“What's behind the fox? It's you. It always has been, and now it will be more than ever.”
For over 8 years and millions of users annually, MetaMask has been the gateway to crypto self-custody, empowering people to control their own assets, build freely, and engage with web3 on their terms: in short, to have agency in their digital lives. The future of web3 depends on self-custody: for it to become the default choice for users, we need to make wallets more intuitive, connected, powerful, and safe.
Today, we’d like to share our near-term product roadmap: guided by our vision for how crypto wallets can evolve to support mainstream adoption by offering services that are better than a bank, and how MetaMask is transforming to be capable of playing a central role in a user’s financial life.
MetaMask, then and now
MetaMask was founded in 2016 supporting just a single chain: Ethereum. As the first browser-extension based wallet, we established many of the patterns that define web3 interactions today: an API for websites to propose Ethereum interactions to the user. A connection to a trusted blockchain source (Infura) so new users didn’t have to sync the entire chain. We soon added the ability for users to add their own custom network RPCs, custom tokens, and eventually even a plugin system called Snaps, all in the spirit of ensuring users can interact with any decentralized protocols they want… a spirit that remains to this day.
We’ve come a long way since then: with millions of users annually, mainstream adoption seemingly within grasp, an improving regulatory environment, and key technology unlocks on the horizon with Pectra—there is reason to be optimistic.
And we’re still really early.
But there are also challenges. We need to make web3 more usable, intuitive, and useful for everyone from power users to newcomers to crypto. The use cases are still limited. The number of networks is growing, and navigating them is complicated. Most importantly: we need to make wallets more powerful while also making them more secure.
To address these challenges, we’d like to share our near-term roadmap and some recent updates that have three primary goals:
Improve the user experience: make it easy
Connect everything, everywhere: make it seamless
Make wallets much more powerful and safe: make it good
Improving wallet and ecosystem UX
Our approach to designing MetaMask is founded on balancing maximum security with radical empowerment. While that has resulted in the most popular and secure wallet in web3, the user experience is still behind where we want it. We think we’re on the verge of unlocking some major improvements that will feel obvious in hindsight. We’re going to achieve this by making transactions smarter and simpler, abstracting away networks and gas, and by improving the core wallet experience.
Smarter and simpler transactions
At the heart of a crypto wallet’s experience is transactions. Traditional cryptography just had you signing and encrypting, which is a trivial operation that doesn’t require user review. In Ethereum, a signature can mean anything, from a vote to giving away your life savings, so the interpretability and performance of those transactions are critical to the product’s effectiveness. Also, the transaction is only valid once processed by a public network, which happens to have all sorts of adversaries in its “dark forest” who would be happy to play against you.
We introduced Smart Transactions in 2024. Enabled by default for new installs, Smart Transactions vastly improve the experience of swapping and transacting. Working behind the scenes to solve some technical limitations of a public mempool, Smart Transactions have resulted in an overall transaction success rate of 99.995%, including for Swaps (a type of transaction that has the worst reliability): this is 400x better than you might get on mainnet without Smart Transactions enabled. It’s 7000x more reliable than what’s typical for a user on Solana.
Smart Transactions also provide protection against front-running bots and MEV sandwich attacks: in July of 2024, $11 million in value was siphoned off of user transactions on mainnet. But among the millions of MetaMask users, that value was $5. You’re 400 times less likely to be affected by these bots when using MetaMask Swaps.
To make transactions simpler, we’re introducing ERC-5792 batched transactions, so users can perform common sequences of transactions like “Approve & Swap” in one click, saving them time, gas cost, and mental effort.
Goodbye, gas
Gas plays an important role in web3, but it’s another barrier for every user interaction. Users don’t want to think about another game mechanic every time they take an action, and often users don’t have ether to pay for gas: on mainnet, this interrupts ~25% of transactions. Having to hold a balance of a network token in every account you use is a complication that hinders onboarding. We have several features, launched and coming soon, that help make gas increasingly disappear for users.
First, we introduced gas-included Swaps, so users can swap two tokens without having to possess ETH in their account: the gas is included in their swap quote and is paid in the token they’re swapping.
Soon—in March—we’ll generalize this to all transactions, so to interact with dapps or send tokens, you can pay gas in whatever token you hold.
Longer term, we believe we can eliminate gas as a user-facing concern in nearly all interactions. (We’ll get to that!)
Abstracting networks
Our ecosystem has grown far beyond Ethereum mainnet, and new networks and communities are growing daily. The UX patterns that worked for a world with a single chain are insufficient in a rich, multichain world. To address this, we have a number of features live and upcoming that abstract networks and make the user experience seamless.
One old pain has been requiring users to switch networks when interacting with sites that connect to different networks. We eased this pain by allowing sites to suggest the network switch, and I’m relieved to say we finally have gotten rid of even this user friction.
Bonus features
In March, we’ll be adding support for multiple SRPs (Secret Recovery Phrases) in the wallet for the users who want to manage several distinct wallets without needing separate instances of MetaMask.
We’re also adding Profile Sync, so users can easily switch between browsers and devices and keep all their account names and settings the same. This will be available in extension in April, and mobile in May.
Improving the core wallet experience
Alongside the core refactors required to enable multiple network connections, we’re rolling out a set of UI changes that reimagine the wallet for a many-chain world. Our redesigned home screen can show a user all their assets across many networks on each account screen, greatly simplifying navigating many chains.
These same patterns apply to and enhance the experience of Snaps, our plugin system, so any blockchains you add via Snaps will be integrated just as intuitively and seamlessly across MetaMask.
These changes will include an updated trading view, giving users more sophisticated charting tools.
These changes will be rolling out over the next month.
Connecting everything, everywhere
In 2024, MetaMask users connected to over 850 networks. Up to now, MetaMask has primarily supported EVM networks with non-EVM connectivity provided via third party Snaps.
The power of Snaps
Snaps allow for the permissionless addition of new networks and currencies. But there hasn’t been tight enough integration between our Snaps platform and our core wallet experience. So, we rebuilt the UI integration into the new multi-network home screen to permit much tighter native-like experiences.
To prove it out, we’re going to launch a couple of networks to showcase how powerful this new system is, which will come built into MetaMask and feel just like any other natively supported network.
Hello, Bitcoin
Full bitcoin support is coming in Q3 this year, so users won’t need a separate wallet, or wrapped tokens, to hold bitcoin.
Here comes Solana
Coming sooner in May, we’re adding native Solana support to MetaMask, the first non-EVM chain supported out of the box. All MetaMask users will be able to buy, sell, swap, and interact with dapps across the entire Solana ecosystem. Existing Solana users will get access to the same security, reliability and rich features of MetaMask, along with access to all the chains you use with MetaMask today.
Connect to everything all at once with Multichain API
Our CAIP-25 multichain API will let dapps connect to more than one network simultaneously, EVM and non-EVM alike: a user will be able to connect to Ethereum, Linea, Solana, and Bitcoin networks all at once. This improves all sorts of use cases that involve multiple networks like portfolio rebalancing, bridging, or deploying and managing tokens on multiple chains at once. Expect the multichain API to launch in June.
Bringing crypto IRL with MetaMask Card
Crypto is all just numbers on a screen until you can use it. Traditional crypto offramps involve storing funds in a custodial exchange, transferring to a bank, and only then being able to spend those funds.
MetaMask Card solves the key industry UX challenge surrounding how to bring crypto IRL. Leveraging Mastercard’s payment network, MetaMask Card connects your self-custody wallet with millions of vendors around the world. You can be earning staking rewards or yield on your favorite protocol with your favorite tokens and have those funds available to spend anywhere that Mastercard is accepted with just a tap. This is more than just a convenience, this is the last missing piece in the essential feature set for crypto: connection back to the real world. You can get it and use it. The virtual card is available now in eligible countries and the physical Metal card will be available for select territories in April.
More powerful and safe: self custody, reimagined
While we can improve wallet UX, and connect everything together, there is still a gap between where we want to go and where we are.
One hurdle we have to overcome comes from the EOA—the externally owned account—which forms the basis for how users have interacted with everything.
Up until now, the industry has been defined by programmable money. Tokens are smart contracts that provide a set of rules to everyone, but those rules are one-size-fits-all. That one token contract defines what that token can do, what permissions you can grant from it, and any additional functionality must be defined by a contract you deposit the token into, which becomes an opaque machine that users can only trust in terms defined by that token’s contract. The EOAs that people use to hold their funds are bare rails that can’t be programmed.
We think we can do better.
While the EOA and programmable money have taken us a long way, the next era of web3 will be shaped by programmable accounts. Smart-contract-based accounts allow us to solve a number of problems: allowing new powerful uses of the assets you hold, while simultaneously improving security. When the user defines their terms from their own programmable account, we greatly expand how the user expresses their agency in ways that are enforced by their own code. In essence, programmable accounts are how we can make the wallet more powerful and safe, and deliver our vision for a self-custody wallet that can serve as the center of a user’s financial life.
Imagine a future
Meet Alice. The year is 2025. Alice holds her most valuable assets in a multisig wallet with some keys entirely offline, and has used those keys to grant a hot wallet that she uses every day access to a $200 daily budget, along with the ability to trade within the most popular tokens on the DEXes that ensure common price clearing, but without withdrawing more than the daily allowance from the account. This permission was easily reviewed and issued from offline signers, with no transaction fee or transaction processing latency.
From her hot account, Alice is able to set a limit order on a new DEX with an entirely readable confirmation which guarantees their offered price without needing to trust any external infrastructure to guess at or simulate the DEX’s behavior. Again, with no transaction fee or processing latency.
Alice can then give a permission to an AI agent that will be able to trade on her behalf with the same token budget, in case it learns of a new token on social media that relates to her interests. Her funds are empowered by as many external agents as she can reliably trust, without needing to lock funds with them. Again, with no transaction fee or processing latency.
Alice is able to issue streaming token subscriptions, and spend directly from her preferred yield-bearing tokens anywhere Mastercard is accepted. The card issues her rewards, back to the same wallet, which are rebalanced according to her preferences automatically. Again, all of this with no transaction fees or processing latency.
A major hack begins draining user funds from one of the AI agents she’s subscribed to, but fortunately one of the security services that Alice’s wallet enabled by default was able to detect the first block of thefts, and revoke Alice’s permissions before she was affected, all while she slept soundly.
This is not a distant future vision: we’re building it.
EIP-7702 will ship in the Pectra hard fork—the upcoming upgrade to Ethereum. EIP-7702 will allow all EOAs to behave like smart accounts.
We authored ERC-7710 to define a standard interface for any smart account to grant arbitrary permissions: a critical interface enabling an open ecosystem of smart accounts and dapps that can request permissions from users. In the future, smart accounts that expose this interface could add privacy layers, compression schemes, or new ways of expressing users' intents, all while remaining compatible with sites that adopt this new connection standard.
We co-authored ERC-7715 to define an interface by which a website, app, or eventually anything might ask for a permission from your account. This can include any on-chain action, like token and NFT allowances, as well as streaming token subscriptions, and can support the wallet adding additional terms to the permission at approval time: an expiration time, an asset they expect to receive in exchange, or a security service that may revoke the terms. Granting these permissions requires no gas and is instant. They’re not needed onchain until they’re used. Sites can submit transactions on the user’s behalf, paid for from the granted permission.
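An added illustration, not code from MetaMask or from the ERCs: a simplified JavaScript model of the kind of permission described above (a daily budget like Alice's, with an expiration time and a party allowed to revoke), granted off-chain and checked only when it is used. Every function and field name is hypothetical; this is not the ERC-7715 request format or the Delegation Framework API.

```javascript
// Toy model of a permission with wallet-added terms, enforced at redemption.
// All names (grantPermission, revoke, redeem, field names) are hypothetical.
const DAY = 24 * 60 * 60; // seconds

// Granting only builds a record: no transaction and no gas at this point.
function grantPermission({ delegate, token, dailyLimit, expiresAt, revokers }) {
  return { delegate, token, dailyLimit, expiresAt,
           revokers: new Set(revokers), revoked: false, spentByDay: new Map() };
}

// Only a party named in the grant (e.g. a security service) may revoke it.
function revoke(permission, caller) {
  if (!permission.revokers.has(caller)) return false;
  permission.revoked = true;
  return true;
}

// Every term is checked at the moment the permission is used.
function redeem(permission, { caller, token, amount, now }) {
  if (permission.revoked) return { ok: false, reason: "revoked" };
  if (now >= permission.expiresAt) return { ok: false, reason: "expired" };
  if (caller !== permission.delegate) return { ok: false, reason: "wrong delegate" };
  if (token !== permission.token) return { ok: false, reason: "wrong token" };
  if (!Number.isSafeInteger(amount) || amount <= 0) return { ok: false, reason: "bad amount" };

  const day = Math.floor(now / DAY);
  const spent = permission.spentByDay.get(day) || 0;
  if (spent + amount > permission.dailyLimit) return { ok: false, reason: "daily limit" };

  permission.spentByDay.set(day, spent + amount); // recorded only after all checks pass
  return { ok: true, remainingToday: permission.dailyLimit - spent - amount };
}

// Constructed scenario: a 200-unit daily budget delegated to a hot wallet.
function demo() {
  const t0 = 20000 * DAY; // constructed timestamp on a day boundary
  const p = grantPermission({ delegate: "hot-wallet", token: "USD-STABLE",
    dailyLimit: 200, expiresAt: t0 + 30 * DAY, revokers: ["owner", "security-service"] });
  const use = (caller, amount, now) => redeem(p, { caller, token: "USD-STABLE", amount, now });
  const results = [
    use("hot-wallet", 150, t0 + 10),       // within budget
    use("hot-wallet", 60, t0 + 20),        // would exceed today's budget
    use("attacker", 10, t0 + 30),          // not the named delegate
    use("hot-wallet", 200, t0 + DAY + 5),  // next day, budget is fresh
  ];
  revoke(p, "security-service");
  results.push(use("hot-wallet", 1, t0 + 2 * DAY)); // refused after revocation
  return results.map(r => (r.ok ? "ok" : r.reason));
}
```

The point of the model is that a compromised delegate can lose at most one day's allowance, and a revocation takes effect on the next attempted use.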
How hot can cold be? Introducing MetaMask smart accounts
To realize all of the potential described above, we have built the MetaMask Delegation Framework. I like to call it the Gator (short for delegator). It allows us to grant open ended ERC-7710 permissions to other accounts, entirely offchain. We think it might be the most dynamic and powerful permission system you’ve ever used. In combination with the upgrades from Pectra, we can unlock these incredible new powers for all MetaMask accounts.
We’re building the Gator to allow MetaMask to receive ERC-7715 permissions requests, and let the user customize their approval with open-ended granularity. Thanks to EIP-7702, any MetaMask account will be able to grant the same permissions.
While permissions are great for reducing friction and enabling new use cases, we’ve also been exploring how we can use this account type to improve security. While a multisig is great for adding friction and a review process to account actions, a multisig is only as safe as its actions are readable, so granting these account-defined permissions is a powerful way to ensure that multisig signers aren’t reliant on external simulation infrastructure to have confidence in what they’re signing.
Additionally, while multisigs are great at adding more layers of review, they can become cumbersome for approving smaller day to day operations that might be worth entrusting to a nimbler account. ERC-7710 delegations are a powerful tool for organizations to dynamically add new delegates that can perform arbitrary actions, which are always expressed in user-readable terms (even offline or from a hardware signer).
When used for a personal account, a user can keep one high-security account for the majority of their funds, but still grant the ability to spend funds, stake and un-stake, vote, and claim airdrops from a hot wallet, without risking losing more funds than they grant as a regular discretionary fund.
This paves the way for a web3 where every action is readable, and users aren’t forced to choose between the inconvenience and unreadability of hardware wallets and multisigs, or the convenience and usability of pure hot wallets. Through the Gator’s open ended permission system, users will be able to craft highly personalized policies that let them be nimble while staying safe.
Better UX that makes web3 easier to use, infinite connectivity inside crypto and out into the real world, and stronger account types that make wallets much safer and stronger—this is how we will make our vision for a next-generation wallet a reality.
A call to builders
Pectra and programmable accounts represent a huge opportunity to innovate the next wave of web3. What’s possible now? Just a few ideas for the eager developer:
Subscription Payments: set up recurring payments for services, APIs, and digital goods.
Seamless dapp onboarding: let users interact with web3 before owning crypto, with invitations to onboard with just a click. Links can include referral fees, making a web3 referral economy transparent and simple, without the rug-promoting dynamics of bonding curves.
Permission-based interactions: give granular access to assets, contracts, and digital identities.
Revocation services: the most responsive, widely enabled revocations of permissions.
Overlapping permissions: give a number of independent entities access to the same assets inside a smart account. Don’t lock funds: Unlock them.
Delayed transactions: grant a DEX permission to buy a token at a future value (i.e., creating a limit order off chain) with strong readability and safety guarantees.
Decentralized AI Agents: securely delegate investment and financial decisions without ceding control or locking up funds.
And these are just a few ideas. It’s time to push the boundaries of what’s possible in the decentralized web, together.
LFB!