The Danger in your Browser Wallet

Decentralization isn’t always what it is purported to be, and there could be hidden dangers lurking in your wallet.

A couple of months ago, Joseph Lubin, Founder & CEO of ConsenSys and Co-creator of Ethereum said:

“The Age of Silos and Trusted Third Parties is giving way to the Age of Community and Collaboration enabled by an automated, objective, trust foundation and a decentralized finance ecosystem. The paradigm shift to a world running on decentralized protocols is in full gear.”

Joseph Lubin, Founder & CEO of ConsenSys and Co-creator of Ethereum

This all sounds great, but is a bit misleading, as it represents a vision rather than a reality. ConsenSys are the makers of MetaMask, one of the most popular crypto wallets on the market, with over 21 million users. ConsenSys recently went through another funding round, at a valuation of $3.2 billion.

Let’s look at how decentralized MetaMask itself is.

MetaMask describes itself as “a global community of developers and designers dedicated to making the world a better place with blockchain technology. Our mission is to democratize access to the decentralized web, and through this mission, to transform the internet and world economy to one that empowers individuals through interactions based on consent, privacy, and free association.”

To me, that sounds like thousands of developers all over the world work on their code and scrutinize every change to the nth degree to keep everyone safe.

But that is not the case. A quick look at their source on GitHub reveals that over the last 6 years a total of 269 people contributed to their browser extension (which is the wallet most people use). However, a closer look reveals that nearly all contributions are made by about 20 core people.

Now, I am sure these are 20 brilliant minds, with all the best intentions. And let’s face it – this is pretty specialized stuff, so let’s leave this alone for a moment to address the biggest concern…

The MetaMask browser extension, like so many other browser extensions, depends on a permission that allows it to read and change all data on the websites you visit.

Yes, that technically puts everything you do in the browser at risk, including banking and whatever else you do. And not only on MetaMask’s own websites: everything you do on all websites is available to MetaMask.
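To see what this permission looks like in practice, here is an added example (not MetaMask’s code; the two manifests are constructed samples) that scans an extension’s manifest.json for host match patterns covering every site, which is exactly the access the post is concerned with:

```python
"""Audit a browser extension manifest for broad host access.

Flags match patterns that let an extension read and change data on
every site the user visits. Added example; manifests are constructed.
"""
import json

# Match patterns that cover every origin (Chrome/Firefox syntax).
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def host_patterns(manifest):
    """Collect every host match pattern an extension requests.

    MV2 mixes host patterns into "permissions"; MV3 moves them to
    "host_permissions". Content scripts declare their own "matches".
    """
    patterns = set()
    for key in ("permissions", "optional_permissions",
                "host_permissions", "optional_host_permissions"):
        for entry in manifest.get(key, []):
            # API permissions ("storage", "tabs") contain no "://" or "<".
            if "://" in entry or entry.startswith("<"):
                patterns.add(entry)
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    return patterns


def broad_host_access(manifest):
    """Return the patterns granting access to all sites (empty if none)."""
    return sorted(p for p in host_patterns(manifest) if p in BROAD_PATTERNS)


# Constructed sample: asks for every site, like the wallet extension discussed.
SAMPLE_MANIFEST = json.loads("""
{"manifest_version": 3, "name": "sample-wallet",
 "permissions": ["storage", "activeTab"],
 "host_permissions": ["https://*/*", "http://*/*"],
 "content_scripts": [{"matches": ["<all_urls>"], "js": ["inpage.js"]}]}
""")

# Constructed sample: scoped to one origin, so nothing is flagged.
NARROW_MANIFEST = json.loads("""
{"manifest_version": 3, "name": "scoped-wallet",
 "permissions": ["storage"],
 "host_permissions": ["https://wallet.example.com/*"],
 "content_scripts": [{"matches": ["https://wallet.example.com/*"],
                      "js": ["inpage.js"]}]}
""")

if __name__ == "__main__":
    for name, m in (("sample", SAMPLE_MANIFEST), ("narrow", NARROW_MANIFEST)):
        print(name, "broad host access:", broad_host_access(m) or "none")
```

The same check can be run over the manifest.json unpacked from any installed extension’s directory.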

This problem is not limited to MetaMask; in fact, very many browser extensions share it. Chris Hoffman, Editor-in-Chief at How-To-Geek, has reported on this problem extensively. However, most browser extensions don’t also facilitate more than $10 billion in transactions, as MetaMask has done so far.

Now, as long as everything goes as everyone plans, there is no problem.

The risk you have to assess is whether it is possible, or plausible, that a browser extension like MetaMask becomes a target of a malicious attack.

For example, in 2017, a popular browser extension was hijacked, and used to push out a malicious version of the software, affecting over a million users.

I really have no way of knowing how hardened MetaMask’s defenses are, but that’s where factors like how many people actually contribute and how rigorous the review processes are come into play. The combination of the two factors mentioned above means that the risk of MetaMask and nearly all browser extensions is simply too high for me.

The good news is that they recognize this is a problem, as seen in this RFC.

In the meantime, I am not using MetaMask, but other wallet providers.

What you do, is up to you.
