MetaMask Security Monthly: March 2023

Security Laboratory

Faith Lillibridge at the NORC console fifth floor, Columbia University Watson Lab, 1954.

Endo

• Our attempts at plugging into webpack transforms without compromising the original import/export statements have been unsuccessful, unless we deconstruct webpack and utilize some of its parts as a framework for creating a bundler. However, we have decided to halt this endeavor and seek a more simplified solution. Therefore, we are experimenting with a new method in LavaMoat (see below).
• The latest update to Endo compartment-mapper includes exitModuleImportHook, which allows for the dynamic importing of exit modules instead of requiring users to provide a pre-built list. This is the final significant feature required for compartment-mapper to serve as the backend for lavamoat-node.
• Endo SES whitelist has received a minor update for React Native Android JSC in https://github.com/endojs/endo/pull/1511, bringing an old issue to a close https://github.com/endojs/endo/issues/660 (more recently https://github.com/LavaMoat/docs/issues/16) and being further looked into in https://github.com/react-native-community/jsc-android-buildscripts/issues/181.

LavaMoat

• We are exploring an alternative method to secure bundling by utilizing a webpack loader to implement compartmentalization and adding the essential runtime later. This approach maintains the unchanged layers above the loaders, enabling most features such as treeshaking to operate seamlessly. However, the main hindrance to its success is the likelihood of custom plugins altering the code in unforeseen manners.
• The scuttling security feature, which was introduced a while ago (#360), can now be applied to all potential same-origin child realms (eg. iframes) in the browser by configuring the experimental “scuttleGlobalThis” option combined with Snow (check out the progress #462.
• React Native support has been resurrected/revived, beginning (again) with Endo SES lockdown integration (originally for RN v0.66.5), but now with RN v0.71.4 and MetaMask mobile app integration underway. Progress tracking epic: https://github.com/LavaMoat/docs/issues/12
• Minor update to LavaMoat Browserify examples have be viewed in https://github.com/LavaMoat/LavaMoat/pull/476

🗣️ Talks! 🎙️

Better Dapps with Delegatable by Dan Finlay

Dan made his debut appearance at EthDenver by sharing his vision for how delegating can make building dapps safer and easier!

“There are a lot of people claiming airdrops and then getting all their money taken. That's been kind of a repeating pattern … Delegatable lets you do anything you can do on a contract to another account. It's got an open-ended caveat system so you can attenuate the ability you're sharing in any way you want. And that can let you keep hot wallets cooler by limiting what they can do while allowing them to still do stuff on chain.”

JS Realms, Security Blank Spot by Gal Weizman

Join Gal as he discusses the increasing dangers of supply chain attacks that are associated with dependencies, and how Snow JS can help cover your back!

Topics include:

• Evolution of the web
• The importance of security and visibility
• Third-party solutions
• JavaScript Realms
• Snow JS

Watch out for airdrop scams!

There has been a lot of dubious activity surrounding airdrops recently. MetaMask published an article in February about the dangers of rugpulls and airdrops, and we’d like to remind you that, as exciting as “free money” sounds, there are a number of ways that bad actors can use the practice to their advantage.

Always make sure you're getting your information from the source. When unfounded rumors started popping up on social media that MetaMask was going to be taking a snapshot and/or airdrop on March 31, we alerted the community. Go to the source and be skeptical of internet strangers claiming to have “insider information.”

🚨There are quite a few false rumors going around about a MetaMask snapshot/airdrop/etc. on March 31.

These rumors are not only false, but they are dangerous. They create opportunities for scammers and phishers.

Please be on the lookout for fake sites in the coming days🙏

— MetaMask 🦊💙 (@MetaMask) March 28, 2023

Days before the Arbitrum airdrop, an announcement was made by @ArkhamIntel when it was discovered that around 2400 wallets were targeted in anticipation of the event. In the aftermath, Coinbase covered just how many things can go wrong, with their coverage Arbitrum Shows Just How Messy (and Tricky) Crypto Airdrops Can Be.

gm

A reported hacker on Arbitrum has been sending money over the past 12 hours to around 2400 presumably compromised wallets.

These wallets then approve the ARB token in anticipation of receiving the airdrop.

address - 0x59d4087f3ff91da6a492b596cbde7140c34afb19

Stay safe!

— Arkham (@ArkhamIntel) March 20, 2023

Other stories about airdrop scams that occurred just in March include Polkadot, ShibaInu, and OpenAI DEFI (GPT-4).

Tales of Caution

🚨 If you're using Cloudflare for your web3 product, stop what you're doing right now.

You NEED to:

1. Rotate the Global API Key for all your accounts

2. Remove all accounts added to your Cloudflare unless you rotated their Global API Key in step 1https://t.co/z913LMCc85

— Tay 🦊 💖 (@tayvano_) March 23, 2023

3/

What actually went down :

1) @ETH_S4GE DMed in twitter telling me he like the contents/threads i wrote and would like to invite me to a 'Conference' in the metaverse with other panels of speakers

2) I thought why not? Its going to be a good personal branding for myself

— Nick (💙,🧡) (@Nicknick2109) March 14, 2023

Function Signatures - Known Malicious

And finally, you can view a basic rundown of how many of Monkey Drainer/Venom Drainer "Security Updates" contracts are deployed, victims count, total ETH and total USD / daily & total. Refresh the queries for current numbers. Brought to you by BlockmageAlchemyst.