MetaMask is a HOT wallet which means that your password is encrypted but it is ON YOUR computer. Keep this in mind.
Also, if your MetaMask password gets compromised, it will give access to ALL your accounts you created on MetaMask.
Therefore, never copy and paste your password into the MetaMask wallet, but, type it in manually. This rule also applies when importing an existing wallet using your seed words, always type them, never copy + paste them.
Check the connected sites to your MetaMask wallet. Go to Connected Sites and click ‘disconnect’. Active connections allow the connected site to read your balances and look at your past transactions.
Turn off unlimited spends. By linking up with some websites while signing contracts, you may have given a contract access to unlimited spends.
This allows the connected contract to do whatever they want with your coins.
To check, go to https://revoke.cash/
Fill out your public account address from MetaMask and uncheck the filters ‘Filter out unregistered Tokens’ and ‘Filter out zero balances’. Then let the query run.
Make sure you know and trust the contract, like Uniswap, but revoke the unlimited spends on strange looking contracts. But remember, if you need to revoke a lot of connected contracts, it may become costly. In that case you may find it more efficient to just create a whole new wallet and send the funds there.
So in the query above, I have Unlimited allowance given to MetaMask for DEGEN and DERC, which I consider legit.
But if I would have something like in below screenshot, I would be more careful (contract addresses) and revoke unlimited spends for those contract addresses (but I would not revoke for Uniswap)
Make sure you are using the right MetaMask website https://MetaMask.io to prevent the ‘Rotten seed phrase’ attack, which is basically fake and malicious websites that attempt to trick users into installing the wallet using a compromised seed phrase that the attacker has access to. More about this attack here
Apply these safety rules as can be found on the MetaMask community website
Copy and past these rules and place them within your computer or mobile device, and/or write these down and place them next to you.
Rule #1: Never share your 12 words Secret Recovery Phrase (seed phrase) or private keys
Rule #2: Beware Impersonators! Make sure to see their trust level 4.
Rule #3: Never DM (direct message) with someone offering to help.
Rule #4: Never enter your secret seed phrase or private keys into any website online.
Rule #5: Never trust someone asking you to “authenticate your wallet”
Rule #6: Never import to your wallet a private key or a seed phrase someone gave you
Rule #7: MetaMask Support will never DM to help you.
Rule #8: DO NOT join discord servers, WhatsApps groups, WeChat groups, Telegram channels or Twitter DMs. These are all scams. MetaMask does not support these.
Rule #9: Report scammers. You can help the community safe.
Rule #10: Beware fake websites → Official Website: https://metamask.io/
Rule #11: Official Help → Support.MetaMask.io
Recommended Metamask Security Settings
The following are the recommended settings for using the Metamask browser extension and mobile app securely. Hopefully you will have many of these turned on by default, but it is worth checking and making any changes.
Metamask wallet browser extension:
Settings → Advanced → set Auto-Lock Timer to < 5 minutes
Settings → Advanced → turn off any experimental features
Settings → Advanced → set Auto-Lock Timer to < 5 minutes
Settings → Security & Privacy → turn on Use Phishing Detection
Settings → Alerts → turn on all
Mobile app:
Mobile app → Settings → Security & Privacy → set Auto-Lock Timer to < 30 sec
Mobile app → Settings → Security & Privacy →clear privacy data, cookies, and browser history at regular intervals
Mobile app → Settings → Security & Privacy → turn on Privacy mode
Mobile app → Settings → Security & Privacy →Mobile app → change password specific to mobile
Lock your wallet every time you are not using your wallet. (you unlock it by filling out your password). Below is the login screen when your wallet is locked.
Use a different browser to browse the web and trading. If you forget to lock your wallet while browsing, all the other sites get access to your wallet address and all transactions, you did previously (using Etherscan for example)
Avoid clicking on pop-ups claiming your last transaction failed when you have your wallet only on another browser.
Do not fill out your password on sudden pop-ups (with similar looking login screens for your Metamask wallet) asking you to fill out your password.
When you use, for example, PancakeSwap to make a swap in your trading browser, make sure only PancakeSwap is open, no other tabs on your browser should be open. Since maybe one of these websites then ask you for a confirmation of your Swap, only it will swap your coins to another malicious wallet. So close all the other tabs in your trading browser.
For example, use the Brave browser to trade, and Firefox or Chrome for non trading browsing. Brave automatically locks you out when you are not using your Metamask wallet.
