Discover MetaMask Portfolio today. Track and manage your web3 assets in one place!
All posts

MetaMask Security Monthly: August 2022

Ensuring MetaMask is safe, secure, and stable enough for continued viral growth.

by HermanAugust 26, 2022
Security report august
  • Copied

Security Lab

Endo

Initial experiments with adding LavaMoat style policy to Endo’s compartment mapper prove it can be done. A proof of concept of selectively endowing globals and access to dependencies completed successfully. The policy, as defined at load time or while creating an archive, is embedded into the compartment mapper and enforced during linking. Errors from missing globals happen no sooner than at runtime, but that’s simply a result of a global not being defined in the compartment. Further work includes:

  • Improvements to package identifiers.
  • Nested properties in policy globals.
  • Wrapping/unwrapping for this value of endowed functions.
  • More experimentation around built-ins attenuation.

LavaMoat Updates

  • Experimenting with denying access to powerful references even if a compartment was accidentally endowed with an object containing nested global reference.
  • Documentation refresh in progress.

LavaMoat > Snow

Snow, a LavaMoat initiative, is a tool to ensure recursive ownership of windows created within a webpage. Check out the repo here.

Snow has gone through a bit of testing and exploitation. Multiple vulnerabilities were patched, one of them triggered a major improvement in securing the inner workings of Snow, leading to a potential of using SES lockdown().

Ecosystem Safety and the Merge

There has been a notable effort on the part of scammers and phishers to take advantage of uncertainty and lack of technical understanding surrounding Ethereum’s upcoming Merge, and separate users from their tokens.

Sophisticated emails meant to look like trusted entities in the space have been circulating, encouraging users to “convert their ETH to ETH 2.0”, among other things. For our part, we’ve been doing our best to boost the signal on legitimate sources of information, on Twitter and the ConsenSys blog, for example.

Of course, the same old scams are still out there; we’ve written up a piece explaining the current iteration of honeypot scams that are making the rounds.

Incident Response

Reporting a Security Vulnerability

If you want to report a security issue, you can safely submit it to our HackerOne Bug Bounty Program at hackerone.com/metamask. Therein, a human being will look at your report and give you a first response within 24 hours or less.

Metrics

Since the launch of our bug bounty program on June 13th, we have received 171 reports. Our average time of first response is 5 hours. We have 5 resolved issues, 1 with Low Severity, 3 with Medium Severity, and 1 with High Severity. With a Medium Time to Repair (MTTR) of 44.4 days, we have awarded the reporters of these repaired issues with $22,000.

Metrics

Receive our Newsletter

Keep reading our latest stories

Developers, security news, and more

All posts
Estimated Balance Changes (1)
Introducing estimated balance changes for clear transaction outcomes
With estimated balance changes, MetaMask users will get better insight into their send and receive amounts after submitting transactions.
by MetaMask, Kyle DetzJuly 25, 2024
token autodetection feature
MetaMask UI Update: Token Auto-Detection Now Available by Default on Extension
Token auto-detection is now enabled by default for new users on MetaMask Extension.
by MetaMaskJuly 11, 2024
Fiat toggle feature
MetaMask UX Update: Fiat Value Toggle in Testnets for Mobile Users
The new update introduces a toggle for fiat values on testnets enhancing awareness and preventing scams.
by MetaMaskJuly 3, 2024

Learn More

About
Developers
Download
MetaMask Institutional
News
Security

Get Involved

GitHub
Gitcoin
Open Positions
Swag Shop
Press & Partnerships

Legal

Privacy Policy
Terms of Use
Contributor License Agreement
Site Map
©2024 MetaMask • A Consensys Formation