Privacy is an important aspect of the blockchain. We want to keep our Ethereum addresses private, but we want to connect to different decentralised applications to interact with them. At the same time, we don’t want to give our private keys to anyone or any website. For this reason, there are different methods to securely connect to your accounts without compromising privacy or security, like the Ethereum Provider API described by EIP-1193, or WalletConnect. In this article, we'll go over how some of these methods work and how MyCrypto is able to connect to your accounts securely.
A Local Bridge via the Ethereum Provider API
API stands for Application Programming Interface and can be used for connecting different applications or software together through a standardised fashion. APIs let you use your computer, browse the internet, and access your Ethereum account.
Nowadays this is the most commonly used method for connecting to your account from decentralised applications, and is used by wallets like MetaMask. MetaMask will properly expose the Ethereum provider API through a global browser variable
window.ethereum. This is accessible by every website's (front-end) code.
Dapps and MyCrypto can use this API to talk to your MetaMask account by sending standardised JSON-RPC requests, as described by EIP-1193. JSON-RPC is a generic format commonly used in Ethereum for communication between certain APIs, Ethereum nodes (Geth, OpenEthereum), and, in this case, wallets like MetaMask.
Websites do not immediately have access to all your accounts when you’re using MetaMask, however. When you connect to MetaMask on MyCrypto, MyCrypto sends a
wallet_requestPermissions request to MetaMask, as per EIP-2255: Wallet Permissions System.
The request, sent through
window.ethereum.request(), looks something like this:
The first time you connect to MyCrypto, MetaMask will initiate and pop-up, asking you if you want to connect to MyCrypto. If you confirm, MyCrypto can now call
eth_accounts to get a list of the account(s) you want to use on MyCrypto. The private key of the account remains in MetaMask and is never exposed to MyCrypto (or other applications).
Always be sure that the MetaMask popup is legitimate when visiting a dapp like MyCrypto, OpenSea, and others. A common scam tactic is to mimic a site and display a fake MetaMask pop-up, which then asks you for your Secret Recovery Phrase.
In order to sign a transaction, you need a private key. As mentioned before, the private key is not exposed when using something like MetaMask, so how are you able to send transactions from MyCrypto?
MetaMask works similarly to a Ledger or Trezor hardware wallet. Rather than exposing the private key, MyCrypto sends the transaction to MetaMask, and MetaMask will prompt you to confirm the transaction. If you confirm, MetaMask sends back the signed transaction, or broadcasts the transaction itself and sends back the transaction hash. Altering the signed transaction makes the (cryptographic) signature invalid, so MetaMask can safely send this back.
Alternative Methods for Secure Connections
Remote Signing through QR Codes
Using QR codes, it's possible to easily sign transactions or messages without a direct connection between two devices simply by using the camera of your devices. An example of an app that works like this is Parity Signer, which uses the EIP-681 standard for generating QR codes.
When you initially want to connect to your Parity Signer, the app shows a QR code with something like
ethereum:<your address> as data. If you scan this QR code on your desktop computer (via a webcam), it tells the desktop application which address you want to use and can fetch the balance for this address.
Once you want to actually sign a transaction, you need to scan a QR code using the Parity Signer application - once again following the EIP-681 standard. The QR code includes where you want to send the transaction to, the amount of Ether you want to send, etc.
WalletConnect is a popular method for connecting from a website to a mobile application like MetaMask Mobile. While WalletConnect works with QR codes as well, they are only used to set up an initial connection between the two devices. Further communication requires a working internet connection and runs through a centralised server.
Using a centralised server, however, does not mean that WalletConnect is insecure. In fact, all communication is end-to-end encrypted, meaning that only the sender and the receiver can read the messages — the server does not have the private key to decrypt the messages.
MyCrypto values your privacy and security over everything else. For that reason, we only use the secure, trusted methods for communicating with your favourite wallets described above. Your private key is never exposed to MyCrypto directly, keeping it safe from possible malware or phishing attacks.