MetaMask Monthly

Monthly updates from the MetaMask Team

This month was an action packed month for MetaMask! The team had the pleasure of speaking at DevCon 5 in Osaka Japan. Here we shared some exciting announcements, and shed light on the direction we believe the future of web3 is headed.

The MetaMask Team at Devcon 5

Snaps: The Metamask Plugin System.

At this talk Dan and Erik presented our new MetaMask Snaps plugin system!

During the last four years, MetaMask has had the privilege of helping a huge community of visionary developers establish footing in a new kind of computing ecosystem: One where users control their own accounts, where accounts control their own funds, and where the speed of innovation is the only gatekeeper.

It wasn’t long before we started feeling the weight of responsibility on our shoulders that comes from building a platform that aspires to meeting the needs of such a diverse and brilliant ecosystem. We enabled the ecosystem, but in many ways we also dictated the pace of innovation. The features we added were becoming a kind of gatekeeping, a bottleneck on innovation. The tokens we listed. The signature schemes we supported. The networks we display by default. We took some initial steps at moving these choices back into users’ hands, but we knew it wasn’t enough. We had to do more.

With MetaMask Snaps every plugin created has the ability to provide its own API to the sites that a user visits, as well as to other plugins, allowing plugins to build on each other, in a sort of decentralized dependency graph. For example, a state channel plugin might rely on a whisper plugin. This will certainly increase the pace of innovation leading to endless possibilities but here are a few.

New asset types(tokens, Subscription, credit lines, CDPS, etc)

- New protocol support (ipfs, ssb, dat, gundb)

- New Layer 2 integration!

- New account types (Remote signer, New contract accounts)

- New signing methods

- Custom confirmations for users

If you want to read a more in depth dive into the plugin system check out the full article HERE. Or our condensed tweet thread HERE. For those ready to dive in and try it for yourself, please head down to our plugin-beta wiki.

Ethical Design Practices For Web 3.0

At this talk Jenny and Omna provided a map of the current landscape and where we are today. In product design there are many best practices that are already defined and applied such as functionality, reliability, usability and delight. These are the good components of UX but there is a piece missing which is Ethics, specifically user control. Without it we believe there is a fundamental flaw in creating human centered products.

The good news is ethical design practices are emerging and we at metamask hope to continue building with these principles in mind.

1. Informed consent: This means providing clear requests. Making site requests comprehensible and modifiable. When a person grants a permission to someone after understanding carefully and properly what they are signing up for. The challenge is designing something making sure you communicate the entirety of the permission but without overloading the user with information. For example we are currently working on modifications to our deigns that enable users to select allowances they want to trust a DApp with instead of their entire account balance.

An example of a new design showing informed consent and comprehensible clear requests

2. Granular control: We want to provide people with the right amount of control to manage what they are consenting for. This also means you should have the ability to review and manage these permission in an comprehensible way. This is why we are looking to adding “Revocable permissions”. We are on a mission to make it easy for users to manage these permissions by contextually providing this setting in the right place of the interface.

An upcoming design allowing users to manage the connects that they have with DApps.

3. Treating trust as a spectrum: Trust is a really important part of human experience. When you start a relationship with another person you might not trust them but as the relationship grows the trust naturally increases. This is how people and machine interaction should work as well. In web 2.0 it’s a trust dependent interaction. You trust the company to do the right thing with your information with whatever permissions you gave it to do. In web 3.0 you should have the ability to share progressively. When you first sign up for an app you might not know it very well. So it makes sense that you shouldn't have to share everything upfront with that application. Essentially you should have the power to pick and choose what the application can do. This results in proving safety nets for our users. At MetaMask we are looking to implement features such as

-Daily spending limits

-Per transaction spending limits

-Application specific spending limits

With this new design the user can mindfully choose to share what they are comfortable with.

In this situation where there will be a variety of permissions that applications will be able to ask from users. We wish to enable and empower DApp builders to ask the right kind of permissions at just the right moments. Read more about our permissions system HERE!

We want to talk to you DApp builders! We want to know we can simply your product experiences while also keeping the user control standards high.

Please shoot us an email at ux@metamask.io

Introducing LavaMoat!

Lastly Kumavis revealed LavaMoat which is a new set of tools for securing JavaScript projects against a category of hacks called “software supplychain attacks”. App developers commonly use many third party tools called “dependencies”. If an attacker is able to get a malicious dependency into a developers’ app, it may be able to steal important secrets like private keys that control digital assets.



These attacks have already hit the cryptocurrency ecosystem and present a significant risk for the developers and users of wallets and apps. While this category of attack is especially relevant for the cryptocurrency ecosystem, apps that deal with credit card numbers and personal information are also potential targets.



In order to help mitigate the risk of such an attack we are building a suite of tools. These range from plugins for common app bundlers (eg webpack, browserify) to dependecy analysis and visualization tools.

Check out a detailed presentation of the project below!

Please fill out this form HERE! We want to know what bundlers your using and what your use case are so we can prioritize development to helping you!

PSA: We will be Deprecating “Synchronous” Provider Methods

As part of the exciting changes we are making to the MetaMask platform, an upcoming update to our inpage provider RPC API may be breaking for a small number of dapp developers.

Starting Monday, December 9, 2019, all MetaMask provider send() calls will behave asynchronously, just as they do under the hood. They will return Promises, which will resolve directly to RPC method results. We encourage you to take a look at EIP 1102 and EIP 1193 to learn about the new APIs available to you. The new ethereum.send will be live for all other methods in the next couple of weeks, so keep an eye out for that!

Read all about the affected methods HERE.

Backup Wallet settings via 3Box

Instead of keeping MetaMask wallet data such as account information, settings, saved contacts, account nicknames, and token preferences in browser localStorage where it remains siloed, MetaMask users can now securely store this information in 3Box where it is liberated and conveniently available wherever users access their Ethereum account.

When a user restores their wallet on a new browser or device, they’ll have the option of importing those preferences to get set up immediately. That’s right, no more having to re add a token contract addresses again!

3Box is a decentralized storage system build on OrbitDB. They’re helping build the layer of user data on Ethereum to help make applications more robust and user-friendly.

If you’d prefer not to back up your lightweight account data, you can always opt-out via settings. As always, you are in control of your seed phrase & keys, which are not being backed up or sent anywhere as part of this integration.

Read more HERE!

Development What’s New?

MetaMask v 7.3.1 is out and auto-updating in browsers near you. Next time you pop it open, check out some of the improvements listed below. These changes are new as of this month.

#7252: Fix gas limit when sending a transaction without data to a contract. Prior to this it was set to 21000 by default for ETH sends even if it’s to a contract which would cause it to fail.

#6972: 3box integration! MetaMask users can now securely store this information in 3Box where it is liberated and conveniently available wherever users access their Ethereum account.

#7168: Add fixes for German translations

#7170: Remove old disk store compatable with an older MetaMask

#7176: Performance: Delivery optimized images overall size reduced by 25%.

#7189: Added Goerli test net to incoming tx

#7173: Improved RPC error messages

#7162: Add a/b test for full screen transaction confirmations. All users are placed in one of two groups. The control group sees confirmations of transactions from dapps via the current/normal notification window. The test group sees the confirmations in a full screen browser tab. The goal is to see which notification method is most effective.

#7089: Add advanced setting to enable editing nonce on confirmation screens

#7239: Update ETH logo, update deposit Ether logo height and width

#7266: fix issue of xyz ens not resolving

#7253: Prevent Logout Timer that’s longer than a week. Prevents login when setting an arbitrary large logout timer.

#7285: Lessen the length of ENS validation to 3

#7287: Fixed phishing detect script. For a short period your could not continue to flagged site without deactivating metamask plugin.

#7260: Does not allow translate on seed phrases. User is presented with the phrase in English and uses the browser’s built-in translator tool. If they try to restore this seed phrase, it will not work, and sometimes the translation back to English is not identical to the original.

In the past month…

✅ (44) PRs merged

🛠 (137) commits

💫 (22) GitHub issues closed, (33)opened

🔧 900+ support tickets solved last month

💥 2,020 lines of code added and 4,096 deleted.

If you have any questions or suggestions, you can always reach out to us directly or file an issue on our GitHub.

Thanks for reading and stay foxy!!! 🦊

Jason & the MetaMask team