Featuring the $10 million multichain hack targeting crypto veterans, a checklist for investigating a drained wallet, an FTC alert about phishing emails, and a Hardened JavaScript conference talk.
Each month, MetaMask Security Director Luker reports on the latest crypto attacks and emerging risks that you need to know about.
This month's biggest story: our researchers Taylor Monahan and Harry Denley continued investigating a roughly $10 million multichain hack that drained around 300 longtime crypto users whose Secret Recovery Phrases were exposed. The FTC also warned about phishing emails impersonating crypto companies, and a handy wallet-drain investigation checklist made the rounds. On the engineering side, LavaMoat merged 27 dependency updates and advanced its ScorchWrap plugin, MetaMask Mobile hardening, and "scuttling" feature; Endo improved its CommonJS error handling; and Zbigniew Tenerowicz's "Eval all the Strings!" Hardened JavaScript talk went live. The full breakdown is below, but first...
Featured STEM pioneer: Ada Lovelace, the first computer programmer
Ada Lovelace (1815–1852) was an English mathematician regarded as the first computer programmer for her work on Charles Babbage's proposed Analytical Engine, including an algorithm to compute Bernoulli numbers. She also foresaw that such a machine could do far more than pure calculation. That early insistence on precise, verifiable logic is the same discipline that trustworthy software security still depends on.
LavaMoat update: 27 dependency pull requests, ScorchWrap, mobile lockdown, and scuttling
LavaMoat merged 27 individual pull requests with dependency updates across its packages, including fixes for known vulnerabilities, and shipped minor releases with updated dependencies and Node.js 18 compatibility fixes. Work continued on the ScorchWrap webpack plugin, with progress on including the runtime in the bundle itself and findings about compatibility with other plugins. Our team also continued on working on LavaMoat's supply-chain protections to MetaMask Mobile—so that even a hijacked dependency can't access sensitive browser APIs. As part of that effort, the team resolved uncaught exceptions (TypeErrors thrown by libraries such as ethjs) that appeared when debugging under Chrome V8. Related work advanced "scuttling," a feature that disables access to common globals across the entire window when a package's endowments would otherwise be too broad.
Endo improves its CommonJS missing-module error in compartment-mapper
Zbigniew Tenerowicz's "Eval all the Strings!" talk on Hardened JavaScript
MetaMask's Zbigniew Tenerowicz (ZB) gave a swift talk, called Eval all the Strings!, at the Node Congress in Berlin in April 2023. In just over 7 minutes, ZB discussed Secure ECMAScript (SES) and Compartments—both TC39 proposals—and the tooling he's building to make them usable. In his words, "SES + tooling (LavaMoat or Endo) is making limiting access to network, fs, core modules or globals possible on a per-package basis … To me this is the final step in securing the npm supply chain—even if a package gets taken over by bad actors, it won't be able to hurt me."
“This talk is about SecureEcmaScript and Compartments, which are TC39 proposals, and I'm working on tooling to make these concepts usable with people championing those proposals. This is a first-hand account of the future of JavaScript security. SES + tooling (LavaMoat or Endo) is making limiting access to network, fs, core modules or globals possible on a per-package basis. I want to show how they work, what possibilities they open and how to make that future happen today with some effort. To me this is the final step in securing npm supply chain - even if a package gets taken over by bad actors, it won't be able to hurt me.”
The Defiant: MetaMask’s Taylor Monahan explains a $10 million multichain hack
In an interview with The Defiant, MetaMask Security researcher Taylor Monahan explained the multichain hack she and colleague Harry Denley began investigating in April 2023—a massive offensive targeting longtime crypto users—along with tips for staying safe and a discussion of "code is law" and "blockchain is immutable." The attackers used an unusual method, swapping the assets they were stealing within the victim's wallet before sending them to a decentralized exchange (DEX). The way the attackers breached roughly 300 individuals whose Secret Recovery Phrases were exposed remains unknown, and it is assumed the attack was not carried out through typical phishing methods. Monahan's recommendations for staying safer included using a hardware wallet and decentralizing holdings across multiple wallets.
A wallet-drain investigation checklist from Jon_HQ
If a wallet does get drained, figuring out how the attack happened doesn't require being a security researcher. Twitter user Jon_HQ posted a thorough checklist on Twitter, shared on May 5, 2023, that walks through the steps to review when investigating a drain—worth bookmarking for reference.
Getting your wallet drained sucks, but getting drained and not knowing how is even worse.
The following thread is a checklist of things to review if you get drained and can't figure out how.
FTC warns that urgent Crypto Company emails are phishing scams
A consumer alert from the Federal Trade Commission (FTC) warned the public to be extra cautious about messages that appear to come from crypto-related services. With any unsolicited email, the FTC advised against acting quickly regardless of what the message says—manufacturing a false sense of urgency is a standard scam tactic meant to override critical thinking—and recommended not clicking links in unsolicited emails and keeping security software up to date. Phishing emails from MetaMask impersonators can be reported at https://support.metamask.io/chat.
How to recognize real MetaMask accounts vs fake accounts
Scammers frequently impersonate trusted crypto brands. Setting up lookalike websites, emails, and social media profiles to trick users into handing over account access. To help you stay protected, our support knowledge base explains how to recognize the real MetaMask and how to make sure you're using the proper support channel.
MetaMask's May 2023 Crypto Security Report covered Taylor Monahan's continued investigation into a $10 million multichain hack targeting longtime crypto users, an FTC alert on phishing emails impersonating crypto companies, , and Zbigniew Tenerowicz's "Eval all the Strings!" talk on Hardened JavaScript. Browse previous editions of the MetaMask Crypto Security Report for more threats, trends, and tips for staying safe across the ecosystem.
Alpha를 구독하고 시장 알파를 이메일로 바로 받아보세요
Luker
Jen Luker, known by most as just Luker, is the Director of Product Security at Consensys, where she leads the frontline defenders who protect millions of users from vulnerabilities, emerging threats, and malicious actors across decentralized tech. An active participant in the Ethereum ecosystem since 2017, she has held key roles including Editor at ETHNews and Project Manager at MyCrypto. Luker is a regular speaker at industry conferences, the author of MetaMask's monthly Crypto Security Report, and an official ETH Security Badge holder as designated by The DAO. She's also a passionate advocate for continuous education and security awareness as essential pillars for the future of Ethereum and blockchain technology.