Unmasking MetaMask

Get rekt fees

How much is too much of a fee?

Shady ‘Blacklisting’ practices

Although their official FAQ mentions it only as an afterthought, MetaMask maintains an updated list of permanently banned websites, and you have to dig through their repo to find it. Here is a link to the extracted ‘white list’ / ‘black list’.

Closed source MetaSwap contract

Sure, ConsenSys Diligence may have done an audit, but without seeing the source code, who can know how much of the codebase the audit actually covered? One example is how the currently deployed fee adaptor may be implemented. To quote,

All your trades are stored in their backend, in plaintext.

Needless to say, this exposes end users to targeted phishing attacks, since anyone who reads this data knows that the wallet owner uses MetaMask and what they traded. Here is an example of a wallet trade; no authentication is needed to read it:

Gas pricing has zero documentation or visibility into how it is calculated

The endpoint is located here:

Decompiling into a potential source code base

The decompiled codebase looks remarkably similar to Totle’s contracts when you decompile both and examine them side by side. In fact, if we look back at the audit and check when the second assessment was done (October 2020), we find that a feature was added for CHI (1Inch’s improved GasToken),
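A claim that two contracts share bytecode is easy to check mechanically rather than by eye. The script below is an added example (mine, not the author's, and not code from MetaMask, Totle or the audit). It assumes solc-style runtime bytecode with a CBOR metadata trailer, masks the immediates of PUSH instructions (selectors, addresses, jump targets), and scores what is left with a Jaccard index over opcode n-grams. All bytecode in it is constructed for the example; to run it against the addresses in the reference list, fetch each contract's runtime code with eth_getCode and pass the bytes in.

```python
"""Opcode-shape comparison of EVM runtime bytecode.

Added example, not code from the article, MetaMask or Totle. Strips the
solc CBOR metadata trailer, masks PUSH immediates and scores the remaining
opcode stream with a Jaccard index over opcode n-grams. Every blob below
is constructed; nothing is fetched from chain.
"""
from __future__ import annotations

from itertools import combinations

PUSH1, PUSH32 = 0x60, 0x7F


def strip_metadata(code: bytes) -> bytes:
    """Drop the CBOR metadata that solc appends to runtime bytecode.

    The last two bytes are a big-endian length; the CBOR map before them
    starts with 0xa1..0xa3 (1-3 keys). Two builds of the same source differ
    here (ipfs hash, compiler version), so it must not count as a difference.
    """
    if len(code) < 2:
        return code
    n = int.from_bytes(code[-2:], "big")
    if 0 < n and n + 2 <= len(code) and code[-(n + 2)] in (0xA1, 0xA2, 0xA3):
        return code[: -(n + 2)]
    return code


def disassemble(code: bytes) -> list[tuple[int, bytes]]:
    """Split bytecode into (opcode, immediate) pairs.

    Only PUSH1..PUSH32 carry immediates (op - 0x5f bytes). A PUSH that runs
    past the end of the code is zero-padded, as the EVM itself does.
    """
    out: list[tuple[int, bytes]] = []
    i = 0
    while i < len(code):
        op = code[i]
        i += 1
        if PUSH1 <= op <= PUSH32:
            width = op - (PUSH1 - 1)
            imm = code[i : i + width]
            imm = imm + b"\x00" * (width - len(imm))
            i += width
        else:
            imm = b""
        out.append((op, imm))
    return out


def opcode_shape(code: bytes) -> list[int]:
    """Opcode stream with metadata removed and PUSH immediates masked."""
    return [op for op, _ in disassemble(strip_metadata(code))]


def ngrams(seq: list[int], n: int) -> set[tuple[int, ...]]:
    return {tuple(seq[i : i + n]) for i in range(len(seq) - n + 1)}


def similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard index of opcode n-grams in [0, 1]; 1.0 means identical shape."""
    ga, gb = ngrams(opcode_shape(a), n), ngrams(opcode_shape(b), n)
    if not ga and not gb:
        return 1.0
    return len(ga & gb) / len(ga | gb)


def compare_many(codes: dict[str, bytes], n: int = 4) -> dict[tuple[str, str], float]:
    """Pairwise scores for a set of labelled runtime blobs."""
    return {(x, y): similarity(codes[x], codes[y], n) for x, y in combinations(codes, 2)}


# --- constructed sample inputs (not real deployed bytecode) ----------------

def _dispatcher(selector: bytes, target: int, seed: int) -> bytes:
    """Minimal solc-style function dispatcher plus a metadata trailer.

    Callers pass different selectors, jump targets and metadata, so the raw
    bytes differ while the opcode shape stays identical.
    """
    body = (
        bytes.fromhex("608060405260043610")      # free-mem ptr, CALLDATASIZE LT
        + bytes([PUSH1, target]) + b"\x57"       # PUSH1 target JUMPI
        + bytes.fromhex("60003560e01c80")        # load selector, DUP1
        + b"\x63" + selector + b"\x14"           # PUSH4 selector EQ
        + bytes([PUSH1, target]) + b"\x57"       # PUSH1 target JUMPI
        + bytes.fromhex("5b600080fd")            # JUMPDEST, fallback REVERT
    )
    ipfs_hash = bytes([0x12, 0x20]) + bytes([seed]) * 32
    meta = (b"\xa2" + b"\x64solc" + b"\x43\x00\x08\x07"
            + b"\x64ipfs" + b"\x58\x22" + ipfs_hash)
    return body + meta + len(meta).to_bytes(2, "big")


SAMPLES = {
    "A": _dispatcher(bytes.fromhex("a9059cbb"), 0x1F, 0x11),
    "B": _dispatcher(bytes.fromhex("095ea7b3"), 0x2C, 0x22),  # same shape, new constants
    "C": bytes.fromhex("3460005260206000f3") * 4,            # unrelated code
}

if __name__ == "__main__":
    for pair, score in compare_many(SAMPLES).items():
        print(pair, f"{score:.2f}")
```

A score of 1.0 between A and B, against 0.0 for the unrelated blob, is the kind of evidence to put next to "looks remarkably similar". Masking immediates is deliberate: a fork that only changes fee recipients or token addresses still shares its opcode shape with the original, which is exactly what a lineage check wants to surface. The trailer check is heuristic, so an unrelated blob whose last bytes happen to look like a CBOR length is left untouched rather than truncated.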

Intrusive tracking and updates with no opt-out:

See the following specific commits; they apply to both the MetaMask extension and the MetaMask Beta Snap version:

Most of all: They think you are an idiot

To ensure the longevity of the services we have been providing to the world, we feel that it is time that we establish some defensibility for our work from large commercial forks.

This license preserves free usage for any non-commercial use or any use under 10k monthly active users.

Reference GitHub Repo:

https://github.com/sambacha/metamask-decloak

Reference: MetaSwap

  • the main contract: 0x74de5d4FCbf63E00296fd95d33236B9794016631
  • contracts with "similar" logic / bytecode:
    0xdD660eB603178c51b2468A2D87de45b381CCce5c
    0x1484c7B542c9aCE15374e5EdC7658BeB06338AAe
    0x58b919f7421Be2980AC2eE08E06467c8A444Ab4C
    0xd30752757252A1e056E45cabAfc435Ea8Be48399
    0xF348f458A7d3a312be6f4d60667e77F0F0b73f0B
    0x8E0278F9CC8162B22e43811Bc941c3Db5e41b4a3
