Wallet Extension Trust Model

The Snaps Browser Wallet Extension Trust Model

Wallet User

Enable users to authorize crucial actions with their wallet, preserving their privacy without having to trust a dApp.

  • Users must be able to verify and trust Wallet Extensions, because these can gain access to MetaMask privileged operations (access keys, sign on the user's behalf).
  • Expects full transparency.
  • Does not trust the dApp.
  • Should not have to rely on information displayed by dApp.
  • Trusts MetaMask and Snap to protect the keys.
  • Expects that keys never leave the trust module.
  • Expects the assurance that secret keys are never displayed on the screen without privacy-protecting mechanisms in place.
  • Expects MetaMask/Snaps to uphold security standards against the dApp. Security is not dictated by the dApp.
  • Expects signatures to always be generated within the trust module context.
  • Might be phished into connecting a Snap with a malicious dApp.
  • Assumes all privileged interaction is safeguarded by MetaMask and Snap.
  • Assumes full transparency over dApp interaction with Snap (no silent interactions).
  • Assumes user consent within the (trusted) MetaMask/Snap context is required for all interaction, both privileged operations such as signing and information disclosure such as a dApp requesting all of the user's addresses.
  • Expects the user experience to follow secure MetaMask design and standard dialogs.

Web Browser with dApp

Outside the trusted realm of MetaMask and the Snaps. This is the Wild West 🌵🐄🌵 and the reason we need a Trust Module in the first place.

  • dApp is not trusted.
  • The MetaMask extension is the trusted wallet / trust module.
  • dApp might request to interact with MetaMask and specific Snaps via RPC API.
  • Wallet User must confirm the request for the dApp to interact with MetaMask or a Snap.
  • Wallet User must confirm linking dApp with a Snap.
  • Linking a dApp with a Snap is not a sign of trust. It only allows interaction between a dApp and Snap.
  • May detect and interact with MetaMask.
  • May directly communicate with connected Snaps through MetaMask RPC.
  • May be able to list Snaps installed from the current origin.
  • May request installation of Snaps.

MetaMask "Trust Module"

Allows users to interact with dApps in the Wild West 🌵🐄🌵. Guarantees safe interaction by protecting keys and preserving the user's privacy. Interaction requires explicit user consent.

  • Users trust MetaMask to perform actions on their behalf only upon explicit consent.
  • Users trust MetaMask to display accurate information.
  • Provides a safe way for users to interact with dApps without exposing keys.
  • Protects wallet accounts and keys.
  • Does not trust any data originating from dApps.
  • Provides restricted API to dApps.
  • Provides restricted privileged API to installed Snaps.
  • Provides restricted execution environment for Snaps.

Snap "Trust Module Extension"

Extends MetaMask functionality. Allows users to interact with dApps in the Wild West 🌵🐄🌵. Guarantees safe interaction by protecting keys and preserving the user's privacy. Interaction requires explicit user consent.

  • Runs in a restricted execution environment within MetaMask.
  • May request to offer RPC endpoints to dApps.
  • May request to schedule recurring tasks / callbacks.
  • May request to communicate with 3rd party HTTP services.
  • May request to access MetaMask's Ethereum endpoint.
  • May request to access derived coinId account keys.
  • May request to be hooked into Ethereum transaction signing dialogs.
  • May request to run WebAssembly.
  • May display dialogs and notifications with MetaMask.
  • May store information within MetaMask.
  • Users expect Snaps to provide the same security guarantees MetaMask provides.
  • Users expect to be fully informed of any invocation of Snaps functionality.
  • Users expect the Snap to be safeguarded from potentially malicious origins.
  • Users expect the Snap to perform only actions upon explicit user consent.
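
The capabilities listed above can be checked against what a Snap actually requests before it is installed or reviewed. The following is an added example, not code from MetaMask or from this page: it maps a manifest's `initialPermissions` onto the trust-model list and flags combinations that put a user expectation at risk. The permission names are assumed from the Snaps manifest format, and the finding labels and sample manifests are constructed for illustration.

```javascript
// Added example, not MetaMask code. Permission names are assumed from the Snaps
// manifest format; the capability text on the right is this page's wording.
const CAPABILITIES = new Map([
  ["endowment:rpc", "offer RPC endpoints to dApps"],
  ["endowment:cronjob", "schedule recurring tasks / callbacks"],
  ["endowment:network-access", "communicate with 3rd party HTTP services"],
  ["endowment:ethereum-provider", "access MetaMask's Ethereum endpoint"],
  ["snap_getBip44Entropy", "access derived account keys"],
  ["endowment:transaction-insight", "hook into transaction signing dialogs"],
  ["endowment:webassembly", "run WebAssembly"],
  ["snap_dialog", "display dialogs"],
  ["snap_notify", "display notifications"],
  ["snap_manageState", "store information within MetaMask"],
]);

function auditManifest(manifest) {
  const perms = manifest.initialPermissions ?? {};
  const requested = Object.keys(perms);
  const has = (name) => requested.includes(name);
  const capabilities = requested.filter((p) => CAPABILITIES.has(p)).map((p) => CAPABILITIES.get(p));
  const unknown = requested.filter((p) => !CAPABILITIES.has(p));
  const dappReachable = has("endowment:rpc") && perms["endowment:rpc"]?.dapps === true;
  const keys = has("snap_getBip44Entropy");
  const findings = [];
  // "Keys never leave the trust module": key access plus outbound HTTP needs review.
  if (keys && has("endowment:network-access")) findings.push("KEYS_AND_NETWORK");
  // "Only actions upon explicit user consent": untrusted dApps can call a key-holding
  // Snap that has no way to show a confirmation dialog.
  if (keys && dappReachable && !has("snap_dialog")) findings.push("NO_CONSENT_DIALOG");
  // "No silent interactions": cron jobs run without a user-initiated request.
  if (has("endowment:cronjob") && !has("snap_notify") && !has("snap_dialog")) findings.push("SILENT_BACKGROUND_TASK");
  // Anything outside the trust model's list gets a manual look.
  if (unknown.length > 0) findings.push("UNMAPPED_PERMISSION");
  return { capabilities, unknown, findings };
}

// Constructed sample manifests (not real Snaps).
const RISKY_MANIFEST = {
  initialPermissions: {
    "endowment:rpc": { dapps: true, snaps: false },
    "endowment:network-access": {},
    "snap_getBip44Entropy": [{ coinType: 1 }],
    "example_unmappedPermission": {}, // placeholder name, deliberately not in the map
  },
};
const MINIMAL_MANIFEST = { initialPermissions: { "snap_dialog": {}, "snap_manageState": {} } };

console.log(auditManifest(RISKY_MANIFEST).findings);
console.log(auditManifest(MINIMAL_MANIFEST).findings);
```

A finding is a prompt for manual review of the Snap's handlers, not proof of a defect: a Snap may legitimately combine key access with network access as long as only signatures or public data leave the trust module.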