MetaMask Security Monthly: May 2023

Security Laboratory

Ada Lovelace, considered the Mother of the Computer, 1815-1852

LavaMoat Update

• Merged 27 individual pull requests with dependency updates across LavaMoat packages. Updated versions included fixes for known vulnerabilities.
• Minor releases with updated dependencies and fixes for Node.js 18 compatibility
• Continued work on the ScorchWrap webpack plugin, with progress on including the runtime into the bundle itself and findings about compatibility with other plugins.
• Continued work on locking down MetaMask mobile, and dealing with uncaught exceptions when debugging with Chrome V8 in the form of TypeErrors from libraries, including ethjs.
• Progress on “scuttling” - the feature to disable access to common globals for the entire window incase endowments for a package were too wide.

Endo Update

• Improved cjs missing module error in compartment-mapper https://github.com/endojs/endo/pull/1580#pullrequestreview-1449297257

🗣️ Talks! 🎙️

Eval all the Strings! - Hardened JavaScript by Zbigniew Tenerowicz

MetaMask’s Zbigniew, or ZB for short, gave a talk in April for Node Congress in Berlin, and the anticipated video has been posted!

“This talk is about SecureEcmaScript and Compartments, which are TC39 proposals, and I'm working on tooling to make these concepts usable with people championing those proposals. This is a first-hand account of the future of JavaScript security. SES + tooling (LavaMoat or Endo) is making limiting access to network, fs, core modules or globals possible on a per-package basis. I want to show how they work, what possibilities they open and how to make that future happen today with some effort. To me this is the final step in securing npm supply chain - even if a package gets taken over by bad actors, it won't be able to hurt me.”

Check out his talk here.

From The Defiant: Maker of first Ethereum Wallet Taylor Monahan Explains $10M Hack and How to Stay Safe in Crypto

In April, Taylor Monhan and Harry Denley from MetaMask began an investigation into a massive multichain offensive that targeted crypto veterans. Along with breaking down the hack and tips on how to protect yourself, Taylor explores the concepts of “code is law” and “blockchain is immutable.”

This likely group of attackers used an unusual system, in that they swapped the assets that they were stealing within the victim’s wallet first before sending them to a DEX. The method used to breach the security of 300 individuals who had their recovery phrases exposed remains unknown, and it is assumed that the attack was not typical phishing activity.

Additionally, Taylor summarizes the evolution and current state of offenses and counter offenses in the space, as well as recommendations on how to be more secure, including using a hardware wallet and decentralizing your holdings by keeping them in multiple wallets.

Wallet Drain and Seedphrase Compromises

If your wallet does get drained, you don’t have to be a security research expert to try and figure out how. @Jon_HQ posted a thorough checklist on Twitter that can guide you through your own investigation.

Getting your wallet drained sucks, but getting drained and not knowing how is even worse.

The following thread is a checklist of things to review if you get drained and can't figure out how.

This thread is best bookmarked and referred to later if you ever need it. pic.twitter.com/9K8vK1UPfF

— Jon_HQ (@Jon_HQ) May 4, 2023

🔍 Imposters 🔎

From the FTC: Those urgent emails from MetaMask and PayPal are phishing scams

A consumer alert from the Federal Trade Commission warned the public to be extra cautious about messages supposedly from services related to crypto. When dealing with any unsolicited email, avoid the urge to act quickly, regardless of what the email says. Creating a false sense of urgency is a standard scam tactic, because the scammers are counting on panic to override critical thinking.

Don’t click on any links from unsolicited emails, and update your security software regularly.

“If you get a phishing email, forward it to the Anti-Phishing Working Group at reportphishing@apwg.org. Then tell the FTC at ReportFraud.ftc.gov.”

Emails from MetaMask impersonators only can be forwarded to phishing@phishfort.com.

How do I recognize the real MetaMask?

Many websites, emails, and social media profiles imitate MetaMask, attempting to access your accounts and steal your funds. This knowledge base article outlines how you can tell them apart from the real thing, as well as how to make sure you’re using the proper support channel.