MetaMask
About
MetaMask is a self-custodial cryptocurrency wallet and gateway to decentralized applications, available as a browser extension and mobile app. It lets users securely store, send, receive, and swap tokens, buy crypto with fiat, stake ETH, lend stablecoins, trade tokenized RWAs and perpetuals, and connect to thousands of dapps across multiple blockchain networks. Originally developed by Consensys, it serves as a general-purpose interface for interacting with the Ethereum ecosystem and beyond.
Where Does Yield Come From?
MetaMask offers a few different ways to earn returns on your crypto, all within the wallet itself.
1. Pooled staking — You put in any amount of ETH, and MetaMask combines it with others' ETH to run validators (the computers that process and secure the Ethereum network). Those validators earn rewards from newly created ETH and from transaction fees and other payments. Rewards build up daily, and you can take your ETH back at any time. MetaMask says its validators have been online 99.99% of the time and have never lost any ETH since the service started.
2. Validator staking — You deposit between 32 and 2048 ETH per validator. MetaMask handles running the validator hardware and software. Rewards are paid out roughly every 10 days, and you can unstake whenever you want.
3. Liquid staking — You stake any amount of ETH through outside providers (Lido and Rocket Pool) that MetaMask connects you to. In return you get a special token (stETH or rETH) that represents your staked ETH. That token keeps growing in value as staking rewards pile up, but you can also sell it, send it, or use it in other DeFi apps anytime.
Separately, there is MetaMask Rewards — a seasonal loyalty program. You earn points by swapping tokens or trading perpetuals (a kind of crypto derivative) inside MetaMask. Points can later be swapped for future token allocations (like $LINEA), trading fee discounts, and special offers. You get extra points when you trade on certain networks — for example, 2× points on Linea swaps. Points from different bonuses can also be combined.
The Earn page also mentions stablecoin lending for passive income. MetaMask describes it as "lend stablecoins to earn passive income" but does not publicly explain which lending protocols or fee structures sit behind it.
Persons
Kumavis (Aaron Davis)
Co-creator — launched MetaMask as a browser extension
Dan Finlay
Co-creator — launched MetaMask as a browser extension
Joseph Lubin
Founder and CEO of Consensys (parent company that incubated and develops MetaMask)
Audits
| Audit / Date | Findings | Verdict |
|---|---|---|
| Consensys Diligence, 11-08-2025 - 15-08-2025 | | The audit found no critical or major security vulnerabilities; all issues were minor code-quality recommendations or informational, with several fixed before deployment. However, the mUSD token contract relies on powerful administrative roles (freeze, pause, forced transfer, upgrade) that require exceptionally high operational security standards. |
| ChainSecurity, 13-08-2025 - 25-08-2025 | | The audit demonstrates that MUSD's codebase provides a high level of security, with no exploitable vulnerabilities identified across the reviewed scope; the two acknowledged informational items pose no material risk to protocol safety. |
| Guardian, 08-08-2025 - 11-08-2025 | | This audit found no critical, high, medium, or low severity issues—only a single informational inconsistency that was promptly resolved—indicating a mature and well-secured codebase suitable for deployment with periodic reviews as the protocol evolves. |
| OtterSec (Otter Audits LLC), 01-10-2024 - 10-10-2024 | | All three high-severity vulnerabilities were resolved during the audit engagement, and the two informational findings pose no immediate threat, indicating that the @lavamoat/webpack plugin is safe for use at the audited commit with the identified patches applied. |
| Consensys Diligence, 21-10-2024 - 25-10-2024 | | The audit found only two issues — one minor acknowledged re-entrancy risk and a calldata validation flaw that was fixed — indicating that the delta changes to the MetaMask Delegation Framework introduce no critical or high-severity unresolved vulnerabilities. |
| Consensys Diligence, 19-08-2024 - 30-08-2024 | | The audit identified 4 issues in MetaMask's Delegation Framework, all of which were fixed before the report was published, reducing residual risk to the protocol. However, the severity distribution of the findings could not be determined from the converted document due to garbled severity symbols. |
| Consensys Diligence, 01-06-2024 | | The audit reveals a well-considered design with one Major issue (stuck tokens on implementation contracts) and several Medium architectural concerns that were acknowledged by the client; the inherent flexibility of the delegation system introduces genuine residual risk that requires careful enforcer usage and user education, particularly given the unrestricted-by-default nature of delegations. |
| Cure53, 30-04-2024 | | The audit identified only three minor issues (one Medium, one Low, one Informational) and confirmed that the Cardano key derivation implementation is compliant with the CIP3-Icarus standard, with no critical or high-severity vulnerabilities present in the scope reviewed. |
| Cure53, 13-03-2024 | | The audit found only one low-severity weakness (unpatched packages) and no critical, high, or medium issues, indicating a strong security posture for the MetaMask Message Signing Snap. The single low-risk finding is easily remediated by updating dependencies. |
| Least Authority, 08-09-2023 | | The audit found no critical vulnerabilities that enable fund theft, SES sandbox escape, or internal state corruption; the one unresolved finding (Snap timeout bypass) was deferred by the team as low risk due to the sandboxed execution environment, and all other issues and suggestions were resolved, indicating a well-designed system with security-conscious use of SES compartments. |
| Least Authority, 13-06-2023 - 17-07-2023 | | The only confirmed issue was remediated before publication, and the unresolved suggestion carries an extremely low theoretical risk; the Snaps Extension codebase appears well-designed with security considerations integrated from the start. |
| Cure53, 03-03-2023 | | The audit found no critical or high-severity vulnerabilities; the single medium-severity issue (invalid extended key acceptance) and several low-severity specification-compliance gaps were all assessed as posing negligible real-world risk, reflecting a solid overall security posture for the key-tree interface. |
| Least Authority, 29-07-2022 | | The audit found the seed phrase implementation to be well-written and compliant with BIP39 standards, but could not definitively identify the root cause of the reported seed phrase error, pointing instead to possible OS, browser, or LevelDB-level race conditions as likely contributors. |
| Least Authority, 04-03-2020 | | The audit found the MetaMask Plugin System and LavaMoat code to be well-architected with a clever design, but identified several unresolved issues in the Plugin System that MetaMask committed to addressing before production deployment, while two code-injection vulnerabilities in LavaMoat were successfully resolved during the engagement. |
| Least Authority, 27-11-2019 | | The audit identified two critical vulnerabilities that were adequately addressed (one resolved, one partially resolved with per-connection isolation), and the overall code quality and team responsiveness were commended, but residual risk around dependency compromise and plugin isolation remains until LavaMoat is fully deployed. |
| Least Authority, 18-02-2019 - 07-03-2019 | | The audit found no critical vulnerabilities posing an immediate threat to stored value, and all identified issues were satisfactorily resolved, reflecting a strong security posture for the MetaMask mobile application. |
| Cure53, 27-04-2016 | | This audit document could not be analyzed because the PDF-to-text conversion yielded unusable output; no security conclusions can be drawn from the available material. |
Backers
MetaMask is a product developed and owned by Consensys, the software company founded by Ethereum co-founder Joseph Lubin in 2014. As a product within Consensys, MetaMask does not appear to have raised independent funding rounds. The parent company Consensys raised a $450 million Series D funding round in March 2022 (as noted on Consensys' official company timeline at consensys.io/company). No other specific investor names, round details, or amounts attributable directly to MetaMask were found on the official MetaMask or Consensys websites within the pages fetched.
Legal
Legal form
Product of Consensys Software Inc., a private software company (corporation)
Registration jurisdiction
United States (Texas, based on registered address: 5049 Edwards Ranch Rd, Fort Worth, TX 76109 and governing law clause in the Terms of Use)
Status and notes
MetaMask is a product built and operated by Consensys Software Inc. ("Consensys"), a software company founded in 2014 by Ethereum co-founder Joseph Lubin. The MetaMask website footer states "©2026 MetaMask • A Consensys Formation." Terms of Use (last updated February 2024) and Privacy Notice (effective 18 June 2024, last revised 17 December 2025) are published and linked from the site. Legal notices to Consensys can be sent to 5049 Edwards Ranch Road, Fort Worth, TX 76109, USA, or via email at [email protected]. Privacy-related requests: [email protected]. No standalone MetaMask entity exists; all legal representations are made by Consensys Software Inc.
