MetaMask Snap Technical Interpretation: Development Experience, Capability Limitations, Security, and Commercial Potential

Author: LXDAO

This article is co-authored by LXDAO expert team members Li Damao and Bruce, where we will delve into the technical aspects of MetaMask Snap. What is MetaMask Snap? What technical capabilities does it have? How is security ensured? What is the development experience like? These questions may determine the future potential of MetaMask Snap.

What is MetaMask Snap?

A few days ago, ConsenSys announced the public launch of the MetaMask Snaps Open Beta. MetaMask Snaps can extend the capabilities of the wallet by allowing the installation of apps (Snaps) created by third-party developers to gain new features.

If ConsenSys has turned MetaMask into WeChat, then Snaps are like WeChat mini-programs. This illustrates MetaMask's ambition; combined with ConsenSys's scale and MetaMask's user base, the landscape of the wallet space will change as a result.

Currently, the official has announced 35 available Snaps and launched the Snap app store at https://snaps.metamask.io/.

Overview of Some Snaps

So what exactly is MetaMask Snap from a technical perspective? What are its capability limitations? Is it secure? What is the development experience like? These may all determine the future potential of MetaMask Snap.

Since last year, LXDAO has been deeply researching the implementation of Snaps, and several members have participated in Snap development and actively engaged in related hackathons. Today, we will explore the above questions from a technical perspective and actually develop a Snap to give you a feel for the developer experience of Snaps.

First Experience with MetaMask Snap

Installing MetaMask Snap

Typically, you can install it through the official MetaMask Snap marketplace or directly from the project's official website. Taking UniPass as an example, when you visit the application page, a button will be provided to link to MetaMask.

After clicking, the Snap installation will proceed:

Using MetaMask Snap

Once the installation is complete, you can start using the corresponding products and features. In this application, UniPass creates a smart contract account for you, allowing you to operate through your MetaMask EOA account.

When you execute a transfer, UniPass will pop up a Snap to confirm whether you want to perform the operation on the UniPass AA wallet.

After confirming through MetaMask, you can execute the relevant operation. In this scenario, MetaMask gains the ability to control the UniPass AA wallet through Snaps, allowing UniPass to enable users to operate the wallet without developing a wallet plugin themselves, and also to attract users at a very low cost using MetaMask!

What information can we gather from this installation and usage process?

1. Snaps have relatively fine-grained permission controls, including permissions for linking wallets, network requests, etc. The overall design adopts the Principle of Least Privilege, prioritizing security.
2. From npm:@unipasswallet/unipass-snap, it can be seen that Snaps are managed based on NPM for packages and versions. More details on security will be introduced later.
3. Snaps offer a high degree of flexibility, allowing developers to create and decide the content and logic displayed according to project needs. However, the UI is relatively simple and has room for optimization.
4. The experience of using Snaps is very straightforward and reliable, indeed reaching the level of a Beta version and production environment.

For a wallet product, security is always the top priority. Next, let's analyze the security design of Snaps.

Is Snap Secure?

Analysis of Snap Code Execution

As mentioned above, Snaps are managed based on NPM for packages and versions, indicating that Snaps are essentially web and JavaScript applications. It is well-known that JS syntax is very flexible and free, making it easy to lead to XSS and phishing attacks. How does MetaMask Snap address this challenge?

Through some research, it is not difficult to find that MetaMask funds Agoric and has deeply integrated the Agoric team's Hardened JavaScript (also known as Secure EcmaScript) as its "fully virtualized" sandbox solution. Agoric has designed a restricted JavaScript API and submitted a draft proposal to TC-39 (the JS standardization association), which can be found at: https://github.com/tc39/proposal-ses.

In simple terms, Hardened JavaScript is a more secure subset of standard JavaScript. It leverages some JS capabilities and mechanisms while reducing the permissions and methods for calling certain JS APIs, thereby lowering some risks. It creates a secure sandbox for the corresponding code to execute while adhering to the Principle of Least Privilege for planning code permission control.

Agoric and MetaMask collaborated to develop the LavoMoat (https://github.com/LavaMoat/lavamoat) project to enhance the security of Snaps. LavaMoat is a set of tools focused on addressing security risks from external dependencies in JS projects, increasing restrictions on certain APIs and logic.

Agoric and MetaMask have jointly initiated black-box and white-box security offensive and defensive tests, producing detailed security reports. Therefore, at the level of code execution, we have ample reason to believe that Snaps are secure.

Snap Code Must Be Open Source and Audited

In addition to having a clear user authorization process and a minimal permission design, becoming an officially recognized Snap must involve open-source code, significantly reducing the possibility of malicious code being included in Snaps through community efforts.

Moreover, we have also found that all Snaps on the official website must undergo code audits by third-party security companies before being released. This greatly enhances the security credibility of Snaps, with auditing firms including the well-known SlowMist.

Currently Identified Security Risks of Snaps

Since Snaps are currently based on NPM for package and version management, there is a certain possibility of changes at the code level, and since auditing is not mandatory, certain security risks may arise.

Because MetaMask cannot control the version releases on the NPM platform, project teams can release new versions for users to install at any time. Due to the cost of auditing, auditing companies do not audit every version, which can lead to a situation where changes in the latest version may not have been open-sourced or audited.

However, since the execution environment is a sandbox and employs a minimal permission design, unless users manually confirm new permission changes, new version Snaps will only have the permissions of the previous version to execute operations. But if a Snap requests excessive permissions, this could still pose a risk, so caution is still needed when installing and using Snaps.

Technical Capabilities and Limitations of MetaMask Snap

Although MetaMask Snap was officially announced recently, it has actually been in development for four years! The initial concept of MetaMask Snap was proposed by Dan Finlay on October 10, 2019, in a Medium article.

Balancing security, flexibility, and effectiveness is a significant challenge, and it is evident that MetaMask has invested a lot of resources and preparation for this day.

Currently, three major APIs have been opened:

1. Interoperability, allowing developers to develop wallets for other chains based on MetaMask.
2. Transaction Insights, allowing developers to obtain transaction data before users initiate transactions to analyze potential risks.
3. Notifications, enabling Snaps to directly push messages to users (though this seems to require website support, which is somewhat limiting).

Below is a brief introduction to the specific capabilities and effects that MetaMask Snap offers, to give you a more intuitive understanding.

Notification Capability

The Snap_notify interface can display notifications in MetaMask or the browser. Snaps can send messages directly to users through this interface, as shown in the figure below.

Transaction Insights Capability

When users interact with a smart contract, MetaMask will trigger the Snap's onTransaction event, passing the unsigned raw transaction to the onTransaction handler method. Snaps can return an interface on the transaction confirmation page and customize the displayed content.

With this capability, functions such as secure auditing of transaction information and extended information display can be achieved.

Dialog Interface and Custom Interface Capability

The Dialog capability will allow Snaps to directly pop up an independent window, achieving similar functionality to traditional Alert/Confirm/Prompt pop-ups (as shown below), used for reminders, confirmations, submitting information, etc.

Through Dialog, you can customize simple interactive interfaces and operations to connect with your DApp.

What Functions Cannot Be Achieved by MetaMask Snap for Now?

Due to security reasons, Snaps currently do not support third-party front-end frameworks and only provide a limited number of UI kits. Below is an example using insight to showcase all the UI components that developers can call.

As shown in the figure, currently available components include Heading (large text), Text (small text), Panel (card that can only be used once), Divider (separator), Copyable (click to copy), and a small subset of Markdown (bold and italic). Therefore, building interactive elements seems temporarily unfeasible, and embedded HTML cannot be used for interactive operations. However, after inquiring in the official Discord, the team stated that these limitations are for security reasons and will be relaxed in future versions.

Additionally, for the same security reasons, external requests only support the Fetch method and do not support more request protocols like WebSocket. Due to security, capability, and privacy restrictions, it is also impossible to access client information, such as the current URL that invoked the Snap, preventing the implementation of richer and more diverse functionalities.

Most of these issues and limitations stem from security considerations, and it is believed that more permissions will be opened up in the future once security is validated.

With these APIs, MetaMask has effectively become a product similar to an open platform. This feels reminiscent of when WeChat launched public accounts and mini-programs, instantly transforming it from a simple chat tool.

MetaMask anticipated today's market landscape back in 2019, where there are numerous public chains, projects, and various customized wallet needs. Instead of each project needing to develop its own plugin while users have to install several plugins, it is better to develop based on MetaMask Snaps. In the first batch of released Snaps, we also found wallets for non-EVM ecosystems like Sui Wallet, Solana Wallet, and Arweave Wallet. With its existing user base, MetaMask Snaps will undoubtedly have a significant impact on the wallet landscape.

In fact, the potential of MetaMask Snaps may be even greater than we initially imagined, extending beyond the realm of wallets. We can also see works from the EthSign team, which created a universal password manager KeyChain based on MetaMask Snaps, allowing all passwords in the browser to be encrypted and stored with wallet keys. This way, managing the wallet also secures all passwords.

Snaps are highly relevant to developers. With the open APIs, what is the actual developer experience like? Let's try developing a Snap ourselves to experience it.

Directly Developing a Snap Test

Organizing Thoughts

It is well-known that most users, in the vast majority of cases, do not actually know what smart contract they are interacting with, mainly including the following questions:

• Is the transaction contract a phishing site replacement contract?
• Is the transaction contract an upgradable contract?
• Is the smart contract newly deployed with few verifications?
• Is the transaction contract open source?

For ordinary users, asking them to read the Solidity code of the contract before performing an operation is quite unrealistic. At this point, it is very suitable to use the Transaction Insight feature to implement some smart contract analysis, such as using AI to conduct a relatively superficial security audit of the smart contract, which may filter out 80% of low-level phishing attacks.

Preparing the Development Environment

Download the Wallet

First, you need to install MetaMask Flask.

MetaMask Flask is a developer-centric release of MetaMask, mainly for previewing new features and developing experimental functionalities. Note that this is the developer version of MetaMask, so please do not use it for daily activities or import your regular private keys. Flask is used here mainly for the convenience of local instant previews of the Snap we are developing.

It is recommended to temporarily turn off the regular MetaMask wallet and other browser wallets after installation, or create a new Chrome profile to avoid conflicts.

Create an Account

After installing the wallet, create a new wallet just like you normally would with MetaMask. Please note that this is a wallet specifically for testing, so do not import your regular wallet.

Next, we need to top up the newly created wallet with some test tokens. Test tokens can be obtained through faucets; the Snap discussed in this article uses Goerli, so the following will focus on Goerli.

Initialize Snap Based on a Template

According to the official documentation, first use the @metamask/create-snap CLI to create a new Snap project, and we will initialize it using the official template:

Snap File Structure

The main files for the Snap are located in ./packages/snap, and the directory structure is as follows:

The Snap configuration file is placed in snap.mainfest.json, and the main file for the Snap is ./src/index.ts, which is very simple.

Enabling Permissions

First, we need to enable permissions by adding the following three lines in snap.mainfest.json:

The Mainfest file can also modify the description and proposedName to change the project's description and name.

Getting Transactions

Next, in this case, we only need to modify the index.ts file to complete all functionalities. A simple code example is shown below; for the complete runnable code, please visit: https://github.com/LidamaoHub/insights.

For more content, please refer to the MetaMask Snap developer documentation to complete more complex Snap products.

After installation, you will see similar risk warning messages for each transaction:

Currently, the development experience of Snaps is very smooth, with almost no issues encountered, and the official templates are also very rich and diverse. Experienced developers can typically get started and begin developing their required Snaps within a few hours. However, to be officially released and made available to mainstream users, the biggest hurdle will be security audits. Not all independent developers and small teams have the resources to audit their Snaps. Therefore, it can be expected that the quantity and richness of Snaps will not see a significant explosive growth for a long time.

Developer Support

If you can successfully run the above example, congratulations, you have become a qualified entry-level Snap developer!

MetaMask officially established the MetaMask Grants DAO last year, which funds high-value projects within the MetaMask ecosystem through grant programs. The MetaMask Grants DAO is an employee-led experimental initiative that provides grants to external developers worldwide to build impactful experiences within the MetaMask ecosystem. MetaMask injects a portion of its profits into this DAO each quarter, with the current annual budget for the MetaMask Grants DAO being $2.4 million.

Currently, any project that enriches the MetaMask ecosystem can apply for the official MetaMask Grants DAO (MetaMask Grant). For more information, please visit https://metamaskgrants.org/.

It is worth mentioning that LXDAO is honored to have applied for MetaMask Grants this year and participated in related project development, establishing a communication channel. If you are a member of LXDAO with relevant ideas, you can contact them more efficiently to submit applications.

Conclusion

We have technically analyzed what Snaps are, whether they are secure, their capability limitations, and the developer experience. In summary:

• Snaps are similar to WeChat mini-programs, opening up greater imaginative possibilities for MetaMask.
• Overall security is good, but there are still certain risks, and vigilance is needed regarding high-risk permissions.
• Due to security considerations, the currently available capabilities are limited, but Snaps can still generate sufficient imaginative space.
• After four years of refinement and testing, the developer experience is excellent; however, due to security considerations, a whitelist mechanism and auditing requirements have been designed, so it can be expected that there will not be a massive influx of Snaps in the near future.

Currently, MetaMask Snaps are still rapidly iterating, and it is believed that more permissions and capabilities will be opened up in the future. It is hoped that a more open yet secure mechanism will be introduced, such as Apple's official audit review mechanism and official code repository version control, to allow more developers to participate at a lower cost. If this issue is improved, it can be expected that there will be a significant demand in the future, and even dedicated Snap developer positions may emerge.

With a vast user base of MetaMask, independent developers may also have certain opportunities. Let us wait and see the next breakthrough innovation brought by Snaps.

Finally, thank you for your article, which I believe will help more people understand the current development status of MetaMask Snaps.