
    Trader’s Lesson: Why You Shouldn’t Keep Large Amounts of Crypto in MetaMask

    Abstract: While most of the crypto world was enjoying new all-time highs this past weekend, popular crypto trader under the Twitter pseudonym notsofast went through a personal crypto nightmare as his Metamask hot wallet was compromised in a security breach. Even though the trader reacted quickly and spent twelve hours dealing with the attack, the thieves still managed to snatch more than ETH 46 (USD 74,000), USD 34,000 worth of altcoins, and even his notsofast.eth domain.



      The trader tweeted that he is not sure how the hack happened, but a potential attack vector was MetaMask's feature of storing the wallet's private key in the browser's cache, which is accessible to any open tab.

      The trader refused any donations and compensation funds from the community and urged everyone to get a password manager and a hardware wallet.


      He also stressed the importance of account segregation, saying that traders should create a new browser profile for each Web 3.0 wallet type they use and run nothing else in those profiles. Ideally, one should use a separate computer or device for crypto transactions and nothing else, he said in a tweet.

      Developer and consultant Udi Wertheimer also weighed in, warning that if you use the Metamask browser extension, it is probably the weakest link in your security plan. He added:

      “If you MUST use it, buy a Chromebook and a hardware wallet and use them STRICTLY for Metamask.”

      According to him, while a Chromebook limits what can be installed on one's computer, it still allows the installation of potentially malicious browser plugins, so one must beware of installing them.

      Wertheimer explained that even if you use a hardware wallet for interacting with Metamask, it is still a high-risk operation because of the way it handles approvals. As such, the best way to avoid issues in the future is to limit the amount of funds kept in hot wallets and compartmentalize accounts to limit the damage from exploits. He added:

       “For most people, it's probably safer to use a mobile phone ETH wallet instead of a clean laptop + hardware wallet combo. This is far from perfect too but it's not as ridiculously weak as the Metamask browser extension is.”
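The approval risk Wertheimer points to is easiest to see in the on-chain allowances a hot wallet has already granted: every ERC-20 approval lets a spender contract move tokens without a further signature, and "unlimited" approvals stay in force until revoked. The following Python is an added example, not code from the article, from notsofast, or from MetaMask. It replays ERC-20 `Approval` event logs for one owner, keeps only the allowances still in force, and flags the unlimited ones so the user knows which approvals to revoke or which funds to move. The event topic is the standard ERC-20 `Approval(address,address,uint256)` signature hash; the log entries, addresses and amounts are constructed for the illustration.

```python
# Added example (not from the article or MetaMask): audit the ERC-20
# allowances a wallet has granted, from raw event logs, and flag unlimited ones.
from dataclasses import dataclass

# keccak256("Approval(address,address,uint256)"): the standard ERC-20 Approval topic.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UINT256_MAX = 2**256 - 1


def _topic_to_address(topic: str) -> str:
    """An indexed address is left-padded to 32 bytes; the low 20 bytes are the address."""
    return "0x" + topic[-40:].lower()


@dataclass
class Allowance:
    token: str
    spender: str
    amount: int

    @property
    def unlimited(self) -> bool:
        # Wallet UIs commonly approve uint256 max; anything of that order is
        # effectively unlimited for a hot wallet's balance.
        return self.amount >= 2**255


def active_allowances(logs, owner):
    """Replay Approval logs in chain order and return the allowances still in force.

    Each Approval overwrites the previous amount for the same (token, spender);
    an approval of 0 is a revocation and drops that pair entirely.
    """
    owner = owner.lower()
    current = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval event
        if _topic_to_address(topics[1]) != owner:
            continue  # approval granted by someone else
        key = (log["address"].lower(), _topic_to_address(topics[2]))
        amount = int(log["data"], 16)
        if amount == 0:
            current.pop(key, None)
        else:
            current[key] = Allowance(key[0], key[1], amount)
    return sorted(current.values(), key=lambda a: (a.token, a.spender))


def risky_allowances(logs, owner):
    """Only the allowances a draining contract could use to empty the wallet."""
    return [a for a in active_allowances(logs, owner) if a.unlimited]


# Constructed sample data: owner, tokens, spenders and amounts are made up.
OWNER = "0x1111111111111111111111111111111111111111"
TOKEN_A = "0x2222222222222222222222222222222222222222"
TOKEN_B = "0x3333333333333333333333333333333333333333"
SPENDER_A = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
SPENDER_B = "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
OTHER_OWNER = "0x9999999999999999999999999999999999999999"


def _pad(addr: str) -> str:
    return "0x" + addr[2:].rjust(64, "0")


def _word(value: int) -> str:
    return "0x" + format(value, "064x")


SAMPLE_LOGS = [
    # Block 100: owner grants SPENDER_A an unlimited allowance on TOKEN_A.
    {"blockNumber": 100, "logIndex": 0, "address": TOKEN_A,
     "topics": [APPROVAL_TOPIC, _pad(OWNER), _pad(SPENDER_A)], "data": _word(UINT256_MAX)},
    # Block 101: owner grants SPENDER_B a bounded allowance on TOKEN_B.
    {"blockNumber": 101, "logIndex": 0, "address": TOKEN_B,
     "topics": [APPROVAL_TOPIC, _pad(OWNER), _pad(SPENDER_B)], "data": _word(1000)},
    # Block 102: owner revokes SPENDER_B on TOKEN_B (approval of 0).
    {"blockNumber": 102, "logIndex": 0, "address": TOKEN_B,
     "topics": [APPROVAL_TOPIC, _pad(OWNER), _pad(SPENDER_B)], "data": _word(0)},
    # Block 103: an unrelated owner's approval, which must be ignored.
    {"blockNumber": 103, "logIndex": 0, "address": TOKEN_A,
     "topics": [APPROVAL_TOPIC, _pad(OTHER_OWNER), _pad(SPENDER_B)], "data": _word(UINT256_MAX)},
]

if __name__ == "__main__":
    for a in active_allowances(SAMPLE_LOGS, OWNER):
        flag = "UNLIMITED" if a.unlimited else str(a.amount)
        print(f"token {a.token} spender {a.spender}: {flag}")
```

In practice the `logs` list would come from an `eth_getLogs` query filtered on the Approval topic and the owner address; the replay logic is the same. The output is the checklist for the compartmentalization the article recommends: revoke the unlimited allowances (a fresh approval of 0) or keep the balance on that token small enough that an approved contract cannot drain anything worth stealing.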