Crypto Security Report: November 2022

Featuring LavaMoat's rollout of Snow and global scuttling to the MetaMask Extension, the case for integrating Snow into MetaMask, a Twitter Space on Snaps and self-custody after the FTX collapse, and Google Sites and Telegram trading bot scams.

6 minutes
Crypto Security Report: November 2022

Each month, MetaMask Security Director Luker reports on the latest crypto attacks and emerging risks that you need to know about.

November 2022 saw LavaMoat roll Snow and global scuttling into production for all users, including MetaMask Extension, alongside a quadruply-backflipped SES build, Node.js domain taming, and an initial bin confusion mitigation, while Endo prototyped a general-purpose bundler and the Threat Intelligence Team started a STIX-based DeFi incident database. On the community side, MetaMask shared Kumavis's Devcon talk on JavaScript supply chain security, Gal Weizman made the case for integrating Snow into the extension, and a Twitter Space explored how Snaps can strengthen self-custody in the wake of the FTX collapse. Cautionary tales rounded out the month: Google Ads and Google Sites phishing, a malicious Chrome extension pushed through fake Flash Player updates, and Telegram trading bot scams. The full breakdown is below, but first...

Daphne Oram (1925–2003) co-founded the BBC Radiophonic Workshop in 1958 and pioneered the technique she called Oramics, drawing shapes directly onto film to synthesize sound. Her work translating hand-drawn patterns into precise signals prefigured the kind of signal-and-pattern thinking that underpins how self-custodial wallet software verifies data. Oram spent her career insisting that highly technical tools could be made expressive and accessible to non-specialists.

LavaMoat rolls out Snow and global scuttling to the MetaMask Extension

November 2022 marked a significant production rollout for LavaMoat. Snow (recursive iframe and realm security) and global scuttling (removing original global references after policy-based capture) shipped for all LavaMoat users, including MetaMask Extension. A "quadruply backflipped" version of SES with several powerful updates was introduced into LavaMoat for the upcoming release, including domain taming in Node.js—notable because some packages still use Node's long-deprecated domain module. The initial version of bin confusion attack mitigation was merged into @lavamoat/allow-scripts, to be available behind a flag in the next release. A new CLI for setting up all LavaMoat tools in a repository through a few guided questions was also in development.

Endo prototypes a general-purpose bundler on its compartment mapper

The Endo project experimented with using Endo to power a bundler, building a proof-of-concept general-purpose bundler on top of its compartment mapper. The work triggered a range of features and improvements across the Endo codebase, including a fix to a bug in how named reexports are handled.

MetaMask threat intelligence team builds a DeFi incident database on STIX

MetaMask’s Threat Intelligence Team began work on a standardized data store for incidents in the decentralized finance (DeFi) space. The records use the STIX (Structured Threat Information Expression) language, aiming to serve as a source of truth that provides insights to both specialists and enthusiasts tracking DeFi security incidents.

MetaMask co-founder Kumavis  shares JavaScript supply chain security talk at Devcon 2022 

MetaMask’s own Kumavis presented a Devcon 2022 talk called The Attacker is Inside, on JavaScript supply chain security. He explained  how software supply chain attacks work in the JavaScript and crypto ecosystems—where every project builds on shared open source—and how MetaMask’s free, open-source LavaMoat tool that protects users and their wallets.

Gal Weizman makes the case for integrating Snow into the MetaMask Extension

LavaMoat contributor Gal Weizman published "Integrating Snow into MetaMask", arguing for deploying the Snow browser security technology directly into the MetaMask browser extension. Snow enforces recursive realm ownership across all iframes, closing the attack surface where newly created browser realms are used to reach untampered API references and bypass policies applied to the top-level window.

Snaps can improve self-custodial security: FTX prompts a Twitter Space on account management

In the wake of the FTX collapse, a Twitter Space hosted by MetaMask brought together Christian Montoya (MetaMask), Zen Yong (Web3Auth), and Chirag Titiya (Biconomy) to discuss how permissionless innovation through MetaMask Snaps can help users take control of their own funds and better protect their Secret Recovery Phrases. As Zen Yong put it, the FTX event "could have had less of an impact on crypto in general if more people were to [practice] self custody." Montoya noted that the goal is to let developers build new account management options into MetaMask—giving new users easier, safer choices that reduce the risk of losing a key or having an account compromised.

Phishing campaigns continued to abuse Google infrastructure to target crypto wallet users. The Verge previously documented how phishers use Google Ads to trick people out of their crypto, and users should also watch for URLs beginning with "sites.google." As Mashable reported, scammers have also found success building phishing websites on Google Sites, copying the designs of trusted websites to trick people into entering sensitive information.

Malicious Chrome extension spreads through fake Adobe Flash Player updates

BleepingComputer reported on a malicious Chrome extension that gives attackers remote control of a browser. The extension is not available on the official Chrome Web Store and is instead circulated through alternative channels, such as websites pushing fake Adobe Flash Player updates. The takeaway for users: avoid installing browser extensions or "updates" from unofficial sources.

Telegram trading bot scams put wallet keys at risk

Warnings circulated on social media in November 2022 about malicious activity on Telegram and trading bots. Twitter user Big D  flagged a Trojan spreading through Telegram that could download to a phone through an easy-to-miss automatic setting, while another analysis examined how users’ Private Keys can be exposed within trading bots. The adoption of trading bots is rising,but granting them wallet access can put funds at risk.


MetaMask's November 2022 Crypto Security Report covered LavaMoat's production rollout of Snow and global scuttling to the MetaMask Extension, a Twitter Space on how MetaMask Snaps can strengthen self-custody in the wake of the FTX collapse, and cautionary tales spanning Google Ads and Google Sites phishing, a malicious Chrome extension, and Telegram trading bot scams. Browse previous editions of the MetaMask Crypto Security Report for more threats, trends, and tips for staying safe across the ecosystem.

  • Luker
    Luker

      Jen Luker, known by most as just Luker, is the Director of Product Security at Consensys, where she leads the frontline defenders who protect millions of users from vulnerabilities, emerging threats, and malicious actors across decentralized tech. An active participant in the Ethereum ecosystem since 2017, she has held key roles including Editor at ETHNews and Project Manager at MyCrypto. Luker is a regular speaker at industry conferences, the author of MetaMask's monthly Crypto Security Report, and an official ETH Security Badge holder as designated by The DAO. She's also a passionate advocate for continuous education and security awareness as essential pillars for the future of Ethereum and blockchain technology.

      Read all articles