Account Migration Guide
This guide details the process of transferring the contents of all the accounts in your wallet to new accounts derived from a different Secret Recovery Phrase. You may be looking for instructions on how to perform "key migration", or you may have been told your SRP has been compromised. Maybe you have seen some unauthorized transactions in your accounts, or suspect someone has access to your wallet.
Whatever the reason, this guide is for those who want to move all their crypto assets to new, safe accounts.
If you're in a hurry, and need to get started now, follow the steps below.
There is a lot of background information that can help you understand what's going on. If you get confused during the process, or would rather understand before proceeding, read the in-depth information further down in this article. Hopefully our explanations clear things up.
How to migrate your cryptoassets to new accounts
Step One: Ensure a safe environment
In order to keep your new SRP safe, you need to be in a safe situation.
This means:
- You are not being physically observed
- Your system is free from malware or spyware
- You have a secure medium on which to record your new SRP
- You are not being directed to do this by a person you don't trust
- You are not doing this under duress
- Traffic on your Internet connection is not being monitored
- Hint: a VPN connection under such circumstances can be very helpful!
Step Two: Generate a new SRP
This is easily done, in a matter of minutes, using MetaMask: you don't even need to change browsers.
- Follow the instructions here to create a new browser profile
- Navigate to https://metamask.io/download/ (type in the address: don't click on a web search result)
- Alternatively, find MetaMask in the Android (https://play.google.com/store/apps/details?id=io.metamask) or iOS (https://apps.apple.com/us/app/metamask-blockchain-wallet/id1438144202) stores
- Install the extension or application, and step through the process to create a new Secret Recovery Phrase
- Make note of that new Secret Recovery Phrase, and keep it somewhere safe
Step Three: Get a safe address to send your tokens to
- Follow the instructions here to copy the public address of the default account generated by your new SRP.
- Have that address at hand on the device that has the "source" SRP; it might help to open it in Etherscan, or you could hold it in a synced note, because it's a public address--you should never, ever, ever put an SRP in a cloud-synced note app.
Note: You can generate as many accounts as you want in your new SRP, and divide up your tokens however you wish among them. Also, if you have a hardware wallet on hand, now would be a convenient time to transfer assets to an address generated by an SRP that is only present on your hardware wallet.
Step Four: Transfer your stuff
This part of the process will vary depending on your specific situation. You may need to do some reading below.
The process is currently manual: you will be sending all of your assets to the new address(es), one transaction at a time. If you're unfamiliar with sending assets, see here.
Note: We are currently in the process of getting up-to-date tooling to help automate this process. The tools listed in the section further down may or may not work for you, and are not endorsed or affiliated with MetaMask. When we have a better process in place, we will update this article.
Your network gas tokens (ETH, POL (previously MATIC), etc.) should be the LAST THING YOU TRANSFER. Otherwise, you'll have no way to pay for the transfer fees of your other assets.
- Start with NFTs
- NFTs are likely to be the most expensive to transfer, so start with these. Currently, you can use MetaMask Mobile to transfer them; also, you can use OpenSea's transfer function.
- Keep in mind: if your account has been compromised, then adding more of the network's gas token to your account in order to transfer assets out of it may result in the new gas token balance being "swept out" before you can take any actions. If this is the case, see here.
- Move on to other ERC-20 tokens
- Gas Tokens: First in, Last out. Depending on the contents of your accounts and the network you're on, you may use a significant amount of the network gas token--so don't send it away while you still need it!
- Remember, ETH isn't technically an ERC-20 token, so automated ERC-20 sweeping tools may not automatically include balances of ETH.
Note: If you transferred an ENS name to your new address, and you use that ENS name to receive cryptoassets, make sure you update the routing information in the ENS app so that assets routed to that ETH name go to the new address, and not the old one!
Step Five: Switch networks and repeat
Yup, you guessed it: we live in a multi-chain era, which means that if you've got assets on multiple chains, they have to be transferred on those chains.
- Use the network switcher to change networks
- Follow steps 1-3
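The ordering from Steps Four and Five can be planned on paper before sending anything. The following is an added example, not MetaMask code or tooling: it sorts a constructed inventory into NFTs, then ERC-20 tokens, then the gas token for each network, and works out how much gas token is left to send last once every transfer fee is reserved. The names `Asset`, `plan_network` and `plan_all`, the sample balances and gas prices, and the NFT and ERC-20 gas estimates are assumptions.

```python
from dataclasses import dataclass

# Gas units per transfer type. 21,000 is the cost of a plain native-token send
# on Ethereum; the NFT and ERC-20 figures are assumed estimates that vary by contract.
GAS_UNITS = {"nft": 100_000, "erc20": 65_000, "native": 21_000}
ORDER = {"nft": 0, "erc20": 1, "native": 2}  # Step Four order: gas token last

@dataclass
class Asset:  # hypothetical record type for this example
    network: str
    kind: str    # "nft", "erc20" or "native"
    name: str
    amount: int  # smallest unit (wei for the native token); 1 for one NFT

def plan_network(assets, gas_price_wei):
    """Order one network's transfers and size the final gas-token send."""
    native = [a for a in assets if a.kind == "native"]
    if len(native) != 1:
        raise ValueError("expected exactly one native gas token balance")
    ordered = sorted(assets, key=lambda a: ORDER[a.kind])  # stable sort
    # Fees for every transfer, including the last (native) one.
    fees = sum(GAS_UNITS[a.kind] for a in ordered) * gas_price_wei
    if fees > native[0].amount:
        raise ValueError(f"need {fees} wei for fees, have {native[0].amount}")
    return ordered, native[0].amount - fees

def plan_all(assets, gas_prices):
    """Step Five: build a separate plan for each network that holds assets."""
    return {net: plan_network([a for a in assets if a.network == net], gas_prices[net])
            for net in sorted({a.network for a in assets})}

# Constructed sample inventory and gas prices (not real balances).
INVENTORY = [
    Asset("ethereum", "native", "ETH", 50_000_000_000_000_000),
    Asset("ethereum", "erc20", "TOKEN-A", 1_000),
    Asset("ethereum", "nft", "NFT #1", 1),
    Asset("ethereum", "erc20", "TOKEN-B", 250),
    Asset("polygon", "native", "POL", 2_000_000_000_000_000_000),
    Asset("polygon", "erc20", "TOKEN-C", 75),
]
GAS_PRICES = {"ethereum": 20_000_000_000, "polygon": 100_000_000_000}

if __name__ == "__main__":
    for net, (steps, final_send) in plan_all(INVENTORY, GAS_PRICES).items():
        print(net, [s.name for s in steps], "send last:", final_send, "wei")
```

A `ValueError` from `plan_network` means the gas token balance cannot cover the estimated fees, which is worth knowing before the first transfer rather than partway through.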
Help! I don't even know what stuff I have, and where it's at!
We totally understand. It's easy to end up with stakes in lots of protocols, all over the decentralized web.
Take a look at the section below, titled "What assets do I have?"; it will give you a good start.
Step Six: Did you remember your private keys?
Many MetaMask users have imported certain accounts from other SRPs into MetaMask. These accounts ARE NOT "backed up" by the SRP. They WILL NOT be restored by importing your SRP into another instance of MetaMask. You MUST ENSURE you have access to the SRP or other mechanism that produced them.
That said--if it was your SRP that was compromised, and not your system environment itself, then imported private keys may be safe.
If your SRP or wallet has been compromised, it is possible that you have had a sweeper bot placed on your account. If this is the case, then as soon as you transfer tokens in, they may be transferred to the attacker's address. This can be a complex situation to remedy; for much more detailed information, see here. See also the section below on Flashbots Whitehats.
If you do have a sweeper bot on your account, or think you may, keep an eye on the suspicious address using Blocknative's mempool explorer.