MetaMask Security Monthly: April 2023

Security Laboratory

Michael Faraday, contributor to the fields of electromagnetism and electrochemistry, c. 1850s

Endo

• exitModuleImportHook has been renamed to importHook and awaits merging in compartment-mapper.
• SES 0.18.3+ now includes previously mentioned React Native Android JSC fix regarding nonstandard AsyncGenerator and AsyncFunctionPrototype.
• Exploration on BigInt compatibility with MetaMask mobile libraries was completed to determine the best path forward for mobile, while evaluating SES compatibility. The big-integer shim does not yet fully support @ethereumjs/util. React-native-v8 is fully compatible, but has a blocking performance issue open. Hermes provides a working BigInt implementation but presents other compatibility issues for MM and doesn’t support the with statement necessary for SES.
• Various TypeErrors with SES 0.18.3+ under investigation on RN 0.71.6 are getting us closer to locking down MetaMask mobile, which is currently being upgraded from 0.66.5, including RN 0.72.0-rc1.

LavaMoat

• The LavaMoat team had representation at React Native London meetup and Node Congress Berlin - look out next month for the video of a talk given by our own Zbigniew Tenerowicz!
• Last month’s approach to secure bundling worked. However, limitations were so severe that we had to go from loader to a plugin, and find a better stage in the bundling process for performing the wrapping of each module. The plugin PoC, codenamed ScorchWrap, is capable of seamlessly creating a basic bundle with real dependencies regardless of the types of code there (CommonJS, ESM, or built typescript). Further work is needed for compatibility with other plugins and large-scale testing.
• Kicked off early research into SES compatibility with Hermes: https://github.com/facebook/hermes/issues/957
• @lavamoat/allow-scripts Yarn Berry (3+) support has started
• Presentations on React Native new architecture, including LavaMoat and locking down React Native, are underway

✨MetaMask Feature Highlight✨

OpenSea Transaction Security

This experimental, opt-in feature was announced on April 5, and has already been responsible for preventing over 4k transactions that would likely have resulted in lost funds! We’re excited about this cross collaboration between MetaMask, OpenSea, and Blockaid (who lends their analysis of ecosystem dangers to the feature) and are exploring even more ways to keep transactions secure.

As part of our ongoing commitment to keep our community safe and secure, we’re working with our friends @opensea and @blockaid_ on an experimental feature in @MetaMask that will warn users when interacting with known scams. pic.twitter.com/MPn9yE7utD

— MetaMask 🦊💙 (@MetaMask) April 5, 2023

Exploration of XSS Vulnerability on Snyk Advisor

MetaMask Security’s Gal Wietzman discussed his investigation in “CVE-2023-1767 - Stored XSS on Snyk Advisor service can allow full fabrication of npm packages health score.”

“tl;dr - a stored XSS in Snyk Advisor (domain:snyk.io) allowed me to fabricate the health score granted for packages in my control, which I leveraged into making it seem as my “malicious” package is in fact healthy, popular and legitimate, which could have served an attacker to convince others to install an actual malicious npm package.”

Dastardly Drainers

Venom Drainer

Monkey Drainer may be history, but Venom Drainer took its place almost overnight. Scam Sniffer has been keeping tabs, and released this report in early April:

New Scam as a Service Provider: Venom Drainer

💸 Drained $27M from ~15k victims, with the top 5 victims losing $14M
🐍 ~530 phishing sites created, targeting ~170 brands
🚨 Stats: https://t.co/6AHAgXskQD

— Scam Sniffer (@realScamSniffer) April 3, 2023

Monumental Drainer Campaign Targets Crypto OGs

Mid-month, Taylor Monahan and Harry Denley from MetaMask dove into an extensive probe when it was discovered that a multichain offensive was targeting people who have been active in the ecosystem for years - many of them well versed in personal security. The keys in question were created between 2014-2022. This investigation is still ongoing.

For the past 48hrs I've been unwinding a massive wallet draining operation 😳😭

I don't know how big it is but since Dec 2022 it's drained 5000+ ETH and ??? in tokens / NFTs / coins across 11+ chains.

Its rekt my friends & OGs who are reasonably secure.

No one knows how. pic.twitter.com/MafntG7RkP

— Tay 💖 (@tayvano_) April 18, 2023

Good News

Coin Desk reports “Etherscan Reconfigures Blockchain Explorer Settings to Filter Out Potential Scams.”

“The blockchain explorer will now hide zero-value token transfer displays on its website by default. The setting aims to prevent users from becoming victims of "address poisoning" hacks, in which attackers send virtually valueless tokens to a user's wallet addresses to bait them into sending tokens to a scam address.”

Tales of Caution

Yup, phishing scammers are pretending there is a hack to try and trick users into using a fake version of @RevokeCash https://t.co/LgSdittZeJ

— hayden.eth 🦄 (@haydenzadams) April 14, 2023

Google Search Ad Phishing Has Resulted In $4 Million Being Stolen

We’ve mentioned these types of scams before, but it’s always a good reminder to double check URLs, use bookmarks when possible, and generally avoid any sponsored content in Google searches. There are several ad blocking extensions available that can help minimize this issue.