Note: this is heavily based off of Ruben from Coinmonk’s 2021 article here. I do not mean to steal credit from a very obviously smart person. However, I am still doing this for 3 reasons. 1, my goal here is for this to be as simple as possible, leave out the complicated disk recovery stuff, and make it more non-tech friendly, 2, the more this info is out there online, the more likely someone is to find it and get use out of it, and 3, there were some details not in that article I found elsewhere, which I included here. In any other case I would not mirror (pun intended) someone else’s article so closely. Thank you Ruben!

Today, I did something incredibly stupid that caused my life to flash before my eyes. After much scouring the internet, and accessing a few life-saving nuggets of information, I managed to salvage what was about to be a terrible situation.

I am a Firefox user. Why? I don’t know; mostly because Mozilla is open-source, not Google, and I’ve just been using it for years and don’t feel like migrating. Firefox stores the user’s data (bookmarks, passwords, extensions, etc etc) in a folder called a Profile. Each browser can have multiple. These folders are where my woes begin.

Occasionally, Firefox asks you to ‘refresh’ the browser, to help with performance issues. Having never done this before, I happily obliged, because frankly Firefox performance is shit, and then quickly realized it had deleted ALL of my data from the browser, including ALL my Metamask wallets. For some of these, I had private keys backed up; no big deal. For others, I had no idea where the keys were backed up. How could I get them back?

Part One - Finding the Data

Thankfully when you refresh Firefox the system puts a dump of your old profiles on your desktop. This folder contains the data from your metamask wallets, but gaining read/write access to them is not as easy as it would seem.

First, navigate to Old Firefox Data/{PROFILE_NAME}/. The names will have some letters and numbers, along with some words like ‘default’ or ‘default-release’. Its most likely that you only have one profile.

Inside you’ll see something like this:

Now, navigate to storage/default/. This is where browser session data from websites and extensions lives. Scroll towards the bottom until you see folders with moz++ at the beginning of their names. These are the data directories of your browser extensions. You’ll notice you can’t tell what they are by the folder names. That’s because each extension gets assigned a UUID when installed that is unique to this profile and moment of installation. There are some techniques to decipher them like this but I did not find that to be useful. The easiest way is to go folder-by-folder until you find it.

You might be asking, why not just copy the profile back into Firefox and have everything come back? I tried that, and for whatever reason, it does not seem to work. When moving the old data back into the Firefox app directory manually, the browser simply does not recognize the new data and acts as if the profile is brand new.

So you are going through each extension folder. The insides of them look like this:

Notice that each contains an sqlite database and some binary executables with numerical names. The database files might look interesting, but you can’t parse any of the information in there. What we’re after are the binaries.

You’ll need a tool called HexFiend, which you can get on the Mac app store or online, to open up these binaries. For each extension you’ll need to open them up and take a look inside. Press cmd-f to search for text inside the file (make sure to select the ‘text’ search option from ‘hex’). Now, to figure out if this is the metamask binary, search ‘metamask’. It should appear in the file. Other things to try if this isn’t working are the names of tokens you had previously added to the wallet, or the phrase ‘Keyringc’. Once you’ve found it, it is time for the next step.

Part 2 - Getting your Vault back

This binary file is actually compressed, so what you are seeing is not the complete form of the file. We need to expand it with a tool called snappy-fox that will decompress the file for us. For this part to work we need to do a few things.

First, if you don’t have it already, install Homebrew on your mac. This is a package management system for dev tools and lower level system things not in the app store. Open a terminal and run the command present on their homepage.

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

Next in this terminal window run brew install gcc make to install the c compiler. Then run git clone https://github.com/berdav/snappy-fox.git && cd snappy-fox.

After this, we compile snappy fox by running make in the snappy-fox directory. Now copy the binary you found earlier into the snappy fox folder. Then run ./snappy BINARY_FILE_NAME out. This will make a new file called out that contains all the decompressed data.

When you open this out file in HexFiend, you should be able to see your wallet addresses present among other data. Now you need to search for the phrase KeyringController. Just after this phrase you should see {“ d a t a “ : followed by numbers, letters and slashes separated by spaces. This is your vault, or the data store that metamask uses to store your seed phrase. Copy all of this data, until you see =} and paste it into TextEdit on your mac. It will look like normal text but it isn’t so we will need to clean up these data a bit.

Go to File→Export as PDF and save the file as a pdf. Open up the file and copy this text into a new TextEdit file and save that as a .txt file. Now, we need to eliminate all the linebreaks in this text. Feel free to do it manually, but you can also run a global find-and-replace to change all instances of \n to nothing.

Part Three - Decoding

To decode this data back into a seed phrase, we will use the Metamask Vault Decrypter tool. The github page contains a live website for your convenience. Although normally inputting your password and vault into a website is absolutely ill-advised, it appears by looking at the source code that it makes no outside calls to servers or anything like that. Everything is executed locally in your browser and just served to you from Github. Nonetheless, in crypto, don’t trust, verify, so if you want you can also run this website locally.

First, run brew install node. Then npm install -g browserify && npm install -g beefy as the page states. yarn start should start the system in a local environment and output something like localhost:5000. Navigate to this page and you will see the tool running.

Paste your vault string into the first box, select ‘Paste text’ and then enter your password. Note that if the ‘decrypt’ button is greyed out then you have an incorrectly formatted vault string. Check for newlines or extraneous characters. The page will then output a second string that contains the 12 word seed phrase for your wallet. Congratulations, you did it!

The seed phrase covers all wallets that you created in that particular instance of metamask, but does NOT cover imported wallets. Presumably, if you have imported wallets, they also exist somewhere else you can access. Uninstall metamask from Firefox, reinstall it, then select ‘import wallet’ at the welcome screen and follow the instructions. You will see some of your wallets come back, but potentially not all of them.

To fix this last thing, just keep adding accounts (no need to name them) until the amount of accounts matches the amount of accounts you previously had. Metamask generates accounts from your seed deterministically, so account 1 for johnny’s seed phrase is always the same address. However, Metamask stops displaying wallets after the first account with no ETH in it, so if account 4 had 0 ETH, and account 5 has 2 ETH, you won’t see either until you manually add them back. You’ll also have to manually reconfigure networks. I hope this helps if you made a mistake! And for everyone else, be responsible, avoid this situation, and back up everything! Better yet, stop using hot wallets altogether and buy more hardware wallets.

Yours Truly,

NPC