MetaMask Sets The Bar for Wallet Security

Em
Least Authority

--

tl;dr MetaMask is rad, check out the report from our recent security audit.

It isn’t often that I’m particularly impressed by software. Writing lots of software will do that to you. It’s interesting to me that over the course of my last decade of software engineering, the strength of this sentiment has maintained a consistent linear increase. I mean, there is a lot of software out there and frankly, most of it sucks.

And this isn’t a reflection of the skill of the authors of software, necessarily, but rather a reflection of how most engineers think. It seems to me that most people simply don’t possess the type of adversarial mindset that is a prerequisite for building secure systems (and I imagine they lead happier lives because of this). Even those of us who have a sort of natural inclination towards designing around “Murphy’s Law” gain the trust of others only to make catastrophic mistakes.

That’s why when you come across a project, expecting to discover the usual class of money-draining, key-stealing, and privacy-breaking issues that plagues cryptocurrency wallets, but instead find a well-documented, highly-modular, and defensively-designed project like MetaMask, it’s worth taking a moment to give credit where credit is due.

In my opinion, one of the things that makes MetaMask so important is how they have broken apart tons of the code into generic packages that can be used by the wider free software community. While this was actually a little concerning during the audit due to the difficulty of tracing some pretty critical code paths through sometimes several dependencies, what we have now is not only a security audit that benefits MetaMask and its users, but one that benefits developers and users around the world using these generic packages in their own projects.

While we didn’t identify any critical vulnerabilities, we did find many areas of improvement to further harden the project. This feedback was received very well and the MetaMask team very promptly incorporated our feedback, which we have verified. You can read the complete final report here for all the details. It’s pleasing to see projects that protect the funds of thousands of users place the kind of importance on security that MetaMask has. I know that the next time someone asks me to recommend a secure Ethereum wallet, MetaMask will be one of my recommendations.
