Stealing ethereum with web3js?

If you have a UI for a project and it is hooked up to web3js are there any ways for a developer to empty user funds.

To be more specific- if you access a Dapp would it be possible for someone to steal funds through metamask?

Like can you build a script that would get users privatekey revealed when he is interacting with a dapp(malicious)

I don’t think Metamask is coded in such a way where it would deliver your private keys to a dApp that it’s communicating with. Only the user can reveal the private key on his or her end when interacting with Metamask.

Metamask just injects a web3 instance into your browser so that the dApp can read and write to the smart contract. When you write to the contract through the dApp, Metamask will prompt you to sign the transaction with your private key which is done on Metamask’s end. The transaction is then broadcast to the network for processing.


Hi there, yeah I think I know what you’re saying here.

Yeah metamask asks you to verify any txs before you do it basically.