Part II of III: How MetaMask Staking Really Works

DataFinnovation - ChainArgos - 4AC
ChainArgos
Published in
7 min readJul 15, 2024
“Ok, but where does the meat go?”

As a follow-up to our piece revealing How MetaMask Swap Really Works we now take a look at how MetaMask Staking really works.

Both MetaMask Swap and MetaMask Staking are cited in the same SEC complaint and again we are going to see how Consensys Software’s claims that MetaMask Staking is just a non-custodial software interface is false.

Each of the smart contracts we are going to examine work slightly differently, but in all cases reviewed, control over the process, tokens and fees flows through MetaMask-team-controlled addresses or contracts.

While the exact nature and instruments of control come in various flavors, from the perspective of a non-technical reader, they essentially operate in the same way.

The MetaMask Contracts

We can see the addresses of a range of MetaMask contracts on Github.

One of those addresses is the Swaps contract we previously discussed.

Here we will look at 5 others:

  1. Validator Staking at 0xDc71aFFC862fceB6aD32BE58E098423A7727bEbd
  2. Pooled Staking at 0x4FEF9D741011476750A243aC70b9789a63dd47Df
  3. 3rd Party Staking at 0x1f6692E78dDE07FF8da75769B6d7c716215bC7D0
  4. Pooled Staking V1 at 0xc7bE520a13dC023A1b34C03F4Abdab8A43653F7B
  5. Meta Bridge at 0x0439e60F02a8900a951603950d8D4527f400C3f1

The bridge is not strictly speaking part of Metamask Staking but we are already here and it has the same issues and implications as the other contracts and so for completeness, is included.

Validator Staking

Metmask Staking is built atop kiln.fi. and there is even an announcement to that effect.

MetaMask Staking inherits a lot of functionality from kiln, including the following functions:

  • addOperator / activateOperator / deactivateOperator
  • addValidators / removeValidators
  • setDepositsStopped — this can pause and unpause deposits
  • setGlobalFee
  • setOperatorAddress
  • setOperatorFee
  • setOperatorLimit
  • setTreasury
  • setWithdrawer

These functions can only be called by a designated admin address and generally the names of each of these functions provide a good description of the role they serve.

Whoever controls the admin address can do pretty much whatever they want with this specific flavor of staking.

0x5Bc5ec5130f66f13d5C21ac6811A7e624ED3C7c6 is the admin address. That is a GnosisSafe and one of the owners of that Safe— 0x24fcb — bridged MATIC tokens to Polygon for an address we previously identified as the MetaMask team:

0x24fcb is an owner of the admin GnosisSafe. 0x74d is the MetaMask Swaps spender contract.

That, alongside the address being the admin-owner of this staking contract, strongly suggests the MetaMask team exercises a high degree of control over this contract and it is not merely some immutable protocol.

And we have more.

This staking contract has a getOperator function.

The getOperator here works in much the same way as the adapters we discussed previously.

If we use the getOperator function we get back:

  • Operator: 0xf2F7C2CeF6dA4EfE800746762132dcfF2C56a2BC
  • Fee Recipient: 0x5Bc5ec5130f66f13d5C21ac6811A7e624ED3C7c6

The Operator is an upgradeable proxy contract — indicating none of this is immutable at all.

And the Fee Recipient is widely tagged as “Consensys: Oracle DAO Rewards.”

As we will see this is the same fee recipient for other flavors of staking and the Oracle DAO has a number of separate issues.

All those administrative and upgrade functions make clear this is a system operated by the Metmask team rather than some immutable software interface.

Pooled Staking

This is a different style of staking announced here.

The contract is an EIP-1967 upgradeable proxy contract, indicating nothing about it is immutable.

And if the operation of pooled staking wasn’t centralized enough, it currently has the following functions:

  • updateBlocklist: the ability to blacklist addresses
  • ejectUser
  • setBlocklistManager
  • setFeeRecipient
  • setKeysManager

These functions generally do what they say they do on the label, indicating the contract owner has extensive control beyond just the upgrade functions.

And the fee recipient is shared as that same “Consensys: Oracle DAO Rewards” address above.

All these functions come from StakeWise.

MetaMask Swaps also uses StakeWise.

As with the validator case, this central control is inherited from the software package Metmask chose to employ.

So let’s take a look at what happens with a sample transaction.

In this transaction 0xcb35cE89907Ba266480F9bef1EAc72aD6291f337 stakes 0.02 ETH.

Here is the code execution:

Notice how the code checks the block list before doing anything, and then look at the state changes from the transaction:

This is pooled staking.

The end-user’s ETH go from their address to the contract at 0x4FEF.

The MetMask team-controlled upgradeable proxy contract takes full control over the ETH before they get staked — that is far more financial intermediary activity than just “writing code.”

Other Flavors of MetaMask Staking

3rd Party

This smart contract is closed source, that is, well, whatever it is it’s not open-source software.

And, as with last time, this smart contract is heavily used.

We can see it generating stETH here.

And a wide range of EOAs calling the function can be seen here.

Presumably those are MetaMask Staking users.

Pooled V1

This was an earlier version of Pooled Staking that was only in use from December 2022 through February 2023.

The contract at 0xc7bE520a13dC023A1b34C03F4Abdab8A43653F7B has an owner.

The owner is 0x27c5706cC6DEED9E0Cb86f1238Cc2FB5C7eb0Bb4 and this address can pause and “unpause” this pooled staking service and withdraw accrued fees.

This earlier and short-lived version of MetMask Staking had less team control than the one in widespread use.

Live and learn, or not, as the case may be.

Oracle DAO

MetaMask Swap is built atop services that use Rocket Pool for staking at least sometimes.

The Oracle DAO is an invite-only governance group for Rocket Pool.

Look at their own documentation:

The Oracle DAO is the group of special Rocket Pool nodes that are responsible for the administrative duties required by the protocol that cannot be achieved by Smart Contracts due to technical limitations. They are essentially the same as normal Rocket Pool nodes; they use the same tools, can be configured with the same methods, and can even run regular minipools, but they come with supplemental tasks that they perform.

and later:

Unlike normal Rocket Pool nodes, which can be created and run permissionlessly by anyone, membership in the Oracle DAO is invite only by existing members. If you have recently been invited to join the Oracle DAO, this section of the guide will help you understand your role, get your node set up, and ensure that it stays healthy.

What is being described by Oracle DAO itself, is clearly a permissioned, centralized system.

We will have more to say about that separately, but it is quite clear MetaMask Staking is a lot more than just an open source software interface.

Fees

The fees flow into 0x5Bc5ec5130f66f13d5C21ac6811A7e624ED3C7c6.

This address trades the fees for USDC and deposits them to a centralized service.

This fees address is itself a 3-of-5 multisig wallet.

Bridge

The bridge contract at 0x0439e60F02a8900a951603950d8D4527f400C3f1 has both an owner and a spender and is perhaps most similar to Metmask Swap.

Except here the spender is closed source software.

The spender is 0x9A47f3289794E9bbc6a3C571f6D96Ad4E7bAED16.

And here, yet again, is a sample transaction:

This is essentially the same workflow as Metamask Swap.

Again this is financial intermediary activity and not merely “writing code.”

Claims

In Consensys v Gensler Consensys claims:

But MetaMask is simply an interface — like a web browser — that allows digital asset holders to seamlessly interact with the Ethereum network, including all other users and applications participating on the network. MetaMask neither holds customers’ digital assets nor carries out any transaction functions.

The Blockchain Association similarly characterizes the targets of the investigation as “software developers and entrepreneurs.”

And Consensys describes the SEC’s effort to Blockworks as:

The lawsuit didn’t come as a surprise to Consensys, which said that it “fully expected” the SEC to “follow through on its threat to claim our MetaMask software interface must register as a securities broker.”…We are confident in our position that the SEC has not been granted authority to regulate software interfaces like MetaMask.

It is surely true MetaMask is software.

But then again so is Citibank’s website.

What matters is what the software does, who controls it, and how they can control it.

We have documented here that MetaMask Staking is:

  1. Not open-source. Partially closed source is not open-source, yeah.
  2. Centralized, with owner and admin functions for all the critical mappings and “air-traffic-control” work.
  3. In large part upgradeable.

MetaMask Staking is not just some transparent, immutable software interface.

MetaMask Swap is not some passive blob of code users run while retaining control over their own assets — that much is clear.

The SEC’s case should hinge entirely on whether or not staking is a securities-related issue.

Even if these activities in the SEC complaint are not securities-related they might still be money-transmitter-related.

Because if ETH and ETH staking are not securities-related activities they’ll still be transfer-of-value activities.

Does this sort of centralized custodial control count as a Money Services Business under US law?

That is surely a good question, and one that ought to be decided by a jury.

--

--