This guide explains how MetaMask (the software hot wallet) interacts with smart contracts and common token standards: ERC-20, ERC-721, and ERC-1155. I’ve tested transactions, approvals, and token imports across mobile and extension builds. What follows is practical: how MetaMask reads balances, how token approvals work, and how to reduce risk when connecting to DeFi and NFT dApps.
Short answer: MetaMask itself is a client. It does not "hold" tokens in a private database; it signs transactions for your externally owned account (EOA) and submits them to the blockchain where smart contracts run. When you interact with a DeFi dApp, MetaMask builds and signs a transaction that calls a smart contract function (for example, approve, transfer, or swap).
MetaMask calls your RPC provider (Infura, Alchemy, or a custom node) to query chain state and to broadcast signed transactions. Transactions are executed by smart contracts on-chain, not by the wallet app. (This is why losing your seed phrase means permanent loss unless you can restore it.)
Below is a compact comparison to highlight measurable differences and how wallets typically treat each standard.
| Standard | Fungible? | Common on-chain calls | How MetaMask shows it | Typical UX notes |
|---|---|---|---|---|
| ERC-20 | Yes | balanceOf, transfer, approve, allowance | Token balance in Assets list | MetaMask reads balanceOf via RPC; decimals matter for display |
| ERC-721 | No (unique) | ownerOf, tokenURI, safeTransferFrom | NFT tab / collection view (mobile) or token contract entry | Metadata often fetched from IPFS or HTTP; metadata availability varies |
| ERC-1155 | Semi-fungible | balanceOfBatch, safeTransferFrom, isApprovedForAll | Partial support; may appear as grouped items | Multi-token contracts can hold fungible + non-fungible IDs (UI varies) |
When a wallet detects a token it calls the respective contract functions and/or consults token lists for metadata. Token lists speed up display (symbol, decimals, logo), but the authoritative balance is on-chain.
This is a common search query: how are erc20 coins stored in metamask wallet? The precise answer: ERC-20 balances are recorded on the token contract on-chain. MetaMask does not "store" the coins—your address does. MetaMask stores the private key that can sign transactions using that address, and it stores local metadata (token names, symbols, icons) for display.
Mechanics in three steps:
And yes, that means the security of your tokens depends on private-key secrecy, not on the app UI.
If you want a deeper technical walkthrough, see developer RPC and node guide for how RPC calls work.
Step-by-step (ERC-20 example):
If a token isn’t detected automatically, use add-custom-token-to-metamask for a deeper walkthrough. I’ve had tokens appear in the mobile app but not the extension until I added the custom token manually; small UX differences exist across platforms.
Token approvals are the most common attack vector. When a dApp asks you to approve a token, it usually calls approve(spender, amount) on an ERC-20. That writes an allowance to the token contract granting the spender permission.
Step-by-step to revoke (general):
See token-allowances-and-revoke for a step-by-step guide with screenshots. But remember: revoking an allowance costs gas.
MetaMask supports direct injection (browser extension), WalletConnect (mobile connections), and an in-app mobile browser for dApps. The built-in swap feature routes across multiple on-chain liquidity sources using aggregator logic; you can set slippage tolerance and view estimated gas before signing.
Gas mechanics: MetaMask uses EIP-1559 fields (max fee, priority fee) when available and shows an estimated gas limit via eth_estimateGas. Actual fees depend on base fee (burned) and chosen priority (miner tip). See gas-fees-eip1559-l2 for tactics to save on L2s and timing.
Mobile often has a richer NFT view (collection thumbnails and metadata). The extension exposes assets and contract interactions but the NFT UI is less consistent across chains and networks. If you rely on NFTs, use the mobile app plus a marketplace to verify metadata.
Note: MetaMask is built for EVM-compatible chains. It will not natively support non-EVM blockchains (for example, Solana requires separate wallets). Add common chains via add-polygon-to-metamask or other guides.
Standard MetaMask accounts are EOAs that hold private keys locally. Account abstraction and smart contract wallets introduce contract-based accounts that can support session keys, gas sponsorship, and batched transactions. Support for contract accounts is evolving; see account-abstraction-smart-contract-wallets for current practices and how to connect contract-based accounts to MetaMask interfaces.
But even then, hardware wallets provide stronger security for large balances; see hardware-wallets-with-metamask if you want to combine convenience with improved safety.
Q: Is it safe to keep crypto in a hot wallet?
A: Hot wallets are convenient for DeFi activity and daily swaps. They trade some security for usability. For long-term storage of large amounts, I personally pair them with a hardware wallet.
Q: How do I revoke token approvals?
A: Use token-allowances-and-revoke or an on-chain approvals explorer. Revoke by sending a signed transaction to set allowance to zero.
Q: What happens if I lose my phone?
A: Restore MetaMask on a new device using your seed phrase. If you lack the seed phrase or backups, funds are unrecoverable.
MetaMask acts as a bridge between your private keys and on-chain smart contracts. ERC-20, ERC-721, and ERC-1155 tokens live on their respective contracts; MetaMask reads and signs interactions but does not "store" token balances off-chain. If you want hands-on practice, try sending a small ERC-20 transfer, then verify the transaction input shows transfer(to, amount) on a block explorer (see using-etherscan-with-metamask).
If you haven’t yet installed MetaMask on desktop or mobile, follow these setup guides: install-metamask-chrome-extension and metamask-mobile-ios-android. For advanced topics—custom RPC, L2s, or running your own node—check developer-rpc-and-node-guide.
Ready to test a token interaction safely? Start with a small transfer and review the signed calldata before you confirm. And yes, review your token approvals regularly.