Audit of MetaMask Plugin System + LavaMoat

ConsenSys AG has requested that Least Authority perform a security audit of MetaMask, a browser extension that enables interaction with applications built on Ethereum. MetaMask allows users to browse the web and interact with Ethereum applications, sign messages and transactions, and securely manage and store their private keys and assets. 

The following components were in scope for our review:

  1. Plugin System
    • SES-based plugin system
  2. LavaMoat
    • Browserify plugin system allowing the isolation of dependencies in Secure EcmaScript (SES) containers with the aim of removing the dangers of supply chain attacks (malicious code in the app dependency graph), ambient authority, and embodying the principle of least authority.


Our final audit report was completed on March 4, 2020. 


Share this audit report

Contact Us

Browse our FAQs to learn more about our security consulting services or get in touch to discuss the security of your project.

Schedule a Call

Or email us at