While most of the crypto world was enjoying new all-time highs this past weekend, popular crypto trader under the Twitter pseudonym notsofast went through a personal crypto nightmare as his Metamask hot wallet was compromised in a security breach. Even though the trader reacted quickly and spent twelve hours dealing with the attack, the thieves still managed to snatch more than ETH 46 (USD 74,000), USD 34,000 worth of altcoins, and even his notsofast.eth domain. (Updated on February 28, 05:41 UTC, with a comment from MetaMask.)
The trader tweeted that he is not sure how the hack happened but a potential attack vector was MetaMask’s feature of storing the wallet’s private key in the browser’s cache, which is accessible to any open tab.
«While MetaMask does provide an API to every tab of your browser, its primary service is in keeping control of your accounts away from those sites, and ensuring they can only request transactions from the user,» MetaMask stressed.
The trader refused any donations and compensation funds from the community and urged everyone to get a password manager and a hardware wallet.
He also stressed the importance of account segregation, saying that traders should create new browser profiles for each WEB 3.0 wallet type they use, and run nothing else in those accounts. Ideally, one should use a separate computer or device that is used for crypto transactions and nothing else, he said in a tweet.
Developer and consultant Udi Wertheimer also weighed in, warning that “if you use the Metamask browser extension, it is probably the weakest link in your security plan.’’ He added:
«If you MUST use it, buy a Chromebook and a hardware wallet and use them STRICTLY for Metamask.»
According to him, while a Chromebook limits what can be installed on one’s computer, it still allows installation for potentially malicious browser plugins, so one must beware of installing them.
Wertheimer explained that even if you use a hardware wallet for interacting with Metamask, it is still a high-risk operation because of the way it handles approvals. As such, the best way to avoid issues in the future is to limit the amount of funds kept in hot wallets and compartmentalize accounts to limit the damage from exploits. He added:
«For most people, it’s probably safer to use a mobile phone ETH wallet instead of a clean laptop + hardware wallet combo. This is far from perfect too but it’s not as ridiculously weak as the Metamask browser extension is.»