Background

Over the course of May 30–31st 2018, MetaMask rolled out version 4.7.0 to our users. Among other changes, this new version modified how we store account nicknames, to allow some of our architecture to evolve more easily.

A side effect of this was a change to our data schema, and while updating our user interface to match it, a bug appeared that caused the account list to use the full nickname list to render available accounts. This full list included any accounts that had previously been used by this installation of MetaMask, even after the vault had been restored with a different seed phrase.

Response

Upon identifying this issue, we worked continuously until we produced a patch (#4486) that removed these invalid and historical account nicknames from the MetaMask storage, and reported the problem to a central server, where we’ve been recording the number of affected users. The patch was then pushed to all clients via auto-update.
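The account-list bug described under Background, and the cleanup described above, as an added illustration (this is not MetaMask's code, and the state shape, the field names `identities` and `keyrings`, and the sample addresses are assumptions): the nickname map outlives a vault restore, so a selector that renders from it shows accounts the current seed phrase cannot control, while a selector that renders from the keyring does not.

```javascript
// Assumed state shape (not MetaMask's actual schema): `identities` maps
// address -> { name } and is persisted across vault restores; `keyrings`
// lists the accounts actually derivable from the current seed phrase.

// Constructed sample state: two accounts from the current seed, plus one
// nickname left over from an earlier seed phrase used on this installation.
const sampleState = {
  keyrings: [{ type: 'HD Key Tree', accounts: ['0xaaa1', '0xaaa2'] }],
  identities: {
    '0xaaa1': { name: 'Account 1' },
    '0xaaa2': { name: 'Account 2' },
    '0xdead': { name: 'Old Account 3' }, // stale: not controlled by current seed
  },
};

// Buggy selector: renders from the nickname map, so the stale entry appears
// as a selectable account even though the current vault cannot sign for it.
function listAccountsBuggy(state) {
  return Object.keys(state.identities);
}

// Fixed selector: the keyring is the source of truth for which addresses the
// current seed phrase controls; nicknames are only looked up for those.
function listAccountsFixed(state) {
  const controlled = state.keyrings.flatMap((kr) => kr.accounts);
  return controlled.map((address) => ({
    address,
    name: (state.identities[address] || {}).name || address,
  }));
}

// Storage cleanup in the spirit of the patch described above: drop nickname
// entries whose address is not derivable from the current keyrings, and
// return how many were removed so the scale of the problem can be measured.
function pruneStaleIdentities(state) {
  const controlled = new Set(state.keyrings.flatMap((kr) => kr.accounts));
  const kept = {};
  let removed = 0;
  for (const [address, identity] of Object.entries(state.identities)) {
    if (controlled.has(address)) kept[address] = identity;
    else removed += 1;
  }
  return { state: { ...state, identities: kept }, removed };
}
```

Running `listAccountsBuggy(sampleState)` returns three addresses including the stale one, while `listAccountsFixed(sampleState)` returns only the two the current seed controls.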

Using the metrics we’ve collected on this bug, we estimate that around 2000 installations of MetaMask were affected and automatically fixed. Most of these accounts were never used. A majority of the used accounts were barely used (less than $10 worth of ether), and most of the rest have some activity, implying they are safely backed up and usable on another computer.

Finding the bug quickly was in part thanks to Mukesh Mali and Dhananjay Prajapati, who reported the issue to MetaMask and worked closely with us to help us resolve the problem as quickly as possible.

To thank them for their contributions, and in the spirit of our bug bounty program, MetaMask has awarded them a bug bounty for their efforts.

Were You Affected?

To be affected by this bug, you would have to have:

Used MetaMask over this weekend.

Seen an account that you had never used, or hadn’t seen in a long time, and did not have the backups for.

Copied this account’s address, and sent ether or tokens to it.

If these things happened to you, you may have sent ether or tokens to an account that cannot be recovered with your main seed phrase.

It is possible that these accounts were associated with an older seed phrase that you used with MetaMask. If this is the case, make sure to back up your seed phrase again, to make sure you have all the latest info copied down safely.

Conclusion

MetaMask takes your account security very seriously. We began making this tool to empower people to use the decentralized web, and we can’t deliver on that goal without protecting our users to the limits of our ability and the boundaries of this developing technology.

If you ever experience an issue in MetaMask that cannot be easily explained, do not be afraid to open an issue on our GitHub, where we will continue to do our best to respond to pressing issues as quickly as possible.

For other user support questions, feel free to reach out to us at support@metamask.io.