Even though only very few users have experienced the passphrase bug, MetaMask is not taking the issue lying down.
In light of the reports that some users are experiencing an account recovery bug with MetaMask passphrases, ConsenSys developer Dan Finlay made a statement in order to assuage users’ fears and provide guidance.
Finlay writes, “MetaMask has received approximately 17 users reporting problems related to accounts and seed phrases.” Those users were apparently unable to access their own accounts and were given recovery seed phrases. The passphrases, however, allowed entry to different accounts than they had been associated with prior to the bug. Although the number of affected users is estimated to be “about 1% of 1%,” MetaMask is taking the issue seriously. Still, after an internal review, the cause of the bug remains a mystery. In light of this, MetaMask has issued a pair of bug bounties on GitCoin and Bounties.network “for anyone who can identify a related issue.”
MetaMask strongly urges users who believe they may have been given incorrect passphrases to re-verify their seed phrases. Some cases may be related to user error, but MetaMask is not taking any chances.
Another issue that users may be experiencing has to do with a storage glitch on the device containing account-specific MetaMask data, in which case it will be necessary for that user to restore their account with the seed phrase; if the seed phrase has been improperly written down, then the accounts will be lost. Because of this, even if MetaMask users have already backed up their seed phrases, it is advised that all users take time to repeat the process.
If the bug is genuine, it likely exists in the MetaMask Controller or in the main Keyring Controller, meaning that accounts would not have been compromised by a hacker. Bounty hunters who would like to help the community and identify the bug must be able to reproduce the specific situation in which a user would be given a seed phrase that is inconsistent with the one initially associated with their account.
The MetaMask team plans to host an AMA on the r/Ethereum subreddit to address any residual community concerns this Wednesday, November 15, 2017.