MetaMask Security: A Complete Guide On How To Protect Your Wallet From Hackers
If your MetaMask account was hacked right now, how much would you lose? 10 percent of your assets, 20 percent, 30 percent… even more?
Have you thought about that?
In crypto, you are your own bank. But — as Uncle Ben said — with great power comes great responsibility: you protect your money, no one else.
So, how do you guard your cryptocurrencies in the harsh jungle of DeFi and NFTs? With the right MetaMask Security!
That’s why you’ll now learn how to massively increase the security of your coins with a few simple tips. And finally, you’ll get the ultimate safety hacks on how to connect MetaMask to Ledger and even prevent “evil” smart contracts from draining unlimited funds from your wallet.
(Yes, smart contracts can do that and it’s you who grants them permission. Scary, isn’t it?)
But first:
1. How secure is your MetaMask Wallet?
Can my MetaMask wallet be hacked?
This is the question most people ask themselves and the answer is:
Yes, but probably not as you think. MetaMask does not store your private keys on a server but in your browser’s data store. There, they are encrypted by your password.
Meaning?
MetaMask likely can’t be hacked, but you can be hacked. MetaMask is not the biggest risk, you are.
In total, hackers can gain access to your account from four angles:
- You, by giving away your private keys (for example to the courteous “MetaMask Support,” who messages you on Twitter).
- Your computer: via spyware and malware, hackers can spy out your PC… and your MetaMask account when you unlock your wallet.
- Your browser: You connect your wallet to the wrong website. Maybe to “uniiswap.org” instead of “uniswap.org”… and your ether runs off like water through a gutter.
- Your Wallet: If you give scam protocols unlimited access to MetaMask, they will rob you like the Joker robs a bank vault…
… so how can you protect yourself? Let’s start with a few general tips:
8 simple tips for optimal MetaMask Security
- Never give away your private keys — not to the MetaMask Support, not to an exchange, and not to Elon Musk who promises you 2 ether in return.
- Always check the URL of the D’app you're about to use and bookmark the correct URL.
- Don’t click on links from people you don’t know. (A common scam in Discord: The hacker sends you a DM with a link that takes you to a deceptively real page… you connect your wallet… and have connected it for the last time.)
- Don’t keep large sums in MetaMask — it’s your wallet, not your bank account. Or do you go to Star Bucks for a coffee with $10,000 in your pocket?
- Talk about crypto, not how much crypto you have. Otherwise, you’ll easily make yourself a target.
- Do not click on crypto ads of individual protocols. Why? Scammers place Google ads to get ahead of the real protocols in search results. So maybe “uniiswap” is at the top when you search “uniswap”.
- Never save your private keys on your computer or cell phone — always write them on a piece of paper.
- Learn your private keys by heart…
… these are the basic rules of reasonable MetaMask hygiene — just like you brush your teeth daily, you pay attention to these tips every time.
Now we’re taking it up a notch by not only protecting your MetaMask wallet but storing it in a high-security vault:
How to protect yourself from almost any hacker by using Ledger and MetaMask
What is a Ledger (or a Trezor)? It’s a hardware wallet: it stores your private keys offline, not online. What does that mean to you?
Hackers could infiltrate your computer, infect it with malware, illuminate your browser as if with X-ray vision… as long as they don’t have control over your hardware wallet, they can NOT steal your coins. Therefore:
Connect MetaMask with your hardware wallet for optimal MetaMask security. This way you combine the convenience of MetaMask (you can use any D’app) with the security of Ledger (you have to confirm every transaction on your ledger… and hackers can’t do that).
This is how you connect the two:
- Open “Ledger Live” (the software for your Ledger) and download the “Ethereum app”.
2. Close “Ledger Live” and open the “Ethereum app” on your ledger.
3. In the Ethereum app, go to “Settings” and enable “Blind Signing.”
4. In MetaMask, go to “Connect Hardware Wallet”
5. Select Ledger
6. Choose an account.
7. Enter your pin.
8. Now you can use your Ledger like MetaMask.
Now you can use all ERC-20 tokens in your browser — be it with Arbitrum, Optimism, Polygon…
… but how do you do that? How do you add an ERC-20 token?
I’ll explain this briefly by using our valuable MGH token on the Polygon network as an example.
How to use MGH (or any other ERC-20 token) with Ledger and MetaMask
1. click on “Import Tokens” in MetaMask.
2. Enter the contract address of your token.
For MGH:
- Contract Address: 0xc3C604F1943B8C619c5D65cd11A876e9C8eDCF10
- Token Symbol: MGH
- Decimals: 18
- You can find all the information again on Polygonscan
3. Click on “Add Custom Token” et voilà: Your MGH tokens are available in Ledger and MetaMask.
4. Use your favorite D’app with MetaMask
Now you can safely use any D’app. For example, our Staking app where you get — at the time of writing — 38.41 percent APR.
Is your MetaMask wallet 100% secure now? Can nothing happen to you anymore? And are your coins protected like the gold reserves of the USA behind tanks, machine guns, and the thick vaults of Fort Knox?
Unfortunately, not!
Still, predatory protocols can rob your funds if you connect MetaMask to them. Sounds bad? It sure is:
Token allowance: a “hidden” threat to your MetaMask security
Before you use any protocol — be it Uniswap, Maker or Compound — it always asks you one thing:
Is it allowed to interact with your wallet?
Here you click on either “Enable” or “Allowance,” then you can use the D’app in a second transaction. But what did you do in the first transaction?
You’ve given (depending on the D’app) permission to the protocol to spend your tokens unlimitedly. This is called “Token Allowance.”
Take Uniswap as an example:
Wouldn’t it be tedious to give Uniswap permission to exchange Ether for Dai every time? How cumbersome! That’s why you say “yes” once, and you can use Uniswap indefinitely.
This is what a “Token Allowance” looks like:
Think of it as a direct debit from your bank account: Your electricity provider collects your bill monthly without you having to agree to every transaction.
Except now Uniswap is the power provider and your wallet is your bank account. Convenient, isn’t it? But there is a serious problem with your MetaMask security:
The protocol can — depending on the smart contract and depending on the allowance — spend all your tokens in your wallet. Not only the ones you wanted to use in the protocol.
It doesn’t matter whether MetaMask is connected to Ledger or not. Because, as I said, you give the protocol full permission to spend as much as it wants (“Unlimited ETH” for example).
This is not a problem with established protocols like Uniswap — only with newer, untested protocols, you should worry.
So, how can you protect your money?
- Connect only with D’apps you trust.
- Periodically revoke token allowances that you no longer need.
How do you revoke them?
For the Ethereum Mainnet, use sites like https://ethallowance.com/.
For Polygon you proceed as follows:
- Go to Polygonscan
- Go to “Misc” in the upper right corner and then click on “Token Approvals”.
- Enter your wallet address and you will see which protocols are allowed to spend your tokens.
- Then connect your wallet and revoke the token allowance.
That’s it! That’s all you need to navigate the crypto jungle safely and securely.
Conclusion about MetaMask Security
100 percent security is a myth.
Cunning professional hackers will always find a way to steal your funds — in ways that we mere mortals can’t even imagine.
Still, you’ve done the humanly possible: you don’t share your passwords, you pay attention to the URL, you’ve connected Ledger with MetaMask, and you only utilize protocols you trust.
This makes you safer than 95 percent of all crypto users, and most hackers will have a terribly hard time with you.
Do you have any further tips for optimal MetaMask Security? Help others and write it in the comments!
How Can You Stay up to Date and Keep in Touch with MGH?
- If you want more information about MGH, visit our Website
- For a sharpshooter-like view over the whole project, read our Whitepaper.
- Work together with us in a Working Group.
- Follow us on Twitter.
- Follow us on Instagram
- Check out MGH on LinkedIn.
- Discuss, write, and celebrate with us on Telegram.
- Talk, laugh, and enjoy the time on Discord.
About MGH
At MGH we bring together DeFi, Data, and the Metaverse by following one core principle: “Navigating through the Open Metaverse together”. We accomplish this in four clearly defined steps:
- DAO Governed LANDs: MGH DAO collaboratively acquires, populates, and monetizes LANDs and respective in-game assets.
- Valuation Algorithm: Our Valuation Algorithm allows fair pricing for LANDs and will be gradually adopted to more Metaverse Assets.
- Dataverse Tools: MGH DAO is developing intuitive data tools which can be leveraged by users and ecosystems alike.
- Intuitive Metaverse d’Apps: Use MGH DAO’s tools to navigate through the Metaverse and leverage MetaFi.