Sherpa takes us back to basics with a MetaMask overview, covering best practices and how to stay safe while using self-custody.
MetaMask can be your passport to a host of web3-connected experiences, but to the uninitiated it can also feel like a never-ending series of scams, phishing sites, and pitfalls.
It’s both, actually. Most folks who’ve been around for a while tend to liken crypto to the “Wild West”; there are countless opportunities, which is why people head to these frontiers in the first place. There were just as many ways to die, though, and crypto is very much the same.
This week, we’re going to cover some “best practices” when it comes to using MetaMask.
If this is your first time setting up MetaMask, you may want to head on over to their “Getting Started” guide to get step-by-step instructions for each browser.
It is fairly straightforward, though. Before we actually install, let’s go ahead and cover best practice #1.
- #1: Use a CLEAN (and not public) device. This should preferably be an actual computer, although I know plenty of people use crypto mostly on mobile. Using a phone opens you up to a lot of additional attack vectors, such as SIM-swapping, as well as physical threats, because you are carrying all of your assets on your person.
Think about it this way: if someone sees you using a crypto app, then suddenly your phone is as dangerous as if you were carrying a large sum of money in your physical wallet.
With that said, even folks using a computer can open themselves up to a lot of problems if they’re visiting suspicious sites, downloading from unknown parties, or sharing the computer with someone who might not be utilizing best practices. The point is, having a “crypto-only” device might be a better investment for some than a hardware wallet.
With that out of the way, you can go ahead and install MetaMask on your clean device, knowing that we won’t be clicking any suspicious links or connecting to anything we don’t 100% trust. Right?
As you’re installing the extension, you’ll get this notice asking if you’re recovering a wallet or if you are setting up a new one.
If you’re creating a new wallet, here’s where we’ll get to best practices #2 and #3:
- #2: Make sure you save your recovery phrase in a safe place. We’ve gone over myriad options in other articles, but the fact is: the how is entirely up to you. You know what is safest. An unencrypted document on your computer isn’t it. A “Notes” app on your phone isn’t it.
Maybe it’s hand-written, laminated, and stored in a fireproof safe. Maybe elsewhere. Maybe you use a hardware wallet. How much you have & how much you’re willing to spend on safety is going to determine how you protect your seed phrase. Just be mindful that it is your responsibility alone.
- #3: You know how we just went over all this stuff about storing your seed phrase somewhere safe? That is because MetaMask’s recovery works at the wallet level: if your device explodes or something, you restore the wallet from your seed phrase and then click “Create account” until all of your accounts are recovered.
This doesn’t always work. In particular, once you start importing accounts created elsewhere, MetaMask may not restore everything you need it to.
For this reason, on each account/address you create in Metamask, you’ll also want to Export the private key, and store these somewhere just as safe as your seed phrase. Preferably different places, but you do you.
You can export the private key for an individual account by clicking the ‘options’ for that account (three dots in a line) and clicking Account Details.
From there you can click Export Private Key so you can store it yourself, in case seed-phrase recovery misses an account.
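To show why seed-phrase recovery brings back the accounts MetaMask created but not the ones you imported, here is an added example (not MetaMask’s own code). It derives account private keys from a BIP39 mnemonic along the Ethereum path m/44'/60'/0'/0/i, which is what “Create account” does, and checks whether a given key is on that path. The mnemonic is the public BIP39 reference phrase, and the “imported” key is a constructed value standing in for a key made outside this seed.

```python
"""Added example: seed-derived accounts vs. an imported private key."""
import hashlib
import hmc_placeholder if False else hmac  # noqa (see note below)
```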
Okay, with that done, your MetaMask should be all set up. You’ll need Ethereum in it for gas, but let me add one more quick step if you’re going to purchase NFTs or tokens:
- #4: Create a second address/account to actually use for transactions. The idea is that you check the total cost of a transaction first, including gas, and send only that amount (plus maybe a pinch more) to the transacting account.
When you’re done transacting, you empty the Ethereum from the account, but leave the assets in it. This makes you MUCH safer if it is the only account you are connecting for transactions, because most fake mints and other malicious contracts will either try to take your Ethereum or transfer out your best assets.
If you don’t have any Ethereum in that account, then they can do neither of those things. The important thing is to never connect your main Ethereum-holding account to any of these sites; only use it to transfer to/from your transacting account.
Sounds complicated? Maybe a little bit, but you wouldn’t believe how effective the poverty defense is. I thought of this countermeasure after inspecting so many fake mint sites, and finally being taken by one. Luckily, all they were able to get was a small amount of Ethereum, because that is all I kept in that account.
Frequently, that will be the easiest line of defense, unless your seed phrase is compromised, in which case all of your MetaMask accounts are. Again, this is why it is important to store it safely and only connect to sites that you trust. Leave the scam sniffing to folks with less at stake.
While we’re on the subject of “safety”, you should also take a minute to concern yourself with privacy.
- #5: Always use a VPN when doing anything crypto-related. Not doing so exposes your IP address to every website you visit and potentially your physical location. This is also why you should never talk about trade size or amounts on social media. Don’t make yourself a target.
Many people in crypto have switched from Chrome to the Brave browser because they don’t want Google tracking their online activity. As an added perk, it is also faster and uses less battery than other browsers. I will caution that it doesn’t always work with some dapps or crypto platforms, so I keep Opera or Firefox handy as a backup.
You can also sandbox your MetaMask by creating a separate browser profile that is only used for crypto and has no other browser extensions installed. Simply switch back and forth between your crypto profile and your web-browsing profile.
Finally, as you interact with dapps and platforms, you’ll be granting them access to different things. Some of this access can be revoked in MetaMask itself, which costs nothing, and you should do so as often as possible. You never know which site or platform might be compromised in the future, so keeping your approvals to a minimum is key. Tips #6 and #7 cover both methods of revocation.
- #6: You can revoke a fair amount of access in MetaMask itself by visiting the same options menu we used before, going to Connected Sites, and clicking ‘disconnect’ next to each site. Note that you will need to do this for each address/account.
- #7: You can also visit Etherscan’s Approval Checker for token-specific approvals. These are allowances you have granted one dapp or another to spend some amount of your tokens, typically when approving tokens or NFTs before trading on Uniswap or OpenSea.
If you still hold some of those tokens, though, and don’t plan to trade them in the immediate future, it might be worth the small bit of gas to revoke that approval.
You can connect MetaMask to Etherscan’s approval checker in order to revoke those approvals. Just enter your address or ENS name in the approval checker linked above, and click the connect button next to your displayed risk.
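The approvals the Etherscan checker lists are ordinary transactions you signed earlier: an ERC-20 `approve(spender, amount)` call, or for NFTs a `setApprovalForAll(operator, approved)` call. Many dapps ask for `amount = 2**256 - 1` (“unlimited”), which stays valid until you overwrite it. The following added example (not Etherscan’s or MetaMask’s code) decodes such calldata so you can see exactly what MetaMask is asking you to sign, flags the unlimited ones, and builds the revoke transaction (amount 0 / approved false) the checker would have you send. The spender addresses and transactions are constructed placeholders; the four-byte selectors are the standard ones for these functions.

```python
"""Added example: decode token approvals, flag unlimited ones, build the revoke."""

# Standard 4-byte selectors (first 4 bytes of keccak256 of the signature).
SEL_APPROVE = bytes.fromhex("095ea7b3")               # approve(address,uint256)
SEL_SET_APPROVAL_FOR_ALL = bytes.fromhex("a22cb465")  # setApprovalForAll(address,bool)
UNLIMITED = 2**256 - 1                                # the "unlimited" allowance


def _strip0x(h):
    return h[2:] if h.startswith("0x") else h


def _addr_word(addr_hex):
    """ABI-encode an address: 12 zero bytes then the 20 address bytes."""
    return bytes(12) + bytes.fromhex(_strip0x(addr_hex))


def encode_approve(spender, amount):
    """Calldata a dapp submits to MetaMask for an ERC-20 approval."""
    return "0x" + (SEL_APPROVE + _addr_word(spender) + amount.to_bytes(32, "big")).hex()


def encode_set_approval_for_all(operator, approved):
    """Calldata for an NFT collection-wide approval (ERC-721 / ERC-1155)."""
    word = int(approved).to_bytes(32, "big")
    return "0x" + (SEL_SET_APPROVAL_FOR_ALL + _addr_word(operator) + word).hex()


def decode_approval(calldata_hex):
    """Decode approve/setApprovalForAll calldata into a dict; None if it is neither."""
    data = bytes.fromhex(_strip0x(calldata_hex))
    selector, args = data[:4], data[4:]
    if len(args) != 64:  # both functions take exactly two 32-byte words
        return None
    spender = "0x" + args[12:32].hex()  # address sits in the low 20 bytes of word 1
    word2 = int.from_bytes(args[32:64], "big")
    if selector == SEL_APPROVE:
        return {"kind": "ERC20 approve", "spender": spender,
                "amount": word2, "unlimited": word2 == UNLIMITED}
    if selector == SEL_SET_APPROVAL_FOR_ALL:
        return {"kind": "NFT setApprovalForAll", "spender": spender,
                "approved": word2 == 1, "unlimited": word2 == 1}
    return None


def build_revoke(approval):
    """Calldata that undoes a decoded approval: amount 0 or approved=false."""
    if approval["kind"] == "ERC20 approve":
        return encode_approve(approval["spender"], 0)
    return encode_set_approval_for_all(approval["spender"], False)


def flag_risky(calldata_list):
    """Return (decoded approval, revoke calldata) for every unlimited approval."""
    risky = []
    for calldata in calldata_list:
        decoded = decode_approval(calldata)
        if decoded and decoded["unlimited"]:
            risky.append((decoded, build_revoke(decoded)))
    return risky


# Constructed sample data: placeholder spender addresses and signed calldata.
DEMO_ROUTER = "0x" + "11" * 20       # constructed stand-in for a DEX router
DEMO_MARKETPLACE = "0x" + "22" * 20  # constructed stand-in for an NFT marketplace
SAMPLE_TXS = [
    encode_approve(DEMO_ROUTER, UNLIMITED),          # unlimited ERC-20 allowance
    encode_approve(DEMO_ROUTER, 1000 * 10**18),      # bounded allowance (1000 tokens)
    encode_set_approval_for_all(DEMO_MARKETPLACE, True),  # whole NFT collection
    "0xa9059cbb" + "00" * 12 + "33" * 20 + (1).to_bytes(32, "big").hex(),  # transfer(), not an approval
]

if __name__ == "__main__":
    for decoded, revoke in flag_risky(SAMPLE_TXS):
        print(f"{decoded['kind']} to {decoded['spender']}: UNLIMITED -> revoke with {revoke}")
```

The bounded 1000-token approval is decoded but not flagged, which matches the page’s advice: a small, purpose-specific allowance is not the problem; the open-ended ones you forgot about are.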
This list of best practices is by no means exhaustive, and you should constantly be adding new methods of protecting your assets as you learn them. We’ll try to keep you updated here, but feel free to let me know on Twitter if you have another “best practice” for MetaMask.
Until next time; research more, trustless.