May 27, 2022

Metamask is not anonymous

1. When you open Metamask, it sends an ethCall request to the RPC to find out how many tokens to show you. This request includes ALL of your addresses.

2. The RPC provider sees your IP address, browser information and operating system information.

3. If they have other metadata linked to the IP address, they can link these accounts to my real identity (social networks, for example).

4. The data is sent even if you have not entered your password and have simply clicked the Metamask icon.

Although, if you haven't been involved in anything criminal, you shouldn't give a fuck about this.

I don't know of a way to stay completely anonymous. Good luck.

Proof:

DERP Example 1: Metamask Linkability

HOPR’s DERP tool makes it clear just how much metadata is revealed to RPC endpoints when you use crypto services, even if you don’t actually make a transaction. You can visit derp.hoprnet.org to start experimenting right away, but it’s not always clear exactly what the data means (although it should be immediately obvious that there’s a lot of it!)

Intro to D.E.R.P. (medium.com): As part of our Hop on Board event, HOPR is (dubiously) proud to present DERP, the Dumb Ethereum RPC Provider.

To help understand the implications of DERP, we’ve prepared some examples to showcase some of the privacy issues which plague today’s most popular crypto tools.

Our first example is the simplest, but it might be the most surprising. I consider myself a very careful crypto user, but it turns out I’ve been unwittingly broadcasting links between the wallets I control every time I open Metamask.

I avoid software wallets where possible, but the reality of DeFi today, especially running a crypto project which employs dozens of people and sometimes needs to make fast payments, is it’s not always feasible to do the hardware wallet dance.

Metamask is the most popular software wallet, boasting over 21 million users. Metamask makes it easy to generate new accounts from the same private key / secret recovery phrase. From a cryptographic perspective, you can have a functionally limitless number of such accounts, each completely separate and private. As long as they never interact on chain, nothing about their public keys would indicate they’re controlled by the same person.

And this is how many people use Metamask: it’s great to have multiple accounts all in one place. Perhaps one that only touches DEXs and DeFi, another that interacts with centralized exchanges. Or just a way to diversify assets across multiple unlinked accounts. Or — and of course we’d never endorse this :) — one account that the taxman knows about and others that are still dark.

If you’re using Metamask like this, you’re probably happy that your accounts are private. Of course, you have to remember to be careful to use the right account each time, and to never send tokens openly from one to the other, even via a third account, but with a bit of careful juggling, and maybe using privacy services like Tornado cash, there’s nothing to link the addresses together, right?

Wrong.

As soon as you start up Metamask, it sends an ethCall request to an RPC endpoint so it knows how many tokens to show you in the UI. This request contains ALL your addresses, one after the other, even if you’re only interested in using one.

To showcase this, I set up a new Metamask wallet and added several addresses, including:

  • 0x5faA0481F44cfe891416d5d4aA59254E45b7dfE0 (alias: Exchange Account)
  • 0xBab83b4a2dfC5732a004460E24b86C4dA1050214 (alias: Declared Account)
  • 0x0c89EDd253CFD1a95a9d56A11dcd7f0A1ea9eEb0 (alias: Secret Account)

Now look what happens in DERP when I fire up Metamask.

To understand what’s going on here, we need to break down the data in this payload.

[
  {
    "to": "0xb1f8e55c7f64d203c1400b9d8555d050f94adf39",
    "data": "…"
  },
  "0x0"
]

The “to” address is this one here: https://etherscan.io/address/0xb1f8e55c7f64d203c1400b9d8555d050f94adf39

It’s the Balance Checker contract. This makes sense. Metamask needs to show you how many tokens you have, and it needs to get that information from somewhere.

Now let’s look at the data being sent.

As with all Ethereum RPC requests, the first four bytes (eight characters) after the 0x identify the function being called. You can visit 4byte.directory to find out what it is.

Here it’s f0002ea9, which we can see is getBalance.

Next we have a lot of zeros. These are simply space fillers.

Now we have the first address. As you can see, it’s 5faa0481f44cfe891416d5d4aa59254e45b7dfe0, “Exchange Account” in my Metamask list.

Then more zeros, and another address. 0xbab83b4a2dfc5732a004460e24b86c4da1050214.

Exchange Account in my Metamask.

This pattern is repeated until we reach the end of the data.

So what does this mean?

It means as soon as I open Metamask, an RPC provider receives a full list of ALL the addresses under my control. All that cryptographic ingenuity to create unlinkable addresses from the same private key, destroyed in a fraction of a second.
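As an added example (not code from the original post, from HOPR or from MetaMask), here is a decoder for the kind of calldata walked through above: it assumes the selector f0002ea9 the article quotes, assumes the arguments are ABI-encoded dynamic address[] arrays with the user addresses first, and runs on a constructed sample payload built from the article's three aliased accounts.

```python
# Added example (not code from the post, HOPR or MetaMask): decode the calldata of a batch
# balance eth_call to see which addresses one request links. Assumptions: selector f0002ea9 as
# quoted in the article; dynamic address[] arguments (standard ABI head/tail layout); users first.
from typing import List, Set

BALANCE_SELECTOR = "f0002ea9"  # selector quoted in the article
WORD = 32                      # every ABI argument slot is a 32-byte word

def decode_address_arrays(calldata_hex: str) -> List[List[str]]:
    """Return each address[] argument in the calldata, in parameter order."""
    raw = bytes.fromhex(calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex)
    selector, body = raw[:4].hex(), raw[4:]
    if selector != BALANCE_SELECTOR:
        raise ValueError(f"unexpected selector {selector}")
    # Head: one offset word per parameter. With only dynamic parameters the first
    # offset equals the head size, which gives the parameter count.
    n_params = int.from_bytes(body[:WORD], "big") // WORD
    arrays = []
    for i in range(n_params):
        offset = int.from_bytes(body[i * WORD:(i + 1) * WORD], "big")
        length = int.from_bytes(body[offset:offset + WORD], "big")
        items = []
        for j in range(length):
            word = body[offset + WORD * (j + 1):offset + WORD * (j + 2)]
            # High 12 bytes are the "zeros" the article walks past; low 20 are the address.
            if any(word[:12]):
                raise ValueError("non-address word inside address[] argument")
            items.append("0x" + word[12:].hex())
        arrays.append(items)
    return arrays

def linked_accounts(calldata_hex: str) -> Set[str]:
    """The privacy point: every user address in one request shares an owner."""
    return set(decode_address_arrays(calldata_hex)[0])

def encode_address_arrays(*arrays: List[str]) -> str:
    """Build calldata in the same layout (used only for the constructed sample)."""
    n, head, tail = len(arrays), b"", b""
    for arr in arrays:
        head += (n * WORD + len(tail)).to_bytes(WORD, "big")
        tail += len(arr).to_bytes(WORD, "big")
        tail += b"".join(bytes.fromhex(a[2:]).rjust(WORD, b"\0") for a in arr)
    return "0x" + BALANCE_SELECTOR + (head + tail).hex()

# Constructed sample: the article's three aliased accounts plus a one-entry placeholder token list.
SAMPLE = encode_address_arrays(
    ["0x5faA0481F44cfe891416d5d4aA59254E45b7dfE0", "0xBab83b4a2dfC5732a004460E24b86C4dA1050214",
     "0x0c89EDd253CFD1a95a9d56A11dcd7f0A1ea9eEb0"],
    ["0x" + "00" * 20])
```

Running linked_accounts(SAMPLE) returns all three addresses as one set, which is exactly the linkage an RPC provider obtains from a single request.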

On top of that, the RPC provider sees my IP address and browser and operating system info. If they wanted to, they could store and/or share this information with a third party, who would now know that these accounts have the same owner. If they have other metadata linked to my IP address they can maybe link these accounts to my real world identity. Remember, no transactions have occurred: there’s no need for complicated chain analysis.

What’s worse, it’s possible to trigger this call just by clicking the Metamask extension button. Here’s the same thing happening without me even entering my password!

Obviously Metamask needs to populate its UI with your account information. In a web3 world, the only way to do that is via RPC calls. But it’s not necessary to combine so much information into a single call. That’s Web 2.0 thinking being carried over carelessly into web3. It’s understandable why this happened, but it needs to be fixed.

HOPR’s Role in the Web3 Future (medium.com): Clear and consistent values are an essential part of breaking the Web 2.0 stranglehold and moving to a free, private…

Next time, we’ll be showcasing how it’s possible for a malicious RPC provider to mess with your NFT collection.

Sebastian Bürgel,
HOPR Founder

Website: https://www.hoprnet.org
Testnet: https://network.hoprnet.org
Twitter: https://twitter.com/hoprnet
Telegram: https://t.me/hoprnet
Discord: https://discord.gg/dEAWC4G
LinkedIn: https://www.linkedin.com/company/hoprnet
Forum: https://forum.hoprnet.org
Github: https://github.com/hoprnet