Weak seed phrase generation at Metamask

I found in the latest MetaMask audit from Cure53 in March 2023

And the documentation says on slide 5 that MetaMask uses 32 bit entropy.

Do I understand correctly that when creating a wallet in MetaMask, the seed phrase is created with 32-bit entropy?

I have shared links to the sources of my posts, but the forum won’t let me do it :frowning:


Hey @pick0ut, this article on our Knowledge Base may provide more helpful info:


I’ve read about it, it doesn’t answer the question I asked.

BIP39 uses 128 bit entropy, but why does the Cure53 report say 32 bit entropy?

It looks like all wallets created in MetaMask extension have 32 bit entropy instead of 128 bit entropy


If you are referring to “The number of child keys that can be derived from any extended key constitutes 2³² maximum, so each child key has an associated index.”

2³² = 32 bit entropy. But this is for child keys.
I think the correct answer is that this is an implementation of BIP32: BIP 0032 - Bitcoin Wiki


No, I’m interested in creating a seed phrase exactly, you use BIP39 to create it. But, on the link above you sent an article and if you go to the site and read about getRandomValues() method, it uses only 32 bits of system time and you use 32 bits to create a wallet?


This is the screenshot from the audit I’m talking about, it says 32bit entropy.

Maybe I misunderstood something


This is for generating child keys from an HD wallet. This does not mean we use 32 bits to create a wallet. The audit is for GitHub - MetaMask/key-tree, which is a library used in MetaMask for deriving child keys. This is not how the seed phrase is created.


Could you suggest then how the seed phrase itself is created in MetaMask?


Hopefully this response from @snwlprd.eth may help you:


I have read this, I have an understanding of how to create a normal wallet on BIP39, I am interested in how to create a wallet in MetaMask.

Just from the information you gave above, you are using PRNG.
Although there is some documentation that the entropy is not enough when generating and instead of 128 bits it has only 32.

Is there any way I can share a link to the documentation?
https:// milksad. info

Whose documentation? You can break the link by adding spaces, i.e. www. gooogle . com

Here’s the source https:// milksad. info
It states that the Mersenne Twister PRNG method is unreliable.
Your documentation also says you use PRNG to generate the initial phrase, I would like to know what type is used for this.

Your forum blocked me from replying for 24 hours, that’s why the wait was so long :frowning:


Hey, maybe you missed my answer :no_mouth:

Hey sorry! Asking the team now.

Sorry that this happened, it’s to prevent spammers, it just so happened that you sent a lot of posts the first day your account was created.

MetaMask utilizes the browser’s PRNG, which in turn leverages the Web Crypto API. You can find more information about the Web Crypto API here.

The entropy of this PRNG is 16 bytes, equivalent to 128 bits. This means that the number of possible keys is 2^128.

To help you visualize this vast number, consider this analogy: If our Earth were a grain of sand within a much larger Earth, there would be approximately 2^80 such Earths. Now, how many grains of sand would there be in total? The answer is 2^160.

In other words, the probability of randomly generating a specific number using our PRNG is akin to finding a specific grain of sand on half of a super Earth. This super Earth is filled with super grains of sand, each of which contains a full Earth’s worth of regular grains of sand.
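The distinction discussed in this thread, as an added example that is not part of any post and is not MetaMask's code: 16 bytes drawn from the Web Crypto `getRandomValues()` call are turned into the twelve 11-bit word indices of a BIP39 phrase, and a 32-bit input is rejected as too small. The function names are hypothetical, Node.js's `webcrypto` stands in for the browser API, and the indices are not mapped to words because the 2048-word list is not embedded.

```javascript
// Added example (assumption: Node.js; webcrypto mirrors the browser's crypto object).
const { webcrypto, createHash } = require('node:crypto');

const ENTROPY_BYTES = 16; // 128 bits, the figure given in the reply above

// Draw seed entropy from the platform CSPRNG via Web Crypto.
function generateEntropy() {
  return webcrypto.getRandomValues(new Uint8Array(ENTROPY_BYTES));
}

// BIP39 encoding: append the first ENT/32 bits of SHA-256(entropy) as a
// checksum, then cut the bit string into 11-bit indices into the wordlist.
function entropyToWordIndices(entropy) {
  const n = entropy.length;
  // BIP39 allows 128 to 256 bits in 32-bit steps; 4 bytes (32 bits) is refused.
  if (n < 16 || n > 32 || n % 4 !== 0) {
    throw new RangeError(`entropy must be 16-32 bytes, got ${n}`);
  }
  const checksumBits = (n * 8) / 32;
  const hash = createHash('sha256').update(entropy).digest();
  let bits = '';
  for (const b of entropy) bits += b.toString(2).padStart(8, '0');
  bits += hash[0].toString(2).padStart(8, '0').slice(0, checksumBits);
  const indices = [];
  for (let i = 0; i < bits.length; i += 11) {
    indices.push(parseInt(bits.slice(i, i + 11), 2));
  }
  return indices;
}

// Entropy carried by a phrase: 11 bits per word, minus the checksum (1/33 of the total).
function entropyBitsOfPhrase(wordCount) {
  return (wordCount * 11 * 32) / 33;
}

// BIP32 child indexes are a separate concept: a 32-bit counter per extended key.
const CHILD_INDEX_SPACE = 2 ** 32;

const indices = entropyToWordIndices(generateEntropy());
console.log(`${indices.length} words, ${entropyBitsOfPhrase(indices.length)} bits of entropy`);
console.log(`child indexes per extended key: ${CHILD_INDEX_SPACE}`);
```
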


This topic was automatically closed after 30 days. New replies are no longer allowed.