Tracing cryptography in Metamask dependencies

metamask-sign.md

Tracing cryptography in Metamask dependencies

Metamask uses noble for low-level cryptography operations, such as signature creation. The audit path as per Sep 2023, where every item is name of NPM package:

flowchart TD;
    MM[metamask-extension] -->|imports KeyringController| MMKC["@metamask/keyring-controller"];
    MMKC -->|imports HDKeyring| MMHD["@metamask/eth-hd-keyring"];
    MMKC -->|imports SimpleKeyring| MMSK["@metamask/eth-simple-keyring"];
    MMSK -->|imports ecsign| EJSUT["@ethereumjs/util"];
    MMHD -->|imports ecsign| EJSUT["@ethereumjs/util"];
    EJSUT -->|imports secp256k1| EC["ethereum-cryptography"];
    EC -->|re-exports| CURVES["@noble/curves"];

1. metamask-extension imports KeyringController from @metamask/eth-keyring-controller ¹
2. @metamask/eth-keyring-controller imports HDKeyring and SimpleKeyring from @metamask/eth-simple-keyring, @metamask/eth-hd-keyring ²
3. @metamask/eth-hd-keyring and @metamask/eth-simple-keyring both import ecsign from @ethereumjs/util ³⁴
4. @ethereumjs/util imports secp256k1 from ethereum-cryptography ⁵⁶⁷
5. ethereum-cryptography re-exports @noble/curves ⁸
6. noble-curves initializes secp256k1 curve instance, defined in abstract/weierstrass.ts ^9101112

Footnotes

1. https://github.com/MetaMask/metamask-extension/blob/79d9c18cb18004777e945fb032866001c8ab14f0/app/scripts/metamask-controller.js#L15 ↩

2. https://github.com/MetaMask/KeyringController/blob/12e3a2017a9f9b76e10497d93746deeefe3e190b/src/KeyringController.ts#L3-5 ↩

3. https://github.com/MetaMask/eth-hd-keyring/blob/4f5c463e4b970d6f55449f7c4784d80f0c76d98c/src/HDKeyring.ts#L8 ↩

4. https://github.com/MetaMask/eth-simple-keyring/blob/d4906204203479d46127df88e7797ab0af03c675/src/simple-keyring.ts#L5 ↩

5. https://github.com/ethereumjs/ethereumjs-monorepo/blob/f5dcf4a13234cbab5fc1bfdca8ec2ab4aeb2cb5a/packages/util/src/index.ts#L34 ↩

6. https://github.com/ethereumjs/ethereumjs-monorepo/blob/f5dcf4a13234cbab5fc1bfdca8ec2ab4aeb2cb5a/packages/util/src/signature.ts#L28 ↩

7. https://github.com/ethereumjs/ethereumjs-monorepo/blob/f5dcf4a13234cbab5fc1bfdca8ec2ab4aeb2cb5a/packages/util/src/signature.ts#L2 ↩

8. https://github.com/ethereum/js-ethereum-cryptography/blob/77cdf136daf47210f3a711c3b863f7899d0a170c/src/secp256k1.ts#L1 ↩

9. https://github.com/paulmillr/noble-curves/blob/0d7756dcebcad544189efdd46ff8f12527709298/src/secp256k1.ts#L47 ↩

10. https://github.com/paulmillr/noble-curves/blob/0d7756dcebcad544189efdd46ff8f12527709298/src/_shortw_utils.ts#L18 ↩

11. https://github.com/paulmillr/noble-curves/blob/0d7756dcebcad544189efdd46ff8f12527709298/src/_shortw_utils.ts#L4 ↩

12. https://github.com/paulmillr/noble-curves/blob/0d7756dcebcad544189efdd46ff8f12527709298/src/abstract/weierstrass.ts#L999 ↩