How to Access Permissionless Finance Securely: A Comprehensive Guide for Institutions

In this blog, we outline the key factors to consider when evaluating the security of a Web3 wallet, providing a framework that will help institutional investors confidently navigate their journey into DeFi and Web3.

by Cherry Yim, August 30, 2024

As institutions explore the world of permissionless finance and Web3 innovations, establishing a reliable operational infrastructure is a top priority. A critical decision that users have to make is determining the best mode of asset custody: whether to choose a licensed full-custody service, self-custody via MPC providers or multisig smart contracts, or a multi-custody approach to diversify risk and optimize returns.

However, safeguarding your assets is just the first step. The next challenge is ensuring secure and reliable connections to Web3, especially when managing millions in on-chain transactions. With so many Web3 wallets (connectors) available, choosing the right one can be daunting.


Key Considerations:

1. Security Culture, Audits, and Penetration Testing

  • Engineering Team Expertise: Assess the experience and expertise of the engineering team. What is their track record, and how deeply do they understand Web3 security?
  • Engineering Resources: How many dedicated resources are allocated to the wallet? A well-supported engineering team is crucial for ongoing security and performance.
  • Code Origin: Was the wallet built from the ground up or is it a fork of another open-source project? Building from scratch often implies a more thorough understanding and control over the codebase.
  • Ecosystem Standing: Does the engineering team have influence within the ecosystem? Are other protocols being built with this wallet in mind?
  • Regular Audits: Ensure that the wallet undergoes regular security audits and penetration testing. Look for adherence to recognized security standards, e.g. ISO 27001 (Information Security) and SOC 2 Type 1 and Type 2.
  • Dedicated Security Team: A wallet backed by a dedicated security team is more likely to maintain high security standards.

2. Performance and Uptime

  • Incident History: Review the wallet’s track record for incidents where users were unable to transact. How often has this occurred, and what was the impact?
  • Response Time: How quickly did the team resolve any issues that arose? Fast resolution times indicate a strong commitment to user experience and security.
  • Vertical Integration: Is the wallet integrated with an RPC provider to ensure maximum uptime? Integration could lead to more reliable performance.
  • Access to Innovation: Does the wallet offer unrivaled access to permissionless innovation, enabling seamless interaction with the latest DeFi opportunities?

3. Codebase

  • Open Source: A wallet with an open-source codebase offers greater transparency and security. The community can review and contribute to its security.
  • Battle-Tested: Look for a codebase that has been battle-tested over time and across market conditions, with significant assets managed through the wallet.

4. Customer Support

  • Service Level Agreements (SLAs): When issues arise, what SLAs are in place? Quick, reliable support is essential for institutional users.
  • Responsiveness: How quickly does the support team respond to inquiries, and how efficiently are problems resolved?
  • Direct Access: What level of access do users have to the product and engineering teams? Direct channels can be a significant advantage in urgent situations.

5. Pre-Trade Risk Management

  • Transaction Simulation: Does the wallet offer transaction simulation and security analysis before confirming trades? This can prevent costly mistakes.
  • Security Integration: Most wallets offer basic security measures, but look for those that integrate multiple security providers, giving users the broadest possible risk management options.

6. MEV Protection

  • Transactions are MEV protected: Does the wallet provide additional protections against MEV to ensure best execution for users?
  • Custom RPC Endpoint: Does the wallet allow users to choose a custom RPC endpoint, such as a node with a Flashbots implementation, to protect against MEV exploitation?
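To make the two checks above concrete (transaction simulation before signing, and routing through a user-chosen RPC endpoint), here is an added example that is not part of the original post or of any wallet's code. It builds the `eth_call` dry run that mirrors a pending transaction, points it at a configurable endpoint (the Flashbots Protect URL is an assumed default), and decodes the ABI-encoded `Error(string)` payload of a revert so the reason can be shown to the user before they sign. The transport is injected so the example runs offline against a constructed node response.

```javascript
// Assumed default endpoint; a wallet would let the user override this.
const DEFAULT_RPC = "https://rpc.flashbots.net";

// Build the JSON-RPC eth_call that dry-runs the pending transaction
// with the same from/to/data/value the user is about to sign.
function buildSimulationRequest(tx, id = 1) {
  return {
    jsonrpc: "2.0",
    id,
    method: "eth_call",
    params: [
      { from: tx.from, to: tx.to, data: tx.data ?? "0x", value: tx.value ?? "0x0" },
      "latest",
    ],
  };
}

// Decode the standard revert payload Error(string):
// 4-byte selector 0x08c379a0, 32-byte offset, 32-byte length, UTF-8 bytes.
// Returns null for bare reverts or custom errors (different selector).
function decodeRevertReason(hexData) {
  const hex = hexData.startsWith("0x") ? hexData.slice(2) : hexData;
  if (!hex.startsWith("08c379a0")) return null;
  const body = hex.slice(8);
  const offset = parseInt(body.slice(0, 64), 16) * 2;
  const length = parseInt(body.slice(offset, offset + 64), 16) * 2;
  const strHex = body.slice(offset + 64, offset + 64 + length);
  return Buffer.from(strHex, "hex").toString("utf8");
}

// Turn a node's JSON-RPC response into a pre-trade verdict.
function interpretSimulation(resp) {
  if (resp.error) {
    const reason = resp.error.data ? decodeRevertReason(resp.error.data) : null;
    return { ok: false, reason: reason ?? resp.error.message ?? "reverted" };
  }
  return { ok: true, returnData: resp.result };
}

// Dry-run a transaction through an injected transport. A real transport would
// POST the request to `rpcUrl` and return the parsed JSON body.
function preTradeCheck(tx, send, rpcUrl = DEFAULT_RPC) {
  const resp = send(rpcUrl, buildSimulationRequest(tx));
  return interpretSimulation(resp);
}

// Constructed transport that mimics a node rejecting a transfer.
const REVERT_HEX = "0x08c379a0" + "0".repeat(62) + "20" + "0".repeat(62) + "14" +
  "496e73756666696369656e742062616c616e6365" + "0".repeat(24); // "Insufficient balance"
function revertingTransport(_url, _req) {
  return { jsonrpc: "2.0", id: 1, error: { code: 3, message: "execution reverted", data: REVERT_HEX } };
}
```

A wallet would surface the decoded reason (and the chosen endpoint) in the confirmation dialog so the user can abort instead of paying for a failing transaction.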

MetaMask Institutional’s (MMI) Security and Performance: A Benchmark

While we can’t speak for other Web3 wallets or connectors, here’s how MMI measures up to the criteria outlined above:

Security Culture, Audits, and Penetration Testing

  • Proven Resilience: MMI shares the same code base as MetaMask, which has been battle-tested through multiple bear and bull markets since 2016 and has garnered the largest market share.
  • Expert Engineering Team: MMI has a team of 100 dedicated engineers focused on maintaining stability, reliability, and performance.
  • Dedicated Security: A world-class security team supports MMI, making it the only enterprise-grade wallet that is SOC 2 Type 1 certified, with Type 2 certification in progress. Consensys is also an ISO 27001 (Information Security) certified company.
  • Transparent Testing: MMI undergoes yearly penetration tests, with results publicly available for user review.

Performance and Uptime

  • Rigorous Testing: The MMI Extension is subjected to the highest level of testing before being released to production.
  • Vertically Integrated: MMI is vertically integrated with Infura within Consensys, ensuring optimal uptime and performance.

Codebase

  • Foundational Role: Many Web3 wallets are forks of MMI, meaning they rely on and must maintain and update a derivative codebase.
  • Open Source: MMI's open-source code provides transparency and community-driven security.

Customer Support

  • White-Glove Service: MMI offers a 4-hour SLA and provides users with direct access to the sales and product teams via dedicated Telegram groups.

Pre-Trade Risk Management

  • Comprehensive Security: MMI has a native Blockaid integration that provides security alerts to help safeguard users from diverse attack vectors. With the recent acquisition of Wallet Guard, MMI’s security will be further enhanced, improving scam and drainer detection to provide superior real-time protection against malicious dapps and scams, all while preserving privacy and self-sovereignty.
  • Customizable Simulation: Through the power of Snaps, MMI offers transaction simulation and pre-trade risk analysis, leveraging up to 10 different security providers. This allows users to tailor their pre-trade security framework to their specific needs, ensuring a customizable and robust defense against potential threats.

MEV Protection

  • Custom RPC Options: MMI allows users to select custom RPC endpoints, including nodes with a Flashbots implementation, for enhanced MEV protection.
  • Smart Transaction (Coming Soon): MMI will soon allow users to opt in to its smart transaction feature that natively protects users from harmful forms of MEV, stops transactions from reverting on-chain, and automatically bundles related transactions together to save on gas.

Conclusion: The Importance of Detailed Evaluation

In the fast-evolving landscape of Web3 and permissionless finance, the security and reliability of your chosen Web3 wallet are paramount. While many wallets might seem similar at first glance, a deeper evaluation of their underlying security features, performance history, and customer support infrastructure is crucial for institutions managing significant on-chain assets. Don’t leave your business’s future to chance. By taking the time to thoroughly assess these critical factors, you can ensure that your operations not only meet your business needs but also protect your and your investors’ assets as you navigate the dynamic world of DeFi. If you’d like to discuss your specific requirements and make an informed decision, the MMI team is here to help; feel free to reach out to us at MMI_Sales@consensys.net.