Each month, MetaMask Security Director Luker reports on the latest crypto attacks and emerging risks that you need to know about.
The MetaMask Security team's April 2022 report covers Endo's CommonJS compatibility milestone for our npm dependency chain, LavaMoat v6's new 'a'a package naming notation cutting metamask-extension execution time roughly 600x from 10 minutes to under 1 second, MetaMask Extension adopting LavaMoat v6 supply chain protections, LavaMoat's lockdown() reaching React Native compatibility to open a path to MetaMask Mobile, and an iCloud backup advisory for MetaMask vault data. Dive into the details below, but first...
Featured STEM pioneer: Butler Lampson, father of capability-based computer security
Butler Lampson is an American computer scientist who formalized how software controls access to resources. His access matrix model, developed in the early 1970s, unified capabilities and access control lists into a single framework—and earned him the Turing Award in 1992. The capability-based isolation he pioneered is the theoretical foundation for the compartment sandboxing that Endo and LavaMoat use to protect MetaMask today.
Endo achieves CommonJS module compatibility, surfaces remaining gaps in npm package loading
Endo's CommonJS support reached a milestone in April 2022. End-to-end tests on real packages from the npm ecosystem—mostly selected from MetaMask dependencies—surfaced cases where CommonJS support was insufficient and helped drive the implementation. A test comparing multiple export shapes from CommonJS imported in ESM across Endo, Node.js, and a selection of bundlers helped set goals and avoid regressions.
The most notable changes in Endo CommonJS support during this period included wiring up exports to import * and introducing an implicit default export, improving the lexer to detect all occurrences of require and postponing missing package errors to runtime, refactoring exports handling to make module.exports the default and identify named exports, and adding support for nested package.json with type:module and arrays of optional values in package.json exports.
Progress is tracked in the CommonJS tracking epic.
Endo now supports loading CommonJS modules correctly. All remaining issues when loading real packages from npm fall into four categories: use of missing features (like require.resolve or import.meta), modification of globals and intrinsics, triggering filters protecting from injecting imports or HTML comments, and incorrect export mapping and module type resolution by Endo.
Endo experimental run command executes JS files with compartment isolation
Based on existing tooling used to wire up Endo end-to-end tests, an experimental endo run command can now execute a JS file with compartments—similar to node app.js but with Endo's isolation model applied.
Currently, all Node.js core modules are made available to require/import by the codebase and dependencies. Further work should add support for policies from LavaMoat.
LavaMoat v6 'a'a package naming cuts metamask-extension execution time 600x, from 10 minutes to under 1 second
LavaMoat v6 shipped with a new package identifier notation to prevent issues from impersonation and package name reuse. The notation, dubbed 'a'a, is now used for keys in policy files.
The initial implementation's performance was heavily impacted by inefficiencies in Node.js when looking up and accessing files. A first attempt at performance improvement—limited to two cases of simple memoization—took the worst-case execution time of 'a'a in metamask-extension from 10 minutes to 30 seconds. The cost of spikes in memory usage was too high.
A second iteration of performance diagnostics and improvements delivered over 25x less time and RAM compared to the first iteration results through a new algorithm, eliminated recursion, and local performance improvements to Node.js module resolution.
In total, the execution time improvement was roughly 600x between the first complete implementation and the current version.
MetaMask Extension adopts LavaMoat v6 supply chain protections
MetaMask Extension is now running under the protections of LavaMoat v6, with the rollout-+ tracked in PR #14488.
LavaMoat lockdown() reaches React Native compatibility, opening path to MetaMask Mobile
The fundamental step to making LavaMoat operative in React Native applications is running the SES lockdown() function. The lockdown() function protects software against supply chain attacks by listing the primordials in JavaScript and freezing prototypes, making it unlikely for a malicious actor to perform a prototype pollution attack.
A detailed writeup of the insights found during this engagement is in the React Native Compatibility Tracker. Key facts to accomplish compatibility are : allowing Metro to run the SES bundle by running .cjs files, adding specific lockdown options, removing Babel plugins, and removing the Promise polyfill. Other issues are specific to the MetaMask Mobile application, such as Sentry and EthereumJS dependencies.
The result is a pull request into the MetaMask Mobile application repository. Next steps include running end-to-end tests to confirm that lockdown() did not break additional functionality before proceeding to the next stage: integrating LavaMoat into MetaMask Mobile.
iCloud backup found to include password-encrypted MetaMask vault data
Apple users who have enabled iCloud backup for app data may be backing up their password-encrypted MetaMask vault without realizing it. If your password isn’t strong enough, and someone phishes your iCloud credentials, this can mean stolen funds. MetaMask published guidance on X with steps outlining how to control this setting on their devices.
MetaMask’s April 2022 Crypto Security Report covered Endo's CommonJS compatibility milestone for MetaMask's npm dependency chain, LavaMoat v6's 600x performance improvement in metamask-extension through the new 'a'a package naming notation, and the iCloud backup advisory for MetaMask vault data. Browse previous editions of the MetaMask crypto security report for more threats, trends, and tips for staying safe across the ecosystem.