MetaMask Security Monthly: April 2023
The Security Lab team has been hard at work and there have been multiple security research investigations. Plus: exciting news about a new transaction security feature!
Michael Faraday, contributor to the fields of electromagnetism and electrochemistry, c. 1850s
exitModuleImportHookhas been renamed to
importHookand awaits merging in compartment-mapper.
- SES 0.18.3+ now includes previously mentioned React Native Android JSC fix regarding nonstandard AsyncGenerator and AsyncFunctionPrototype.
- Exploration on BigInt compatibility with MetaMask mobile libraries was completed to determine the best path forward for mobile, while evaluating SES compatibility. The big-integer shim does not yet fully support @ethereumjs/util. React-native-v8 is fully compatible, but has a blocking performance issue open. Hermes provides a working BigInt implementation but presents other compatibility issues for MM and doesn’t support the with statement necessary for SES.
- Various TypeErrors with SES 0.18.3+ under investigation on RN 0.71.6 are getting us closer to locking down MetaMask mobile, which is currently being upgraded from 0.66.5, including RN 0.72.0-rc1.
- The LavaMoat team had representation at React Native London meetup and Node Congress Berlin - look out next month for the video of a talk given by our own Zbigniew Tenerowicz!
- Last month’s approach to secure bundling worked. However, limitations were so severe that we had to go from loader to a plugin, and find a better stage in the bundling process for performing the wrapping of each module. The plugin PoC, codenamed ScorchWrap, is capable of seamlessly creating a basic bundle with real dependencies regardless of the types of code there (CommonJS, ESM, or built typescript). Further work is needed for compatibility with other plugins and large-scale testing.
- Kicked off early research into SES compatibility with Hermes: https://github.com/facebook/hermes/issues/957
@lavamoat/allow-scriptsYarn Berry (3+) support has started
- Presentations on React Native new architecture, including LavaMoat and locking down React Native, are underway
✨MetaMask Feature Highlight✨
OpenSea Transaction Security
This experimental, opt-in feature was announced on April 5, and has already been responsible for preventing over 4k transactions that would likely have resulted in lost funds! We’re excited about this cross collaboration between MetaMask, OpenSea, and Blockaid (who lends their analysis of ecosystem dangers to the feature) and are exploring even more ways to keep transactions secure.
As part of our ongoing commitment to keep our community safe and secure, we’re working with our friends @opensea and @blockaid_ on an experimental feature in @MetaMask that will warn users when interacting with known scams. pic.twitter.com/MPn9yE7utD— MetaMask 🦊💙 (@MetaMask) April 5, 2023
Exploration of XSS Vulnerability on Snyk Advisor
MetaMask Security’s Gal Wietzman discussed his investigation in “CVE-2023-1767 - Stored XSS on Snyk Advisor service can allow full fabrication of npm packages health score.”
“tl;dr - a stored XSS in Snyk Advisor (domain:snyk.io) allowed me to fabricate the health score granted for packages in my control, which I leveraged into making it seem as my “malicious” package is in fact healthy, popular and legitimate, which could have served an attacker to convince others to install an actual malicious npm package.”
Monkey Drainer may be history, but Venom Drainer took its place almost overnight. Scam Sniffer has been keeping tabs, and released this report in early April:
New Scam as a Service Provider: Venom Drainer— Scam Sniffer (@realScamSniffer) April 3, 2023
💸 Drained $27M from ~15k victims, with the top 5 victims losing $14M
🐍 ~530 phishing sites created, targeting ~170 brands
🚨 Stats: https://t.co/6AHAgXskQD
Monumental Drainer Campaign Targets Crypto OGs
Mid-month, Taylor Monahan and Harry Denley from MetaMask dove into an extensive probe when it was discovered that a multichain offensive was targeting people who have been active in the ecosystem for years - many of them well versed in personal security. The keys in question were created between 2014-2022. This investigation is still ongoing.
For the past 48hrs I've been unwinding a massive wallet draining operation 😳😭— Tay 💖 (@tayvano_) April 18, 2023
I don't know how big it is but since Dec 2022 it's drained 5000+ ETH and ??? in tokens / NFTs / coins across 11+ chains.
Its rekt my friends & OGs who are reasonably secure.
No one knows how. pic.twitter.com/MafntG7RkP
“The blockchain explorer will now hide zero-value token transfer displays on its website by default. The setting aims to prevent users from becoming victims of "address poisoning" hacks, in which attackers send virtually valueless tokens to a user's wallet addresses to bait them into sending tokens to a scam address.”
Tales of Caution
We’ve mentioned these types of scams before, but it’s always a good reminder to double check URLs, use bookmarks when possible, and generally avoid any sponsored content in Google searches. There are several ad blocking extensions available that can help minimize this issue.
Keep reading our latest stories
Developers, security news, and more