An extremely casual code review of MetaMask’s crypto

submitted by
Style Pass
2022-01-14 01:30:08

NB: This post describes a very casual code review of a few cryptography functions used by MetaMask. It does not describe any vulnerabilities. If you’re the kind of person who likes a meandering and amateurish code review that goes absolutely nowhere, you’ll enjoy this post. Otherwise you might want to read something more exciting: I suggest Moxie’s post.

For reasons I can’t really explain, the other day I decided that it might be fun to spend an hour or two investigating the cryptography used by MetaMask.

For those who don’t deal with web3 things, MetaMask is a browser-based cryptocurrency wallet that is used to access decentralized applications (dapps) on networks like Ethereum. My interest in MetaMask wasn’t all that serious: I recently invested about $100 into a decentralized finance application, and I wanted to see how safe it really was. Since MetaMask is responsible for storing my private keys, this seemed like a good place to start.

I want to stress that this was an extremely casual code review: I didn’t use any tooling, didn’t even download (most) code to my computer. In fact my “review” mostly involved poking around various GitHub repositories to see if I could find anything that immediately jumped out as incorrect, and failing that, at least could give me a feeling for the quality of MetaMask’s crypto code. (In fact I did about half the work on my phone while eating a burrito bowl at Chipotle.)