MetaMask uses noble for low-level cryptography operations, such as signature creation. The audit path as of Sep 2023, where every item is the name of an NPM package:
```mermaid
flowchart TD;
    MM[metamask-extension] -->|imports KeyringController| MMKC["@metamask/keyring-controller"];
    MMKC -->|imports HDKeyring| MMHD["@metamask/eth-hd-keyring"];
    MMKC -->|imports SimpleKeyring| MMSK["@metamask/eth-simple-keyring"];
    MMSK -->|imports ecsign| EJSUT["@ethereumjs/util"];
    MMHD -->|imports ecsign| EJSUT["@ethereumjs/util"];
    EJSUT -->|imports secp256k1| EC["ethereum-cryptography"];
    EC -->|re-exports| CURVES["@noble/curves"];
```

- metamask-extension imports KeyringController from @metamask/eth-keyring-controller [^1]
- @metamask/eth-keyring-controller imports HDKeyring and SimpleKeyring from @metamask/eth-simple-keyring, @metamask/eth-hd-keyring [^2]
- @metamask/eth-hd-keyring and @metamask/eth-simple-keyring both import ecsign from @ethereumjs/util [^3] [^4]
- @ethereumjs/util imports secp256k1 from ethereum-cryptography [^5] [^6] [^7]
- ethereum-cryptography re-exports @noble/curves [^8]
- noble-curves initializes secp256k1 curve instance, defined in abstract/weierstrass.ts [^9] [^10] [^11] [^12]

[^1]: https://github.com/MetaMask/metamask-extension/blob/79d9c18cb18004777e945fb032866001c8ab14f0/app/scripts/metamask-controller.js#L15
[^2]: https://github.com/MetaMask/KeyringController/blob/12e3a2017a9f9b76e10497d93746deeefe3e190b/src/KeyringController.ts#L3-5
[^3]: https://github.com/MetaMask/eth-hd-keyring/blob/4f5c463e4b970d6f55449f7c4784d80f0c76d98c/src/HDKeyring.ts#L8
[^4]: https://github.com/MetaMask/eth-simple-keyring/blob/d4906204203479d46127df88e7797ab0af03c675/src/simple-keyring.ts#L5
[^5]: https://github.com/ethereumjs/ethereumjs-monorepo/blob/f5dcf4a13234cbab5fc1bfdca8ec2ab4aeb2cb5a/packages/util/src/index.ts#L34
[^6]: https://github.com/ethereumjs/ethereumjs-monorepo/blob/f5dcf4a13234cbab5fc1bfdca8ec2ab4aeb2cb5a/packages/util/src/signature.ts#L28
[^7]: https://github.com/ethereumjs/ethereumjs-monorepo/blob/f5dcf4a13234cbab5fc1bfdca8ec2ab4aeb2cb5a/packages/util/src/signature.ts#L2
[^8]: https://github.com/ethereum/js-ethereum-cryptography/blob/77cdf136daf47210f3a711c3b863f7899d0a170c/src/secp256k1.ts#L1
[^9]: https://github.com/paulmillr/noble-curves/blob/0d7756dcebcad544189efdd46ff8f12527709298/src/secp256k1.ts#L47
[^10]: https://github.com/paulmillr/noble-curves/blob/0d7756dcebcad544189efdd46ff8f12527709298/src/_shortw_utils.ts#L18
[^11]: https://github.com/paulmillr/noble-curves/blob/0d7756dcebcad544189efdd46ff8f12527709298/src/_shortw_utils.ts#L4
[^12]: https://github.com/paulmillr/noble-curves/blob/0d7756dcebcad544189efdd46ff8f12527709298/src/abstract/weierstrass.ts#L999
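
To re-check the audit path above against an actual install, the following added example (not code from MetaMask or noble) follows the HD keyring branch of the chain through an npm lockfile `packages` map (lockfile v2/v3) and reports which installed copy of @noble/curves the signing path resolves to. The package names follow the flowchart; the lockfile contents and version strings are constructed placeholders, and the function names are hypothetical.

```javascript
// Import chain from the page (HD keyring branch), below the root project.
const CHAIN = ["@metamask/keyring-controller", "@metamask/eth-hd-keyring",
  "@ethereumjs/util", "ethereum-cryptography", "@noble/curves"];

// Node-style resolution over lockfile paths: try the importer's own
// node_modules first, then each parent directory, up to the root.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Follow the chain, checking that each hop is both declared and installed.
function traceChain(packages, chain) {
  let at = ""; // "" is the root project entry in a v2/v3 lockfile
  return chain.map((name) => {
    const declared = packages[at].dependencies || {};
    if (!(name in declared)) throw new Error(`${at || "<root>"} does not declare ${name}`);
    const path = resolveDep(packages, at, name);
    if (!path) throw new Error(`${name} is declared but not installed`);
    at = path;
    return { name, path, version: packages[path].version };
  });
}

// All installed copies of a package; more than one means another importer
// may run a different build than the one on the signing path.
function installedCopies(packages, name) {
  const tail = "node_modules/" + name;
  return Object.keys(packages).filter((p) => p === tail || p.endsWith("/" + tail));
}

// Constructed sample lockfile "packages" map; versions are placeholders.
const nm = "node_modules/";
const SAMPLE = {
  "": { dependencies: { [CHAIN[0]]: "*" } },
  [nm + CHAIN[0]]: { version: "0.0.1-sample", dependencies: { [CHAIN[1]]: "*" } },
  [nm + CHAIN[1]]: { version: "0.0.2-sample", dependencies: { [CHAIN[2]]: "*" } },
  [nm + CHAIN[2]]: { version: "0.0.3-sample", dependencies: { [CHAIN[3]]: "*" } },
  [nm + CHAIN[3]]: { version: "0.0.4-sample", dependencies: { [CHAIN[4]]: "*" } },
  [nm + CHAIN[4]]: { version: "0.0.5-hoisted" },
  [nm + CHAIN[3] + "/" + nm + CHAIN[4]]: { version: "0.0.6-nested" },
};
console.log(traceChain(SAMPLE, CHAIN).map((s) => `${s.name}@${s.version} (${s.path})`).join("\n"));
console.log("copies of @noble/curves:", installedCopies(SAMPLE, "@noble/curves"));
```

In the sample, the chain resolves to the copy nested under ethereum-cryptography rather than the hoisted one, which is the case where auditing only the top-level @noble/curves would review the wrong build.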