Don’t Get Tricked By MetaMask’s “New Wallet” Button!

Rob
3 min read · Jan 26, 2023

A few months ago my dev team found one of our testnet wallets in a public GitHub project. Not just the address, but the full private key. We spent a day in full 🚨Red Alert🚨 mode, rotating accounts, auditing all of our transactions, and searching for any possible way that someone could have stolen our dev credentials. Finally, we found the answer: some grad student on GitHub had generated the same key we had.

If the mathletes are to be trusted, the odds of two BIP39 wallets overlapping are like two people choosing the exact same grain of sand out of all the beaches and deserts in the world. It’s beyond unlikely. So what the hell happened?

It turns out that early in our development phase, we used an off-the-shelf Ethereum library that included a public demo wallet. The mnemonic got imported into MetaMask for testing, and after we finished our prototype we tossed out the demo wallet and created new wallets for future dev work. Or so we thought.

At this point, everyone who knows their way around HDWallets is allowed to shake their head and tsk-tsk at our mistake.

[Image: Bob Ross in front of a painting with the text “We don’t make mistakes, we just have happy accidents.” Caption: Just cover up your crypto accidents with happy little trees]

MetaMask is built around HD Wallet tech (“hierarchical deterministic,” not “Hi-def”), which means all of the accounts that MetaMask generates are children of the original mnemonic phrase. More specifically, they are deterministic, which means they are also predictable: anyone who holds the same mnemonic can derive the same accounts in the same order.

So, after we finished our work with the demo wallet and hit “Create Account” in MetaMask, the new account wasn’t actually random; it was the second (or third or fourth) derived private key off of the original mnemonic demo wallet. Our grad student friend on GitHub did the same thing, and generated the same private key.
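To see the determinism described above, here is an added example (not code from the original post or from MetaMask) that derives account keys along the `m/44'/60'/0'/0/index` path MetaMask uses, with only the Python standard library. It assumes the widely published Hardhat development mnemonic as a stand-in for the unnamed demo wallet; the function names are hypothetical.

```python
import hashlib, hmac

# secp256k1 field prime, group order and generator point
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(a, b):
    """Add two curve points; None is the point at infinity."""
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b:
        m = 3 * a[0] * a[0] * pow(2 * a[1] % P, -1, P)
    else:
        m = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P)
    x = (m * m - a[0] - b[0]) % P
    return (x, (m * (a[0] - x) - a[1]) % P)

def _pubkey(k):
    """Compressed public key for private key k (double-and-add)."""
    r, q = None, G
    while k:
        if k & 1: r = _add(r, q)
        q, k = _add(q, q), k >> 1
    return bytes([2 + (r[1] & 1)]) + r[0].to_bytes(32, "big")

def _ckd(key, chain, index):
    # BIP32: hardened children hash the parent private key, normal ones the public key
    data = b"\x00" + key.to_bytes(32, "big") if index >= 0x80000000 else _pubkey(key)
    d = hmac.new(chain, data + index.to_bytes(4, "big"), hashlib.sha512).digest()
    return (int.from_bytes(d[:32], "big") + key) % N, d[32:]

def derive_account_key(mnemonic, index, passphrase=""):
    """BIP39 seed -> BIP32 master -> m/44'/60'/0'/0/index private key (hex)."""
    seed = hashlib.pbkdf2_hmac("sha512", mnemonic.encode(), b"mnemonic" + passphrase.encode(), 2048)
    d = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key, chain, H = int.from_bytes(d[:32], "big"), d[32:], 0x80000000
    for i in (44 + H, 60 + H, H, 0, index):
        key, chain = _ckd(key, chain, i)
    return key.to_bytes(32, "big").hex()

# Assumption: a public development mnemonic, standing in for the post's demo wallet
DEMO = "test test test test test test test test test test test junk"

def accounts(mnemonic, count=3):
    """The keys behind the first `count` 'Create Account' clicks for this mnemonic."""
    return [derive_account_key(mnemonic, i) for i in range(count)]

if __name__ == "__main__":
    print("\n".join(accounts(DEMO)))
```

Running it on any machine prints the same three keys, because nothing in the derivation is random once the mnemonic is fixed.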

We got extremely lucky that our dumb mistake was limited to a testnet where the stakes were low, but forgetting or misunderstanding how HD Wallets work can be a serious risk for crypto users. Consider the following hypothetical:

Your tech-savvy grandma is out yield farming her shitcoins one day when she gets a message that her wallet has been compromised. Being the salty old DeFi wizard she is, Gramms pops open MetaMask, creates a brand new account, and immediately transfers all of her Dogecoin and Bored Apes over to the new wallet. Safe and sound. Time for tea and biscuits!

Except Gramms isn’t safe and sound. If scammers got ahold of her mnemonic, all they need to do is generate the next wallet in the sequence and they have access to all of her funds again.

To safely cut the link, you need to fully log out of MetaMask (remember to back up your old account’s mnemonic and private keys) and create a new account with a fresh 12-word mnemonic phrase.

Finally, remember that a lot of different wallet plug-ins and apps are built on the same core technology as MetaMask and they work in the same way. When in doubt, remember that you haven’t created a “new wallet” until you’ve created a new mnemonic phrase.
