CryptoKeySafe
Module 3

Hot Wallets, Browser Extensions, and dApp Interaction

Hot wallets are where most crypto theft actually happens. Not because the protocols are fundamentally broken, but because of how people use them - unlimited approvals, browser extensions with access to everything, and transactions signed without understanding what they authorize.

Video narration arrives Q3 2026. Full written lesson available below.

MetaMask

MetaMask is a browser extension and mobile app that serves as the primary gateway to Ethereum-compatible dApps. About 30 million people use it monthly. It works by injecting a JavaScript object (window.ethereum) into every web page you visit, which dApps use to request signatures and send transactions.

The security architecture has a known weakness: at certain points during operation, private keys are held unencrypted in browser memory. A 2025 security analysis confirmed that MetaMask's handling of keys in memory creates a window where a malicious browser extension or memory dump could theoretically extract them. This is inherent to how browser-based wallets work, not unique to MetaMask.

January 2026 saw signature phishing attacks (also called permit phishing) increase 207% compared to the same period the prior year. These attacks don't steal your seed phrase - they trick you into signing an off-chain authorization (an EIP-2612 permit, or a Uniswap Permit2 signature) that gives the attacker an allowance over your tokens. The signature happens in MetaMask's popup and costs you no gas, because nothing is broadcast at that moment: the attacker later submits your signed permit on-chain at their own expense and calls transferFrom. The result is the same as handing over your tokens, with no transaction ever originating from your wallet.
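
The checks below are an added example written for this lesson, not MetaMask's or any dApp's code. They take the typed data a wallet receives in an eth_signTypedData_v4 request and list what a careful signer should notice: that the message is a spending authorization at all, whether the domain matches the connected chain, whether the spender is one you chose, and whether the amount or deadline is effectively unlimited. The allowlist, addresses and sample requests are constructed placeholders; the field names follow EIP-2612 (spender, value, deadline) and Permit2's PermitSingle (spender, details.amount, sigDeadline).

```javascript
// Added example (not MetaMask's or any dApp's code): what to check in an
// eth_signTypedData_v4 request before approving it. Runs offline against
// constructed typed-data requests.

const MAX_UINT256 = (1n << 256n) - 1n;
const MAX_UINT160 = (1n << 160n) - 1n;        // Permit2 amounts are uint160
const THIRTY_DAYS = 30n * 24n * 3600n;

// Hypothetical allowlist: spenders the user deliberately chose to use.
// Placeholder addresses, not real contracts.
const ROUTER = "0x1111111111111111111111111111111111111111";
const TOKEN = "0x2222222222222222222222222222222222222222";
const OWNER = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
const ATTACKER = "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb";
const TRUSTED_SPENDERS = new Set([ROUTER]);

// Returns a list of warnings. For any permit-type message the first entry is
// always the reminder that the signature itself is the authorization.
function inspectTypedData(typedDataJson, { chainId, nowSeconds, trusted = TRUSTED_SPENDERS }) {
  const td = JSON.parse(typedDataJson);
  const warnings = [];
  if (!["Permit", "PermitSingle", "PermitBatch"].includes(td.primaryType)) {
    return warnings;                          // not a spending authorization (e.g. a login nonce)
  }
  warnings.push(`${td.primaryType}: signing this authorizes token spending; no transaction from you is needed`);

  // The domain binds the signature to one verifying contract on one chain.
  if (Number(td.domain.chainId) !== chainId) {
    warnings.push(`domain chainId ${td.domain.chainId} differs from connected chain ${chainId}`);
  }

  const msg = td.message;
  // EIP-2612 (verifyingContract is the token): spender, value, deadline.
  // Permit2 PermitSingle (verifyingContract is Permit2): spender, details.amount, sigDeadline.
  const spender = String(msg.spender ?? "").toLowerCase();
  const amount = BigInt(msg.value ?? msg.details?.amount ?? 0);
  const deadline = BigInt(msg.deadline ?? msg.sigDeadline ?? 0);

  if (!trusted.has(spender)) warnings.push(`spender ${spender} is not one you chose to use`);
  if (amount === MAX_UINT256 || amount === MAX_UINT160) warnings.push("amount is unlimited");
  if (deadline === MAX_UINT256 || deadline - BigInt(nowSeconds) > THIRTY_DAYS) {
    warnings.push("deadline is more than 30 days out (or never expires)");
  }
  return warnings;
}

// Constructed EIP-2612 request for a stablecoin on Ethereum mainnet.
const PERMIT_TYPES = {
  EIP712Domain: [
    { name: "name", type: "string" }, { name: "version", type: "string" },
    { name: "chainId", type: "uint256" }, { name: "verifyingContract", type: "address" },
  ],
  Permit: [
    { name: "owner", type: "address" }, { name: "spender", type: "address" },
    { name: "value", type: "uint256" }, { name: "nonce", type: "uint256" }, { name: "deadline", type: "uint256" },
  ],
};
function permitRequest({ spender, value, deadline }) {
  return JSON.stringify({
    types: PERMIT_TYPES,
    primaryType: "Permit",
    domain: { name: "USD Coin", version: "2", chainId: 1, verifyingContract: TOKEN },
    message: { owner: OWNER, spender, value: value.toString(), nonce: "0", deadline: deadline.toString() },
  });
}

const NOW = 1700000000;
// What a drainer site asks for: unlimited value, deadline that never comes.
const PHISHING_PERMIT = permitRequest({ spender: ATTACKER, value: MAX_UINT256, deadline: MAX_UINT256 });
// What a well-behaved DEX asks for: exact amount, deadline twenty minutes out.
const BENIGN_PERMIT = permitRequest({ spender: ROUTER, value: 1000n * 10n ** 6n, deadline: BigInt(NOW + 1200) });

console.log(inspectTypedData(PHISHING_PERMIT, { chainId: 1, nowSeconds: NOW }));
console.log(inspectTypedData(BENIGN_PERMIT, { chainId: 1, nowSeconds: NOW }));
```

Real wallets render the same fields in their popup; the point of the function is that every one of them is worth reading, and that a permit with an unknown spender, a max amount and a far-off deadline is the exact shape of the attack described above.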

MetaMask security practices

  • Only install from metamask.io or the official Chrome/Firefox extension stores
  • Use MetaMask in a dedicated browser profile with no other extensions installed
  • Read what you're signing before clicking Confirm - check the 'to' address on transactions, and the spender and amount on approvals and permits
  • Never sign permit/approval requests for contracts you didn't navigate to intentionally
  • Keep less than you'd be comfortable losing in any browser wallet

Phantom

Phantom started as a Solana-only wallet and expanded to Ethereum, Polygon, and Bitcoin in 2023-2024. It's the dominant browser wallet for Solana DeFi and NFTs.

A 2025 security disclosure revealed that Phantom, like MetaMask, has periods where private keys exist unencrypted in memory. This is a structural issue with browser-based key management, not a Phantom-specific vulnerability. Phantom has built-in malicious transaction detection that flags some known attack patterns before you sign, which is a meaningful defensive layer.

Phantom's primary risk surface is Solana's DeFi ecosystem, which moves faster and has less mature audit practices than Ethereum. If you're actively using Solana DeFi protocols, Phantom is the most practical wallet, but the same principles apply: small balances, dedicated browser profile, read before signing.

Rabby

Rabby is a browser extension wallet developed by DeBank. It has grown significantly in 2025-2026 among security-conscious DeFi users because of one specific feature: pre-transaction simulation.

Before you confirm any transaction, Rabby simulates what it will actually do. It shows you exactly which tokens leave your wallet, which arrive, and what the net change will be. For a simple token swap, this confirms you're getting what the dApp showed you. For a malicious approval or a drainer contract disguised as a mint, the simulation shows the truth before any funds move.

Rabby also receives regular third-party security audits and displays approval history, showing you what contracts currently have spending permissions on your tokens. If you're going to use a browser wallet for active DeFi, Rabby is the more security-oriented choice over MetaMask for most use cases.

Trust Wallet

Trust Wallet has over 200 million downloads and supports 100+ blockchains and 10 million+ tokens. It's primarily a mobile wallet, acquired by Binance in 2018 and later open-sourced.

In late 2024, a vulnerability in the Trust Wallet browser extension (not the mobile app) allowed attackers to extract private keys from affected installations. Estimated losses were approximately $6 million. Trust Wallet patched the extension and issued guidance, but the incident reinforced the risk profile of browser extensions relative to mobile or hardware alternatives.

Trust Wallet's mobile application is a reasonable choice for on-the-go management of smaller balances across many chains. The browser extension carries the same warning as all browser extension wallets: isolated browser profile, minimal balance, and verify every transaction.

Coinbase Wallet

There are two Coinbase products with different security models, and confusing them is a mistake many people make. Coinbase Exchange (custodial) holds your keys. Coinbase Wallet (self-custody) does not. This module concerns Coinbase Wallet.

Coinbase Wallet is a self-custody wallet available as a mobile app and browser extension. Your private key is generated on your device and encrypted with your chosen password. Coinbase cannot access it.

The 2024-2025 Coinbase security incident affected the exchange (custodial) product, not Coinbase Wallet. Criminals bribed external vendor support agents contracted to handle customer service. The stolen data was customer identifying information - names, addresses, phone numbers, partial government ID - not private keys. But this personal data was sufficient to run targeted social engineering attacks against high-value targets.

In May 2025, Coinbase disclosed the incident, refused the extortion demand and instead offered a $20 million reward for information leading to the attackers' arrest, and terminated the contractors involved. The incident is instructive: the attack vector was human (bribery and social engineering), not technical. Institutional-grade infrastructure doesn't help if the operational security layer - the people - can be compromised.

How dApp Connections Work

The Injected Provider

When MetaMask (or any browser extension wallet) is installed, it injects a JavaScript object called window.ethereum into every web page you visit. When a dApp wants to interact with your wallet, it calls methods on this object: eth_requestAccounts to get your address, eth_sendTransaction to have the wallet sign and broadcast a transaction, and personal_sign or eth_signTypedData_v4 to sign messages. (The raw eth_sign method, which signs an arbitrary hash with no readable content, is disabled by default in MetaMask for exactly that reason.)

This is why a malicious browser extension that runs before MetaMask in the injection order can intercept these calls. An extension that replaces or wraps window.ethereum sees every dApp interaction before MetaMask does, and can rewrite the parameters on the way through. Nothing on the page can prove which provider is the real one; the only display the page cannot tamper with is the wallet's own confirmation window, which is why reading it matters.
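
To make the interception concrete, here is an added example (not MetaMask's or any extension's code). It builds a stand-in for the wallet's injected provider, wraps it in a Proxy of the kind a hostile extension could install under window.ethereum, and runs an ordinary dApp payment flow through both. Real providers return Promises; this stand-in is synchronous so the flow reads top to bottom. Every address is a constructed placeholder.

```javascript
// Added example, not MetaMask's code: why a wrapper around window.ethereum
// sees and can rewrite every dApp request before the wallet does.

const USER = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
const MERCHANT = "0xcccccccccccccccccccccccccccccccccccccccc";
const ATTACKER = "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb";

// The "wallet": records every request exactly as it arrives. In the real
// extension this is the data the confirmation popup renders to the user.
function makeWalletProvider() {
  const seen = [];
  return {
    isMetaMask: true,
    seen,
    request({ method, params }) {
      seen.push({ method, params });
      if (method === "eth_requestAccounts") return [USER];
      if (method === "eth_sendTransaction") return "0x" + "00".repeat(32); // fake tx hash
      throw new Error(`unsupported method ${method}`);
    },
  };
}

// A hostile extension loaded ahead of the wallet replaces window.ethereum
// with a wrapper. Every property reads through to the real provider, except
// that outgoing transactions have their recipient rewritten.
function wrapWithHijacker(realProvider, attacker) {
  return new Proxy(realProvider, {
    get(target, prop, receiver) {
      if (prop !== "request") return Reflect.get(target, prop, receiver);
      return (args) => {
        if (args.method === "eth_sendTransaction") {
          const [tx] = args.params;
          return target.request({ method: args.method, params: [{ ...tx, to: attacker }] });
        }
        return target.request(args);
      };
    },
  });
}

// The dApp's side: exactly what an honest page does, unaware of any wrapper.
// Returns the transaction the wallet actually received, i.e. what its popup shows.
function dappSendPayment(provider, to, valueWei) {
  const [from] = provider.request({ method: "eth_requestAccounts", params: [] });
  const hash = provider.request({
    method: "eth_sendTransaction",
    params: [{ from, to, value: "0x" + valueWei.toString(16) }],
  });
  return { hash, walletSaw: provider.seen[provider.seen.length - 1].params[0] };
}

// The feature-detection dApps usually do. It passes for the wrapper too,
// because the Proxy forwards every property it does not tamper with.
function providerLooksGenuine(provider) {
  return provider.isMetaMask === true && typeof provider.request === "function";
}

const honest = makeWalletProvider();
console.log("honest wallet saw to =", dappSendPayment(honest, MERCHANT, 10n ** 18n).walletSaw.to);

const hijacked = wrapWithHijacker(makeWalletProvider(), ATTACKER);
console.log("hijacked wallet saw to =", dappSendPayment(hijacked, MERCHANT, 10n ** 18n).walletSaw.to);
console.log("dApp can tell the difference?", providerLooksGenuine(honest) !== providerLooksGenuine(hijacked));
```

EIP-6963 lets wallets announce themselves through events instead of fighting over a single window.ethereum, which reduces accidental collisions between legitimate wallets, but a malicious extension can announce a provider just as easily. The defence that survives is the one the dedicated-profile advice above is built on: fewer extensions, and reading the recipient in the wallet's own window rather than trusting the page.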

WalletConnect

WalletConnect is a protocol for connecting mobile wallets to desktop dApps without a browser extension. You scan a QR code with your mobile wallet; this establishes an encrypted session between your wallet and the dApp via WalletConnect's relay servers. The dApp sends transaction requests through the relay; your wallet displays them for your approval.

The risk in WalletConnect is who generated the QR code. The pairing URI carries only a relay topic and a symmetric key, nothing that identifies the dApp, so whoever produced it becomes your session peer. If a phishing site that clones a legitimate dApp interface serves its own QR code, the encrypted session connects to the attacker's backend instead of the real dApp, and you're then shown whatever transaction the attacker wants you to sign. The dApp name and URL your wallet displays after pairing are supplied by that peer and can be faked, so the transaction details are what you must read.
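
The following is an added example, not WalletConnect's code. It parses a v2 pairing URI (the content of the QR code) to show what a wallet actually learns from it, and compares the metadata a session proposal later claims against the page the user is really on. Both URIs, the topics and keys, and the proposal object are constructed; the proposal shape follows WalletConnect v2's proposer.metadata and is assumed here rather than checked against a live relay.

```javascript
// Added example, not WalletConnect's code: what a pairing URI carries and
// what it does not. Sample URIs and the proposal are constructed.

// WalletConnect v2 pairing URI:
//   wc:<topic>@2?relay-protocol=irn&symKey=<32-byte hex>[&expiryTimestamp=<unix seconds>]
function parseWcUri(uri) {
  if (!uri.startsWith("wc:")) throw new Error("not a WalletConnect URI");
  const q = uri.indexOf("?");
  const pairing = q < 0 ? uri.slice(3) : uri.slice(3, q);
  const query = q < 0 ? "" : uri.slice(q + 1);
  const at = pairing.lastIndexOf("@");
  if (at < 0) throw new Error("missing protocol version");
  const params = Object.fromEntries(new URLSearchParams(query));
  return {
    topic: pairing.slice(0, at),            // relay channel both sides subscribe to
    version: Number(pairing.slice(at + 1)),
    relayProtocol: params["relay-protocol"] ?? null,
    symKey: params.symKey ?? null,          // key for the pairing channel; whoever holds it is your peer
    expiryTimestamp: params.expiryTimestamp ? Number(params.expiryTimestamp) : null,
    // No field above names a dApp, a domain, or a public key. The URI is
    // content-indistinguishable whether a real dApp or a clone produced it.
  };
}

// Constructed: one URI as a genuine dApp would generate, one from a phishing
// clone of the same dApp. Topic and symKey are random per session either way.
const GENUINE_URI = "wc:" + "11".repeat(32) + "@2?relay-protocol=irn&symKey=" + "22".repeat(32) + "&expiryTimestamp=1700000300";
const CLONE_URI = "wc:" + "33".repeat(32) + "@2?relay-protocol=irn&symKey=" + "44".repeat(32) + "&expiryTimestamp=1700000300";

// After pairing, the peer sends a session proposal whose metadata (name, url,
// icons) is self-described. Comparing the claimed url with the page the user
// is actually browsing catches sloppy clones on lookalike domains; a determined
// attacker can claim any url, so this is a sanity check, not authentication.
function proposalMatchesPage(proposal, pageUrl) {
  const claimed = new URL(proposal.proposer.metadata.url);
  const actual = new URL(pageUrl);
  return claimed.protocol === "https:" && claimed.host === actual.host;
}

// Constructed proposal, in the assumed WalletConnect v2 shape.
const PROPOSAL = {
  proposer: {
    publicKey: "55".repeat(32),
    metadata: { name: "Example Swap", description: "constructed", url: "https://app.example.com", icons: [] },
  },
};

console.log(parseWcUri(GENUINE_URI));
console.log("same structure from the clone:", Object.keys(parseWcUri(CLONE_URI)).join(","));
console.log("claimed url matches page:", proposalMatchesPage(PROPOSAL, "https://app.example.com/swap"));
console.log("claimed url matches lookalike:", proposalMatchesPage(PROPOSAL, "https://app-example.com/swap"));
```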

Token Approvals

Token approvals are one of the highest-risk areas in DeFi. When you interact with a DEX, lending protocol, or NFT marketplace, it typically asks you to approve a token allowance before the main transaction. This approval is a separate on-chain transaction that grants a smart contract address permission to move a specified amount of a token from your wallet.

The default for most protocols is unlimited approval. This is convenient because you approve once rather than before every transaction. But it means that contract holds permission to move your entire balance of that token until you revoke it, even years later. Nearly every 2024-2025 incident described as "draining user funds" depended on approvals users had granted earlier, often unlimited ones.

Approval exploit examples from 2025-2026

  • Fisclend (January 2025): Exploit drained tokens from users who had granted unlimited approvals to the protocol during its initial period. Approval revocation was not part of users' routine.
  • Aperture Finance (January 2026): Attacker exploited a contract vulnerability and used existing unlimited approvals to drain user balances across multiple tokens.
  • SwapNet DEX: Over $13 million drained from active approvals that users had granted and forgotten about. Protocol's contract was upgraded maliciously.
  • CoinMarketCap homepage (doodle exploit, June 2025): $43,000 from 110 victims via malicious JavaScript delivered through a rotating doodle on the homepage. The script raised a fake "verify your wallet" prompt; visitors who connected and confirmed were run through a wallet drainer that used their existing token approvals.

The defensive response is simple: visit revoke.cash monthly, connect your wallet, and revoke any approvals you don't actively need. The service is free and supports 100+ networks. When granting a new approval, set a specific token amount rather than unlimited whenever the protocol allows it. Module 5 covers the full approval management workflow.
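
As an added example (not revoke.cash's or any wallet's code), the block below decodes the calldata of an ERC-20 approve() exactly as it arrives in an eth_sendTransaction request, flags the unlimited case, and builds the transaction that revokes it, which is nothing more than approve(spender, 0) sent to the token by its owner. The selectors are the real four-byte identifiers for the ERC-20 functions named; every address and the sample transactions are constructed.

```javascript
// Added example, not revoke.cash's or any wallet's code: decode approve()
// calldata, detect an unlimited allowance, and build the revoke transaction.

const MAX_UINT256 = (1n << 256n) - 1n;

// First 4 bytes of keccak256 over the canonical ERC-20 signatures.
const SELECTORS = {
  "0x095ea7b3": "approve(address,uint256)",
  "0xa9059cbb": "transfer(address,uint256)",
  "0x23b872dd": "transferFrom(address,address,uint256)",
};

// ABI word i (32 bytes, 64 hex chars) following the 4-byte selector.
function word(data, i) {
  return data.slice(8 + 64 * i, 8 + 64 * (i + 1));
}

function decodeCalldata(tx) {
  const data = (tx.data ?? "").toLowerCase().replace(/^0x/, "");
  const selector = "0x" + data.slice(0, 8);
  const name = SELECTORS[selector] ?? null;
  if (name !== "approve(address,uint256)") return { isApproval: false, selector, name };
  if (data.length < 8 + 128) return { isApproval: false, selector, name, malformed: true };
  const amount = BigInt("0x" + word(data, 1));
  return {
    isApproval: true,
    selector,
    name,
    token: tx.to.toLowerCase(),                  // approve() is called on the token contract itself
    spender: "0x" + word(data, 0).slice(24),     // an address is right-aligned in its 32-byte word
    amount,
    unlimited: amount === MAX_UINT256,
  };
}

function encodeApprove(spender, amount) {
  const addrWord = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  const amountWord = amount.toString(16).padStart(64, "0");
  return "0x095ea7b3" + addrWord + amountWord;
}

// Revocation is approve(spender, 0) from the token owner. Cost: one normal
// transaction's gas; effect: the spender can no longer move this token.
function buildRevoke(approval, owner) {
  return { from: owner, to: approval.token, value: "0x0", data: encodeApprove(approval.spender, 0n) };
}

// Constructed transactions. Placeholder addresses, not real contracts.
const OWNER = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
const TOKEN = "0x2222222222222222222222222222222222222222";
const ROUTER = "0x3333333333333333333333333333333333333333";
// What most DEX front ends request by default:
const UNLIMITED_APPROVAL_TX = { from: OWNER, to: TOKEN, value: "0x0", data: encodeApprove(ROUTER, MAX_UINT256) };
// What you should ask for instead when the protocol allows it (1,000 units of a 6-decimal token):
const CAPPED_APPROVAL_TX = { from: OWNER, to: TOKEN, value: "0x0", data: encodeApprove(ROUTER, 1000n * 10n ** 6n) };

const decoded = decodeCalldata(UNLIMITED_APPROVAL_TX);
console.log("spender", decoded.spender, "unlimited:", decoded.unlimited);
console.log("capped unlimited:", decodeCalldata(CAPPED_APPROVAL_TX).unlimited);
console.log("revoke tx:", buildRevoke(decoded, OWNER));
```

The same decoding is what a simulation wallet like Rabby does before it shows you a transaction, and what an approval dashboard does in reverse when it reads the chain's Approval events. Note that a wallet can cap an amount only when the dApp sends approve(); a permit signature is authorized off-chain, so revoking it still takes an on-chain approve(spender, 0) after the fact.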

Centralized Exchange Risks

The three largest crypto exchange hacks in recent memory illustrate different failure modes, none of which involved breaking the blockchain:

Bybit: $1.5 billion (February 2025)

Supply chain attack on the Safe{Wallet} front end. Attackers, attributed by the FBI to North Korea, compromised a Safe{Wallet} developer's machine and injected malicious JavaScript into the web interface Bybit's signers used. The interface showed a routine transfer from the cold wallet; the transaction the signers actually approved changed the Safe's implementation contract and handed control of the wallet to the attackers. The signers' hardware wallets did not help, because the devices displayed only an opaque hash to confirm ("blind signing").

Phemex: $85 million (January 2025)

Hot wallet key compromise. Private keys controlling Phemex's hot wallets were extracted and used to drain funds across multiple chains simultaneously.

Nobitex: $90 million (June 2025)

Hot wallet compromise of Iran's largest exchange, claimed by the pro-Israel group Predatory Sparrow, which sent the stolen funds to vanity addresses with no known private key, effectively burning them. The attack landed during a period of regional internet disruption that affected monitoring systems.

The pattern is consistent: exchange hacks attack the institution's key management, not the blockchain. For users, the implication is direct: only keep amounts on exchanges that you're comfortable losing completely. Anything you're holding long-term belongs in self-custody. The exchange is a trading venue, not a bank vault.

Knowledge Check

Module 3 - 6 questions

1. MetaMask had approximately how many monthly active users as of 2025, making it the most common phishing target?

2. When you grant 'unlimited' token approval to a DeFi protocol, what exactly are you permitting?

3. Rabby Wallet's pre-transaction simulation is a meaningful security improvement. What does it show you before you sign?

4. The Trust Wallet browser extension vulnerability in late 2024 resulted in approximately how much in estimated losses?

5. What was the nature of the Coinbase security incident in late 2024 through May 2025?

6. Bybit lost $1.5 billion in February 2025. This was not a blockchain hack. What actually happened?