DEV Community

Luis Lucena
Luis Lucena

Posted on • Updated on

What are MetaMask "Accounts" or "Sub-Accounts"? And why are they not as private as they are supposed to be?

When a wallet is created in Metamask, the famous seed phrase (or seed phrase) is generated, which are 12 words that must be stored securely. This seed phrase is generated by the BIP39 standard (BIP = Bitcoin Improvement Proposals). They come from a list of 2048 words.

Each of these words corresponds to a number, so the 12 words are actually equivalent to 12 numbers, which it is important that they are in order.

Image description

Based on the 12 numbers (seed integer) and using the SHA256 hash function, a private key is generated. Then the public key corresponding to the private key is derived using the ECDSA (Elliptic Curve Signature Algorithm).

Finally, the previously derived public key is hashed with the keccak256 hash function and from the resulting hash the last 20 bytes are taken, a 0x is added in front and this results in your Ethereum address.

Image description

Let's say to sum it up, the flow goes something like this:
Seed phrase > Seed integer > SHA256 > Private Key > ECDSA > Public Key > keccak256 > Last 20 bytes + 0x > Your Ethereum address🤓

Then the password with which you configure MetaMask is used to encrypt the private key on the device (browser or cell phone). This is why it is VERY important not to set a basic password, because if the key store file is stolen, they will be able to crack it easily and empty your wallet

Image description

So far it's all very nice and quite simple. This address created is your "Default account" or the first account or address you see created in MetaMask as soon as you generate it or import the seed phrase.

Then let's remember that MetaMask allows us to create N "Accounts" or "sub accounts" or "address". These accounts are all controlled by the same seed phrase but each one has its own address and therefore its own public key and private key.

Image description

To create these sub-accounts, MetaMask takes the private key of Account 1, hashes it, and from this hash function comes Account 2. It then hashes Account 2 to generate Account 3 and so on N times. Each account is the resulting hash of the previous account.

Image description

As each Account has its own address and therefore its own public and private key (and they were generated by hashing each one from the previous one), the different addresses or accounts cannot "IN PRINCIPLE" be linked by someone who does not know the private key

Image description

This means that although I control N address, nobody could know that they are all controlled by the same wallet, so this is supposed to be a mechanism that gives some privacy, since I can have different wallets for each thing and nobody knows that they are all mine.

Before we go on, let's remember: each wallet has 1 seed phrase and with this seed phrase controls N amount of address which each one has its own private key and its own public key.

All very nice and very secure at cryptographic level, BUT (there is always a but) the system has a flaw (flaw for us who want privacy, feature for those who want to investigate us Woman detective)

Every time we install MetaMask, the app defines an API TOKEN (an identifier) that the app is going to use to connect to the Ethereum node you use (Infura by default) to bring the balance data and do the balanceOf() and to relay the transaction.

So if you have address A, address B and address C, the RPC node you use sees that the transactions going out of the 3 addresses all use the same API TOKEN (also called API KEY) and therefore knows that all 3 belong to the same wallet.

In addition to this, the nodes can save the IP (by default it is a data that is discarded, but not all do it clearly), but this is something that is quite well known so many assume that by changing the IP via VPN every time you go to operate with another address you were ok.

What can we do about it? Every time we are going to make a new transfer from a different address we have to uninstall Metamask and reinstall it, so the API key is reset. Besides changing our IP obviously, with a VPN.

The other solution is to have our own node and interact from our wallet directly with it, this way we make sure that the node we operate against is not storing any of this data that can link the addresses.

Many will think it's too convoluted, but this is one of the mechanisms used by companies doing on-chain analysis to identify everything from funds originating from hacks to following traces of individuals and organizations seeking privacy.

It does not come to the point of the thread but since we are, another mechanism is to track via cookies and browser extensions, which are the addresses we are looking for in browsers, thus linking the addresses and "inferring" that they are of the same owner

Image description


I hope you found it interesting, ideas and criticisms are welcome❤️❤️

Discussion (0)