the GitHub repo associated with this article, for how macOS users can disable auto-updates.

The auto update feature is discussed in their FAQ

Tracking every broken website that users access through web3. I see no point in this feature; how does it help users?

Banned websites (referenced earlier in this article)

Most of all: they think you are an idiot

Add new license (#9282)

To ensure the longevity of the services we have been providing to the
world, we feel that it is time that we establish some defensibility for
our work from large commercial forks.
This license preserves free usage for any non-commercial use or any use
under 10k monthly active users.

Change of license: posted August 20th.

First ConsenSys Diligence audit: August 10th.

Reference GitHub Repo:

https://github.com/sambacha/metamask-decloak

Reference: MetaSwap

  • the main contract: 0x74de5d4FCbf63E00296fd95d33236B9794016631
  • "similar" contract logic / bytecodes:
    0xdD660eB603178c51b2468A2D87de45b381CCce5c
    0x1484c7B542c9aCE15374e5EdC7658BeB06338AAe
    0x58b919f7421Be2980AC2eE08E06467c8A444Ab4C
    0xd30752757252A1e056E45cabAfc435Ea8Be48399
    0xF348f458A7d3a312be6f4d60667e77F0F0b73f0B
    0x8E0278F9CC8162B22e43811Bc941c3Db5e41b4a3
