MetaMask Security Monthly: April 2023

The Security Lab team has been hard at work and there have been multiple security research investigations. Plus: exciting news about a new transaction security feature!

by Luker, May 1, 2023

Security Laboratory



Michael Faraday, contributor to the fields of electromagnetism and electrochemistry, c. 1850s

Endo


  • exitModuleImportHook has been renamed to importHook and awaits merging in compartment-mapper.
  • SES 0.18.3+ now includes previously mentioned React Native Android JSC fix regarding nonstandard AsyncGenerator and AsyncFunctionPrototype.
  • Exploration of BigInt compatibility with the MetaMask mobile libraries was completed to determine the best path forward for mobile while evaluating SES compatibility. The big-integer shim does not yet fully support @ethereumjs/util. React-native-v8 is fully compatible but has a blocking performance issue open. Hermes provides a working BigInt implementation but presents other compatibility issues for MetaMask and does not support the JavaScript with statement that SES requires.
  • Various TypeErrors with SES 0.18.3+ on React Native 0.71.6 are under investigation and are getting us closer to locking down MetaMask mobile, which is currently being upgraded from React Native 0.66.5, including React Native 0.72.0-rc1.
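To make the Hermes point above concrete, here is an added, simplified illustration (not code from SES, Endo or MetaMask) of the technique a SES-style compartment evaluator relies on: guest code is run inside a with statement whose scope object is a Proxy, so every free-variable lookup and assignment is routed to the compartment's own globals instead of the host's. An engine that cannot parse with (the Hermes issue linked below) cannot build this wrapper at all. The makeCompartment, isConfined and hostSupportsWith names and the toy endowments are assumptions made for the illustration.

```javascript
// Added illustration, not SES's own code: a toy compartment built on `with` + Proxy.
// Real SES additionally freezes the shared intrinsics (lockdown) and handles many
// more edge cases; this only shows why the `with` statement is needed.
function makeCompartment(endowments = {}) {
  // Compartment globals on a null-prototype object so nothing leaks in from Object.prototype.
  const globals = Object.assign(Object.create(null), endowments);

  const scopeProxy = new Proxy(globals, {
    // Claim every name: otherwise an unknown identifier would fall through the
    // `with` scope and resolve against the host's real global object.
    has: () => true,
    get: (target, prop) => {
      // The engine consults @@unscopables before binding a name; report "none".
      if (prop === Symbol.unscopables) return undefined;
      if (prop in target) return target[prop];
      throw new ReferenceError(`${String(prop)} is not defined in this compartment`);
    },
    // Assignments to free variables land in the compartment, never on globalThis.
    set: (target, prop, value) => {
      target[prop] = value;
      return true;
    },
  });

  return {
    globals,
    evaluate(src) {
      // The Function constructor always yields a sloppy-mode function, so `with`
      // is legal here even when this file itself is a strict ES module.
      const run = new Function('scopeProxy', `with (scopeProxy) { return (${src}); }`);
      return run(scopeProxy);
    },
  };
}

// True when the guest expression is stopped by the scope proxy (a ReferenceError),
// i.e. the confinement held and no host name was reachable.
function isConfined(compartment, src) {
  try {
    compartment.evaluate(src);
    return false;
  } catch (e) {
    return e instanceof ReferenceError;
  }
}

// What the Hermes issue is about: an engine without `with` cannot even parse the
// evaluator's wrapper. On V8 and JavaScriptCore (and therefore Node) this is true.
function hostSupportsWith() {
  try {
    new Function('with ({}) {}');
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Demo: only endowed names resolve; globalThis/process are unreachable;
// a stray assignment stays inside the compartment.
const demo = makeCompartment({ a: 2, b: 3, Math });
console.log(demo.evaluate('Math.max(a, b) * 10'));          // 30
console.log(isConfined(demo, 'globalThis'));                 // true
console.log(isConfined(demo, 'process'));                    // true
demo.evaluate('leaked = 42');
console.log(demo.globals.leaked, typeof globalThis.leaked);  // 42 'undefined'
console.log(hostSupportsWith());                             // true on Node
```

Note that endowing the real Math object hands the guest a mutable host intrinsic; that is exactly the gap SES closes with lockdown, which this toy omits.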

LavaMoat


  • The LavaMoat team had representation at React Native London meetup and Node Congress Berlin - look out next month for the video of a talk given by our own Zbigniew Tenerowicz!
  • Last month’s approach to secure bundling worked, but its limitations were so severe that we had to move from a loader to a plugin and find a better stage in the bundling process at which to wrap each module. The plugin PoC, codenamed ScorchWrap, can seamlessly create a basic bundle with real dependencies regardless of the kind of code involved (CommonJS, ESM, or compiled TypeScript). Further work is needed for compatibility with other plugins and for large-scale testing.
  • Kicked off early research into SES compatibility with Hermes: https://github.com/facebook/hermes/issues/957
  • @lavamoat/allow-scripts Yarn Berry (3+) support has started.
  • Presentations on the React Native new architecture, including LavaMoat and locking down React Native, are underway.

✨MetaMask Feature Highlight✨


OpenSea Transaction Security


This experimental, opt-in feature was announced on April 5 and has already been responsible for preventing over 4k transactions that would likely have resulted in lost funds. We’re excited about this collaboration between MetaMask, OpenSea, and Blockaid (who lend their analysis of ecosystem dangers to the feature) and are exploring even more ways to keep transactions secure.

Exploration of XSS Vulnerability on Snyk Advisor


MetaMask Security’s Gal Weizman discussed his investigation in “CVE-2023-1767 - Stored XSS on Snyk Advisor service can allow full fabrication of npm packages health score.”

“tl;dr - a stored XSS in Snyk Advisor (domain: snyk.io) allowed me to fabricate the health score granted for packages in my control, which I leveraged into making it seem as if my “malicious” package is in fact healthy, popular and legitimate, which could have served an attacker to convince others to install an actual malicious npm package.”

Dastardly Drainers


Venom Drainer


Monkey Drainer may be history, but Venom Drainer took its place almost overnight. Scam Sniffer has been keeping tabs, and released this report in early April.

Monumental Drainer Campaign Targets Crypto OGs


Mid-month, Taylor Monahan and Harry Denley from MetaMask dove into an extensive probe when it was discovered that a multichain offensive was targeting people who have been active in the ecosystem for years, many of them well versed in personal security. The keys in question were created between 2014 and 2022. This investigation is still ongoing.

Good News


CoinDesk reports “Etherscan Reconfigures Blockchain Explorer Settings to Filter Out Potential Scams.”

“The blockchain explorer will now hide zero-value token transfer displays on its website by default. The setting aims to prevent users from becoming victims of "address poisoning" hacks, in which attackers send virtually valueless tokens to a user's wallet addresses to bait them into sending tokens to a scam address.”
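As an added example of the defensive behaviour described in that quote (not Etherscan's or MetaMask's code), the block below hides zero-value token transfers by default, flags counterparties whose displayed prefix and suffix imitate a saved contact, and keeps addresses seen only in zero-value transfers out of "recent recipient" suggestions, which is the bait an address-poisoning sender relies on. The transfer record shape, the address book, and every address and value are constructed for the illustration; the function names are assumptions.

```javascript
// Added example, not Etherscan's or MetaMask's code. All addresses, values and
// the record shape below are constructed; a real wallet would take these from
// its indexer and address book.
const MY_ADDRESS = '0x' + 'a'.repeat(40);
const EXCHANGE = '0x1a2b' + '0'.repeat(32) + '9f8e';   // saved contact
const POISONER = '0x1a2b' + 'f'.repeat(32) + '9f8e';   // same leading/trailing digits
const STRANGER = '0x' + '7'.repeat(40);

const ADDRESS_BOOK = { [EXCHANGE]: 'Exchange deposit' };

// Constructed token-transfer history; value is in the token's base units, as a string.
const SAMPLE_TRANSFERS = [
  { hash: '0x01', from: MY_ADDRESS, to: EXCHANGE,   token: 'USDC', value: '250000000' }, // genuine withdrawal
  { hash: '0x02', from: POISONER,   to: MY_ADDRESS, token: 'USDC', value: '0' },         // poisoning attempt
  { hash: '0x03', from: STRANGER,   to: MY_ADDRESS, token: 'USDT', value: '0' },         // zero-value spam
  { hash: '0x04', from: STRANGER,   to: MY_ADDRESS, token: 'USDT', value: '5000000' },   // real deposit
];

const norm = (addr) => addr.toLowerCase();

// Two distinct addresses that agree on the leading and trailing hex digits a
// wallet UI typically shows (e.g. 0x1a2b...9f8e), so they look identical at a glance.
function looksAlike(a, b, shown = 4) {
  a = norm(a);
  b = norm(b);
  return a !== b
    && a.slice(2, 2 + shown) === b.slice(2, 2 + shown)
    && a.slice(-shown) === b.slice(-shown);
}

function isZeroValue(transfer) {
  return BigInt(transfer.value) === 0n;
}

// The counterparty is whichever side of the transfer is not the user.
function counterpartyOf(transfer, me) {
  return norm(transfer.from) === norm(me) ? norm(transfer.to) : norm(transfer.from);
}

// Annotate each transfer: hidden by default when zero-value (Etherscan's new
// default), and flagged when the counterparty imitates a saved contact.
function classifyTransfers(transfers, addressBook, me) {
  const known = new Map(Object.entries(addressBook).map(([k, v]) => [norm(k), v]));
  return transfers.map((t) => {
    const counterparty = counterpartyOf(t, me);
    const imitated = [...known.keys()].find((k) => looksAlike(k, counterparty));
    return {
      hash: t.hash,
      counterparty,
      hidden: isZeroValue(t),
      poisoning: Boolean(imitated),
      warning: imitated
        ? `resembles saved contact "${known.get(imitated)}" (${imitated})`
        : null,
    };
  });
}

// Mitigation on the send side: only addresses seen in at least one non-zero-value
// transfer qualify as "recent recipients", so a poisoning payload never becomes
// a one-click suggestion.
function recentRecipientCandidates(transfers, me) {
  const seenWithValue = new Map();
  for (const t of transfers) {
    const cp = counterpartyOf(t, me);
    seenWithValue.set(cp, (seenWithValue.get(cp) || false) || !isZeroValue(t));
  }
  return [...seenWithValue].filter(([, real]) => real).map(([cp]) => cp);
}

// Demo run over the constructed history.
for (const row of classifyTransfers(SAMPLE_TRANSFERS, ADDRESS_BOOK, MY_ADDRESS)) {
  console.log(row.hash, row.hidden ? 'hidden' : 'shown', row.warning || '');
}
console.log('recent recipients:', recentRecipientCandidates(SAMPLE_TRANSFERS, MY_ADDRESS));
```

The look-alike check compares only the digits the UI renders, because that is all a hurried user compares; the full 40-digit comparison still happens wherever an address is actually signed into a transaction.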

Tales of Caution


Google Search Ad Phishing Has Resulted In $4 Million Being Stolen



We’ve mentioned these types of scams before, but it’s always a good reminder to double-check URLs, use bookmarks when possible, and generally avoid sponsored content in Google search results. Several ad-blocking extensions are available that can help minimize this issue.
