Trader’s Lesson: Why You Shouldn’t Keep Large Amounts of Crypto in MetaMask
While most of the crypto world was enjoying new all-time highs this past weekend, popular crypto trader under the Twitter pseudonym notsofast went through a personal crypto nightmare as his Metamask hot wallet was compromised in a security breach. Even though the trader reacted quickly and spent twelve hours dealing with the attack, the thieves still managed to snatch more than ETH 46 (USD 74,000), USD 34,000 worth of altcoins, and even his notsofast.eth domain. (Updated on February 28, 05:41 UTC, with a comment from MetaMask.)
Well, shit. My metamask was compromised. They even got my notsofast.eth domain. Managed to rescue some stuff, busy securing things in general.— notsofast (@notsofast) February 21, 2021
They're holding everything they got in this account like a trophy☹️https://t.co/x4xmaJd8UX
The trader tweeted that he is not sure how the hack happened but a potential attack vector was MetaMask’s feature of storing the wallet’s private key in the browser’s cache, which is accessible to any open tab.
"While MetaMask does provide an API to every tab of your browser, its primary service is in keeping control of your accounts away from those sites, and ensuring they can only request transactions from the user," MetaMask stressed.
The trader refused any donations and compensation funds from the community and urged everyone to get a password manager and a hardware wallet.
The community can:— notsofast (@notsofast) February 21, 2021
Learn from my mistake! Get good at opsec with this stuff. Don't get lazy like I did here.
Anything you were thinking of giving me, spend on a hardware wallet or password manager for yourself or a loved one. https://t.co/IsSaYZLmz3
He also stressed the importance of account segregation, saying that traders should create new browser profiles for each WEB 3.0 wallet type they use, and run nothing else in those accounts. Ideally, one should use a separate computer or device that is used for crypto transactions and nothing else, he said in a tweet.
Developer and consultant Udi Wertheimer also weighed in, warning that “if you use the Metamask browser extension, it is probably the weakest link in your security plan.’’ He added:
"If you MUST use it, buy a Chromebook and a hardware wallet and use them STRICTLY for Metamask."
According to him, while a Chromebook limits what can be installed on one’s computer, it still allows installation for potentially malicious browser plugins, so one must beware of installing them.
Wertheimer explained that even if you use a hardware wallet for interacting with Metamask, it is still a high-risk operation because of the way it handles approvals. As such, the best way to avoid issues in the future is to limit the amount of funds kept in hot wallets and compartmentalize accounts to limit the damage from exploits. He added:
"For most people, it’s probably safer to use a mobile phone ETH wallet instead of a clean laptop + hardware wallet combo. This is far from perfect too but it’s not as ridiculously weak as the Metamask browser extension is."
- Metamask Amasses 1M Active Monthly Users & Enters Altcoin Swaping Market
- Security in 2021: More Threats Against DeFi and Individual Users
- Attacked Blockfolio To Spend Up To USD 10M on Fixing Damage
- Solana Founder On Critical DeFi Challenges and How To Fix Them
- Ledger Promises Funds Insurance As Client Data Leak Expands
- Teaching True Story: Trader Robbed of Nearly USD Half Million in Bitcoin