Skip to content

Snap Security Essentials

This document provides a baseline knowledge of security considerations for people new to developing Snaps. It is maintained by Consensys Diligence, with contributions from our friends in the broader Ethereum and security community. 💚

Welcome to the Snap Security Essentials for MetaMask Snaps—a resource designed to empower developers in harnessing the full potential of MetaMask's open-source extension system. In this guide, we will navigate through essential insights and strategies to safely extend MetaMask's functionality.

At the core of this exploration is the concept of a Snap—a JavaScript program operating within MetaMask's isolated environment (Discover Snaps).

Join us on a journey to master the best practices and common pitfalls to ensure security, innovation, and seamless integration with MetaMask Snaps.

Where to Start?

For General Understanding

  • General Philosophy: Explore the foundational mindset that shapes the security approach for Snaps. Understand the core principles guiding secure Snap development.

  • Snaps Security Top 10: Explore Snap security trends and common issues. Stay informed about the top 10 security concerns that auditors should focus on during their evaluations.

  • Tool: SnipGuardian: Explore a tool designed to visualize a Snap's capabilities, give code insights, and detect common vulnerabilities. Understand the risk profile of a Snap before installing it.

For Developers

Security is a shared responsibility, and by following the guidelines set out here, you contribute to the overall safety and trustworthiness of the MetaMask wallet Trust Module. Keep in mind that you are developing an extension for users' wallets. Thus, security should be addressed accordingly, and risk must be minimized.

  • Weaknesses Database: Learn about the subtleties of the MetaMask Snaps SDK, understanding the weaknesses and how to avoid security pitfalls.

  • Tool: SnipGuardian: Explore a tool designed to visualize a Snap's capabilities, enhance code quality, and detect common vulnerabilities. Integrate it into your development workflow for improved security.

For Security Auditors

Bear in mind, your focus is on auditing an extension within the MetaMask wallet Trust Module which extends far beyond the scope of a typical web application or browser extension!

  • Weaknesses Database: Find out about common ways the Snaps SDK may be misused. Get starting points on what to check for during security audits.

  • SnipGuardian Tool: Leverage to scope your engagements and check for common security issues. Use this tool to enhance your auditing process and streamline security assessments.

File a Pull Request: Contribute to the improvement of Snap security practices by filing a pull request. Get recognized as a Contributor and join the collective effort to enhance security. 🫶

Contributions are Welcome!

Feel free to submit a pull request with anything from small fixes to full new sections. If you are writing new content, please reference the Contributing page for guidance on style.

See the Issues for topics that need to be covered or updated.