Unmasking Metamask - Is Web3 Really Decentralized And Private?


ConsenSys updated its privacy policy on November 23, 2022. The update states that it will collect users' personal information, such as IP addresses and wallet addresses, through MetaMask and Infura, which has sparked fears about personal privacy on both products. Notably, this is not the first time Infura has faced privacy concerns. What are the risks of using Infura and MetaMask, and what can you do about them? This article covers both questions.

What Is the Relationship Between Metamask, Infura, and ConsenSys?

MetaMask, the most widely used EVM-compatible crypto wallet today, was created by ConsenSys in 2016 and was the first step into Web3 for many people. Infura is a centralized RPC (Remote Procedure Call) service provider, which was acquired by ConsenSys in 2019. MetaMask relies on Infura's RPC endpoints to access blockchain networks. Thus, when users interact with blockchains through MetaMask, their requests are actually processed by a centralized entity.

What is RPC?

In a blockchain context, RPC is a way for nodes to communicate with each other or with the virtual machine. More specifically, through the RPC API (a kind of gateway for interaction), each node can send instructions to other nodes in the blockchain network or query data from them.

For decentralized apps (DApps), to interact with blockchains (such as reading and writing data to the network or executing smart contracts), they need to first connect to a node and then communicate with the network. How can the DApps connect to the nodes? Again, through RPC API.
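The following is an added illustration, not MetaMask or Infura code: it shows that the JSON-RPC request bodies a wallet sends over this API carry account addresses in plaintext, which the endpoint operator can pair with the connection's source IP. The sample traffic, addresses and IPs are constructed, and the function names are hypothetical.

```javascript
// Added example with constructed data; not MetaMask or Infura code.
// Ethereum JSON-RPC methods whose first parameter is an account address.
const ADDRESS_FIRST = new Set(["eth_getBalance", "eth_getTransactionCount"]);
const BALANCE_OF = "0x70a08231"; // ERC-20 balanceOf(address) function selector

// Return the account addresses readable in one JSON-RPC request body.
function addressesDisclosed(req) {
  const found = new Set();
  const params = Array.isArray(req.params) ? req.params : [];
  const p = params[0];
  if (ADDRESS_FIRST.has(req.method) && typeof p === "string") {
    found.add(p.toLowerCase());
  }
  if (req.method === "eth_call" && p && typeof p === "object") {
    if (typeof p.from === "string") found.add(p.from.toLowerCase());
    const data = typeof p.data === "string" ? p.data.toLowerCase() : "";
    // balanceOf calldata = 4-byte selector + address left-padded to 32 bytes
    if (data.startsWith(BALANCE_OF) && data.length === 10 + 64) {
      found.add("0x" + data.slice(-40));
    }
  }
  return [...found];
}

// Group what an endpoint operator could log: source IP -> addresses seen.
function providerView(entries) {
  const view = new Map();
  for (const { ip, body } of entries) {
    const batch = Array.isArray(body) ? body : [body]; // JSON-RPC batches
    if (!view.has(ip)) view.set(ip, new Set());
    for (const req of batch) {
      for (const a of addressesDisclosed(req)) view.get(ip).add(a);
    }
  }
  return new Map([...view].map(([ip, set]) => [ip, [...set].sort()]));
}

// Constructed sample traffic (documentation-range IPs, made-up addresses).
const A = "0x" + "a1".repeat(20), B = "0x" + "b2".repeat(20);
const TOKEN = "0x" + "c3".repeat(20); // hypothetical ERC-20 contract
const SAMPLE = [
  { ip: "203.0.113.7", body: { jsonrpc: "2.0", id: 1, method: "eth_blockNumber", params: [] } },
  { ip: "203.0.113.7", body: { jsonrpc: "2.0", id: 2, method: "eth_getBalance", params: [A, "latest"] } },
  { ip: "203.0.113.7", body: [{ jsonrpc: "2.0", id: 3, method: "eth_call",
      params: [{ to: TOKEN, data: BALANCE_OF + "0".repeat(24) + B.slice(2) }, "latest"] }] },
  { ip: "198.51.100.9", body: { jsonrpc: "2.0", id: 4, method: "eth_getTransactionCount", params: [A, "pending"] } },
];
console.log(providerView(SAMPLE));
```

In the sample, one IP is tied to two addresses and one address is seen from two IPs, which is the linkage a self-hosted node keeps away from third parties.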

How Do Infura's Centralized Services Affect Users?

ConsenSys updated its privacy policy on November 23, 2022. It states that users' IP addresses and wallet addresses will be collected when they use Infura or Infura RPCs on MetaMask, which has sparked fears about personal privacy on Infura and MetaMask. The original excerpt is below.

Source: ConsenSys

Because MetaMask relies on a single RPC provider, it is exposed to the risks of centralization.

A single point of failure. All of MetaMask's services are affected by Infura outages.

The operation of a centralized institution is opaque and can be easily manipulated.

A centralized institution can be placed under regulatory control, in which case users' private data can easily be fetched or their accounts blocked without any notification.

Unfortunately, Infura has experienced all the issues above.

In November 2020, Infura's service was interrupted because it had not updated its Geth nodes. Many DApps built on Infura were affected, such as MetaMask, Maker, Uniswap, and Compound. CEXs, including Binance and Coinbase, even halted $ETH and ERC20 token withdrawals.

In March 2022, some MetaMask users in Venezuela reported on Twitter that they could not access their accounts correctly. Infura then claimed that some countries and regions (e.g. Iran, Cuba, North Korea, Syria, and the Crimea, Donetsk, and Luhansk regions of Ukraine) are blocked from Infura services due to US sanctions. However, a few countries, including Venezuela, were mistakenly blocked.

What Protocols Are Using Infura?

Here we list some of the clients that rely on Infura, including mainstream DeFi protocols, infrastructure providers, and browsers.

Notably, besides Infura, there are other centralized RPC service providers such as Alchemy, Quicknode, Chainstack, and more.

What Are the Alternatives to Infura?

So how can we protect our privacy? There are two ways. First, you could run a node yourself, which is the safest way. Or you could use decentralized RPC services as alternatives.

Run a Node

Create your own node so that no third party has access to your transaction information. For Ethereum, you can download an Ethereum client to run the node. Check the tutorial below.

Tutorial: https://ethereum.org/en/developers/docs/nodes-and-clients/run-a-node/

Decentralized RPC Service

Unlike a centralized RPC service provider, a decentralized RPC service is operated by multiple nodes rather than a single entity. Normally, the protocol is permissionless, as any node can stake the protocol's assets to join the network. The staked assets back the quality of the node's service: if there is a violation or improper behavior, the assets are deducted (slashed). Here we list some decentralized RPC service providers.

Ankr was initiated in 2017. It offers users Web3 infrastructure services including RPC, API/SDK, AppChains, Liquid Staking, etc. Once Ankr receives an RPC request, the protocol assigns the request to a random node. The load balancer then assigns the request to an optimal node ranked by Ankr's algorithm score. Currently, Ankr supports RPC services for 22+ networks, including Ethereum, Avalanche, BNB Chain, Solana, Arbitrum, Optimism, Polygon, Aptos, SUI, etc.

RPC List: https://www.ankr.com/rpc/

Pocket Network was also established in 2017 and currently provides RPC services for users and DApps. The biggest difference between Pocket Network and Ankr is that when a user initiates an RPC request, the protocol randomly selects a group of nodes for the user. These nodes provide service to the user for a limited timeframe. Currently, Pocket Network supports 23+ networks, including Ethereum, BNB Chain, Avalanche, Polygon, Solana, Optimism, Harmony, Near, Algorand, etc.

RPC List: https://docs.pokt.network/use/public-rpc/

HOPR Protocol is a decentralized infrastructure service provider founded in 2019. It pointed out that decentralized RPC protocols such as Ankr and Pocket Network can protect users from some centralized risks, but cannot protect users' privacy. Therefore, the HOPR protocol introduces a metadata privacy product called RPCh, based on the decentralized node network. Using RPCh, users can hide their personal information (such as IP address) while using RPC services. Think of it as a Tor network for blockchain. The RPCh service is planned to be launched in 2023 Q1. The team has posted a guide for wallet integration, and the link is displayed below.

Guide: https://github.com/hoprnet/wallet-integration-guide

Here we compare the top centralized and decentralized RPC providers. As can be seen, all the providers support free access to RPC services, but decentralized service providers tend to perform better in risk diversification and also support more chains.

Top Blockchain RPC Providers

Closing Thought

However, there is no perfect solution that gives users an easy, efficient, and privacy-guaranteed way to access on-chain services, so there must be a trade-off. Even decentralized RPC providers cannot fully promise users' privacy. Infura also announced its decentralization plan in September, but this does not conflict with its privacy policy. Therefore, we still recommend that you customize your own RPC endpoints and use more privacy tools for a better Web3 experience.





