Seed Phrase Issue Bounty Awarded

As we announced in a previous blog post, a small fraction of users reported that the seed phrases they backed up from MetaMask did not restore the accounts they were given. Users should back up their seed phrases immediately, even if they think they already did, by following this guide.

In response to user reports, we began internal diligence on the problem, ultimately deciding to issue a public bug bounty with a gradually increasing reward until a possible cause and fix for the issue were found. We were grateful to see extensive community participation in the bounty. In particular, an important observation by Chris Cassano led to a full reproduction example by Mike Seese.

Although the unique issue that caused the seed phrase problem appears to be uncommon, we are offering a continuous bounty for similar bugs in the future. We want to always encourage community scrutiny of our code.

The Bug

Prior to the bug fix, MetaMask’s Create Vault function could be invoked more than once and would create a new vault on each invocation. Under normal processing conditions, creation completed quickly and the seed phrase displayed belonged to the most recently created vault. However, on a machine with abnormally slow processing, if a user triggered Create Vault multiple times and then viewed the seed phrase, it was possible, though unlikely, that the user was shown the seed phrase from one of their earlier Create Vault attempts. This apparently occurred because the older seed phrase was displayed before the more recent vault-creation attempts had resolved, the slow processing having delayed their completion.

To fix this bug, we’re pushing an update to MetaMask that adds a lock to the Create Vault process, so that creation attempts are processed in a well-defined order even under abnormally low processing power. The fix ensures at multiple layers that only a single seed phrase will be created for a first-time user.
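The following is an added illustration of the race described above and of the lock that closes it; it is a constructed model, not MetaMask’s code. It assumes a simplified keyring in which seed generation is immediate while key derivation and persisting the vault are deferred to a "slow worker" whose completion the scenario controls, standing in for a starved CPU.

```javascript
// Constructed model of the Create Vault race; an added illustration, not
// MetaMask's code. Seed generation is immediate, while deriving keys and
// persisting the vault are deferred to a "slow worker" whose completion the
// scenario controls, standing in for a machine with very little CPU to spare.

function makeSlowWorker() {
  const pending = [];
  return {
    defer(task) { pending.push(task); },
    finishOne() { const task = pending.shift(); if (task) task(); },
    finishAll() { while (pending.length > 0) this.finishOne(); },
  };
}

// withLock=false: every click starts a fresh vault (the bug).
// withLock=true: a second click is refused while one is in flight, and
// refused again once a vault exists, so a first-time user gets one seed.
function makeKeyring(worker, withLock) {
  let count = 0;
  let inFlight = false;
  const vault = { seed: null };
  return {
    createVault() {
      if (withLock && (inFlight || vault.seed !== null)) return false;
      inFlight = true;
      count += 1;
      const seed = `seed-${count}`;
      worker.defer(() => { vault.seed = seed; inFlight = false; }); // slow step
      return true;
    },
    // Shows whatever vault has finished so far, which may be an older one.
    viewSeedPhrase() { return vault.seed; },
  };
}

// The sequence from the post: the first attempt finishes, the user clicks
// Create Vault again on a slow machine, then reads the seed before that
// second attempt lands. The seed backed up and the seed stored can differ.
function runScenario(withLock) {
  const worker = makeSlowWorker();
  const keyring = makeKeyring(worker, withLock);
  keyring.createVault();
  worker.finishOne();                          // vault 1 persisted
  const secondStarted = keyring.createVault(); // second click
  const shown = keyring.viewSeedPhrase();      // what the user backs up
  worker.finishAll();                          // pending work completes
  return { secondStarted, shown, stored: keyring.viewSeedPhrase() };
}
```

Without the lock the user backs up `seed-1` while the vault that survives holds `seed-2`, which is exactly a backup that fails to restore the accounts it was given for.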

The Award

Since the bounty was for reproduction steps leading to a fix, the full bounty award will be going to Mike Seese. Congratulations Mike, and thanks for your help!

Because Chris Cassano made an important observation, we’re also going to give him a smaller thank-you prize.

Conclusion

For our users, if you haven’t yet, please immediately back up your seed phrase again, even if you’ve already done so. We are releasing a fix for this issue today, so new users should not be vulnerable to this particular problem.

MetaMask is a free open source software project under the MIT Sharealike License, but we care deeply about our users and our community and are never pleased to see bugs like this arise. We hope that you have found our response to these issues appropriate, but as always, please be cautious with your assets and do not use MetaMask, which remains experimental open source software, to store or transfer more assets than you are willing to lose.

We wish you all the best luck in the decentralized web. Please be careful, and always err on the side of backing up your accounts too much.