
How to Secure your MetaMask


There has been a significant increase in MetaMask hacks where users receive ETH and then it is forwarded to another account, not in possession of that user. Please gather and create an original guide to make sure that one's MetaMask is secure.


Metamask is an Ethereum wallet that is used as a Chrome extension. Through this, web pages are able to give a user access to interact with the Ethereum network through the web3 library. This library opens up possibilities for websites and applications that will easily allow the end user to sign smart contracts and send ether, among other things.

But this comes with a catch. As a Chrome extension, the Metamask wallet lacks proper security, and attackers can easily take control of your account, either through phishing attacks or other malware. If the Metamask extension is enabled, all the tabs that you have open will be able to know that you have a Metamask wallet (even when it is locked). Attackers can then take steps to seize your account, and your password/private keys and your funds can end up compromised.

So how do we prevent this?

  1. First off, it’s a good idea to keep the extension disabled at all times whenever it’s not explicitly necessary. Even a locked instance of Metamask is detectable, so disabling it as an extension completely will prevent any attacker from reading your information or possibly breaching security and taking over your account.

  2. Secondly, make sure you have no other (malicious) websites open when you decide to use Metamask. It’s also good practice to log right out after you do what you need to do, by clicking the three strips on the top right and choosing ‘Log Out’. If there is any malware on your computer, it will not be able to control your Metamask (unless it caught your password).

  3. Third, you should never keep any large amounts in your Metamask wallet. Even with taking proper security precautions, your account can still be seized and it is a wise idea to save your money on a more secure wallet, i.e. a MEW wallet, or a cold/paper wallet. A hardware wallet could also do the trick, such as a Trezor or Nano Ledger.

  4. And of course, as is mandatory with any cryptocurrency wallet: keep your private keys and/or mnemonic on a physical piece of paper, and not stored on any digital device. Be sure to keep the paper in a secure place.

There is little we can do for our own security until the Metamask team upgrades their application security, but we can definitely take measures to lessen the likelihood of an attack.

Hope that works :) and here’s my address: 0x75AcD4CeC00bE7160b5d20378608a3DA3Cc816e8


Hi, the guide is excellent, but practice is better …

MetaMask FAQ

Here are the possible vectors of attack -

Practice - An independent project that interactively demonstrates this attack vector, along with an extended look at MetaMask’s attack surface, for all MetaMask users -

I urge every MetaMask user to study this project.
Before doing what is described, create a purse for one-time use (this is for those who are afraid that the EthWalletSecurity site will steal something). These attacks can happen to both unlocked and locked MetaMask accounts.



New Phishing Strategy Becoming Common


@jules Congratulations you’ve been rewarded for 1st place!
@tissor Congratulations you’ve been rewarded for 2nd place!