Source: LXDAO

This article was jointly written by LXDAO members Li Damao and Bruce. We will delve into the technical aspects of MetaMask Snap. What is MetaMask Snap? What capabilities does it have? How is security ensured? What is the development experience like? These questions may determine the future potential of MetaMask Snap.

What is MetaMask Snap?

A few days ago, ConsenSys announced the public launch of MetaMask Snaps Open Beta. MetaMask Snaps can expand the capabilities of the wallet by installing apps (Snaps) created by third-party developers to gain new functionality.

If ConsenSys has turned MetaMask into WeChat, then Snap is like WeChat Mini Programs. Therefore, it can be seen that MetaMask has ambitious plans. With the combination of ConsenSys' scale and MetaMask's user base, the landscape of the wallet field will change as a result.

Currently, the official has released 35 available Snaps and launched the Snap application store at https://snaps.metamask.io/.

Partial Snap Overview

So, from a technical perspective, what exactly is MetaMask Snap? What capabilities do they have? Are they secure? What is the development experience like? These may all determine the future potential of MetaMask Snap.

Since last year, LXDAO has been deeply researching the implementation of Snaps. Several members have already participated in Snap development and actively participated in related hackathons. Today, we will delve into the above questions from a technical perspective and actually develop a Snap to let you experience the developer's experience of Snap.

First Experience with MetaMask Snap

Installing MetaMask Snap

You can usually install MetaMask Snap through the official market, or directly on the project's official website. Taking UniPass as an example, when visiting the application page, a button will be provided for you to link MetaMask.

After clicking, the Snap will be installed:

Using MetaMask Snap

After installation, you can start using the corresponding products and features. In this application, UniPass creates a smart contract account for you, making it easy for you to control it through MetaMask's EOA account, and more.

When you make a transfer, UniPass will pop up a Snap to confirm whether you want to perform the operation on the UniPass AA wallet.

After confirming through MetaMask, you can execute the related operation. In this scenario, MetaMask, through Snap, has the ability to control the UniPass AA wallet, allowing UniPass to let users operate the wallet without developing a wallet plugin themselves, and can introduce users at a very low cost through MetaMask!

From this installation and usage process, what information can we gather?

• Snap has relatively fine-grained permission control, including permission to link wallets, network requests, and more. Overall, it adopts the principle of least privilege in its design, prioritizing security.

• From npm:@unipasswallet/unipass-snap, it can be seen that Snap is based on NPM for package and version management. We will detail its security later.

• Snap has a high degree of flexibility, allowing for self-development and decision-making on the content and logic to be displayed according to the project's needs. However, the UI is relatively simple and has some room for optimization.

• The Snap experience is very simple and reliable, indeed reaching the level of a beta version and production environment.

For a wallet product, security is always paramount. Next, let's analyze the security design of Snap.

Is Snap Secure?

Snap Code Runtime Analysis

As mentioned earlier, Snap is based on NPM for package and version management, indicating that Snap is actually a web and JavaScript-based application. As is well known, the syntax of JS is very flexible and free, which can easily lead to attacks such as XSS and phishing. How does MetaMask Snap address this challenge?

After some research, it is not difficult to find that MetaMask sponsors Agoric and deeply integrates Agoric team's Hardened JavaScript (also known as Secure EcmaScript) as its "fully virtualized" sandbox solution. Agoric has designed a JavaScript restriction API and submitted a draft proposal to TC-39 (JS standardization association), the address is: https://github.com/tc39/proposal-ses.

In simple terms, Hardened JavaScript is a more secure subset of standard JavaScript. Leveraging some of the capabilities and mechanisms of JS, it reduces the calling permissions and methods of some JS APIs, thereby reducing some risks. It creates a secure sandbox for the corresponding code to execute, while following the principle of least privilege to plan the code's permission control.

Agoric collaborated with MetaMask to develop LavaMoat (https://github.com/LavaMoat/lavamoat) to enhance the security of Snap. LavaMoat is a tool that focuses on addressing security risks of external dependencies in JS projects and adding restrictions on certain APIs and logic.

Agoric and MetaMask have jointly conducted black-box and white-box security testing and produced detailed security reports. Therefore, at the runtime level, we have ample reason to believe that Snap is secure.

Snap Code Must Be Open Source and Audited

In addition to having a clear user authorization process and a design based on the principle of least privilege, officially recognized Snaps must open-source their code, greatly reducing the possibility of malicious code through the power of the community.

Furthermore, we have found that the Snaps on the official website have undergone code audits by third-party security companies before being released. This significantly increases the security and trustworthiness of Snaps, with audit firms including the well-known SlowMist.

Security Risks Found in Snaps

Since Snaps are currently based on NPM package and version management, there is a possibility of changes at the code level, and the audits are not mandatory, which may pose certain security risks.

Because MetaMask cannot control the version releases on the NPM platform, project teams can release new versions for users to install at any time. Due to the cost of audits, audit firms may not audit every version, leading to a situation where the latest version changes may not be open-source or audited.

However, due to the sandbox environment and the use of the principle of least privilege, unless users manually confirm new permission changes, the new version of Snap will only have the permissions of the previous version to execute operations. But if a Snap requests excessive permissions, there is still a risk, so vigilance is still required when installing and using Snaps.

Technical Capabilities and Limitations of MetaMask Snap

Although MetaMask Snap was officially announced recently, Snap has actually been in development for 4 years! The earliest concept of MetaMask Snap was announced by Dan Finlay on October 10, 2019, on Medium.

Balancing security, flexibility, and effectiveness is a very big challenge, and it can be seen that MetaMask has invested a lot of effort and preparation for this day.

Currently, three main APIs have been opened:

• Interoperability, allowing developers to develop other chain wallets based on MetaMask

• Transaction Insights, allowing developers to obtain transaction data before a user initiates a transaction to analyze potential risks

• Notifications, allowing Snap to directly push messages to users (although this seems to require website support and is somewhat limited)

Below is a brief introduction to the specific capabilities and effects opened by MetaMask Snap, to give you a more vivid perception.

Notification Capability

The Snap_notify interface can display notifications in MetaMask or the browser. Snap can use this interface to directly send messages to users, as shown in the following image:

Transaction Insights Capability

When a user interacts with a smart contract, MetaMask triggers the onTransaction event in Snap, passing the unsigned raw transaction to the onTransaction handler method. Snap can return a custom interface on the transaction confirmation page and customize the display content.

Through this capability, secure transaction auditing and extended information display can be achieved.

Dialog Interface and Custom Interface Capability

The Dialog capability will allow Snap to directly pop up an independent window, achieving similar capabilities to traditional Alert/Confirm/Prompt pop-ups (as shown in the image), used for reminders, confirmations, and information submissions.

Through Dialog, you will be able to customize simple interactive interfaces and operations to integrate with your DApp.

What Functionalities Can't MetaMask Snap Currently Achieve?

Due to security limitations, Snap currently does not support third-party front-end frameworks and only provides a limited number of UIKit components. The example is still using insight to display all the UI component libraries that developers can call.

As shown in the image, currently only Heading (large text), Text (small text), Panel (card and can only be used once), Divider (separator), Copyable (click to copy), and a small subset of Markdown (bold and italic) are available. Therefore, it seems that building interactive functionality is currently not possible, and using embedded HTML for interactive operations is also not possible. However, after asking in the official Discord, the official stated that these limitations are all due to security considerations and will be relaxed in future versions.

Additionally, also due to security considerations, only the Fetch method is supported for external requests, and more request protocols such as WebSocket are not supported. Due to security, capability, and privacy limitations, client information, such as the current URL that triggered the Snap, cannot be obtained, preventing more diverse functionality from being implemented.

These questions and limitations are mostly due to security considerations, and it is believed that more permissions will be considered for opening up in the future after security validation.

MetaMask, which provides these APIs, has actually become a product similar to an open platform. This feels like when WeChat introduced public accounts and mini-programs, instantly making it feel like more than just a simple messaging tool.

Back in 2019, MetaMask anticipated the current market landscape, with a large number of public chains, projects, and various customized wallet needs. Instead of each project needing to develop its own plugins and users needing to install multiple plugins, it is better to develop based on MetaMask Snap. In the first batch of released Snaps, we also found wallets from other non-EVM ecosystems such as Sui Wallet, Solana Wallet, and Arweave Wallet. With the existing user base, MetaMask Snap will undoubtedly have a significant impact on the wallet landscape.

In fact, the potential of MetaMask Snap may be even greater than we expected, possibly extending beyond the scope of wallets. We can also see the work from the EthSign team, which has developed a universal password manager called KeyChain based on MetaMask Snaps. All passwords in the browser can be encrypted and stored with wallet keys. This way, managing the wallet also includes all passwords.

Snap is highly relevant to developers. With the open API provided, what is the specific developer experience like? Why not try developing a Snap hands-on?

Directly Develop a Snap for Testing

Organizing Thoughts

As we all know, in most cases, most users do not actually know what smart contract they are interacting with, mainly including the following questions:

• Is the contract for the transaction a phishing site replacement contract?

• Is the contract for the transaction an upgradable contract?

• Is the smart contract a newly deployed contract with few verifications?

• Is the contract for the transaction open-source?

For the average user, it is practically impossible to expect them to read the solidity code of the contract before interacting. This is where the Transaction Insight feature is very suitable for implementing some smart contract analysis, such as using AI to conduct a relatively simple security audit of smart contracts, perhaps filtering out 80% of low-level phishing attacks.

Setting Up the Development Environment

Download the Wallet

First, install MetaMask Flask.

MetaMask Flask is a developer-centric distribution of MetaMask extensions, mainly used for new feature previews and experimental feature development. Please note that this is a developer version of MetaMask, so do not use it for daily use or import your daily use private keys. Using Flask here is mainly for the convenience of instant local preview of the Snap we are developing.

It is recommended to temporarily turn off the MetaMask wallet and other browser wallets after installation, or create a new Chrome Profile to use, to avoid conflicts.

Create an Account

After installing the wallet, create a new wallet just like creating a regular MetaMask wallet. Please note that this is a wallet specifically for testing, so do not import your daily wallet.

Next, we need to deposit some test coins into the newly created wallet. Test coins can be obtained from a faucet. In this case, the Snap uses Goerli, so the following steps mainly focus on Goerli.

Initialize the Snap Based on the Template

According to the official documentation, first use the @metamask/create-snap CLI to create a new Snap project, and initialize it using the official template:

Snap File Structure

The main files of the Snap are located in ./packages/snap, and the directory structure is as follows:

The configuration file for the Snap is placed in snap.mainfest.json, and the main file for the Snap is ./src/index.ts, which appears to be very concise.

Enabling Permissions

First, we need to enable permissions. We can add the following three lines to snap.mainfest.json:

The Mainfest file can also be modified to change the description and proposedName to modify the project's description and name.

Getting Transactions

Next, in this example, all the required functionality can be completed by modifying the index.ts file. A simple code example is as follows, and for the complete runnable code, please refer to: https://github.com/LidamaoHub/insights.

After installation, you will see similar risk prompt information for each of your transactions:

Currently, the development experience of Snap is very smooth, with almost no encountered issues, and the official templates are also very diverse. Experienced developers can usually get started and begin developing their required Snaps within a few hours. However, the biggest hurdle to formal release and widespread user adoption will be security audits. Not all independent developers and small teams have the resources to conduct audits for their Snaps. Therefore, it can be expected that the quantity and richness of Snaps will not experience a significant explosive growth for a long time in the future.

Developer Support

If you are able to run the above example, congratulations, you have become a qualified entry-level Snap developer!

MetaMask also established a MetaMask Grants DAO last year to fund high-value projects within the MetaMask ecosystem through a grant program. The MetaMask Grants DAO is an employee-led experimental program that distributes grants to external developers globally to build impactful experiences within the MetaMask ecosystem. MetaMask allocates a portion of its profits to this DAO every quarter, and the current annual budget for MetaMask Grants DAO is $2.4 million.

Currently, any project that can enrich the MetaMask ecosystem can apply for official MetaMask Grants DAO (MetaMask Grant). For more information, please visit https://metamaskgrants.org/.

It is worth mentioning that LXDAO was fortunate to apply for and participate in the development of related projects through MetaMask Grants this year, and has established a communication channel. If you are a member of LXDAO and have related ideas, you can contact them more efficiently to submit an application.

Conclusion

In the above, we have analyzed Snap from a technical perspective, including what it is, its security, capability limitations, and developer experience. A simple summary is as follows:

• Snap is similar to WeChat mini-programs, opening up greater potential for MetaMask

• Overall, the security is good, but there are still certain risks, and vigilance should be maintained for high-risk permissions

• Due to security considerations, there are currently not many open capabilities, but there is still enough room for imagination for Snaps

• After four years of refinement and testing, the developer experience is excellent. However, due to security considerations, a whitelist mechanism and audit requirements have been designed. It can be expected that there will not be a large number of Snaps emerging in the near future

Currently, MetaMask Snap is still rapidly iterating, and it is believed that more permissions and capabilities will be opened up in the future. Hopefully, more open and secure mechanisms will be introduced, such as Apple's official Audit review mechanism and official code repository version control, in order to allow more developers to participate at a low cost. If this issue is improved, it can be expected that there will be a significant demand in the future, and there may even be dedicated Snap developer positions.

With the massive number of MetaMask users, independent developers may also have certain opportunities. Let's wait and see for the next breakthrough innovation brought by Snap.

Finally, thank you for your article. I believe it will help more people understand the current development status of MetaMask Snap.

免责声明：本文章仅代表作者个人观点，不代表本平台的立场和观点。本文章仅供信息分享，不构成对任何人的任何投资建议。用户与作者之间的任何争议，与本平台无关。如网页中刊载的文章或图片涉及侵权，请提供相关的权利证明和身份证明发送邮件到support@aicoin.com，本平台相关工作人员将会进行核查。