MetaMask Security Monthly: August 2022

Ensuring MetaMask is safe, secure, and stable enough for continued viral growth.

by HermanAugust 26, 2022
Security report august

Security Lab


Initial experiments with adding LavaMoat style policy to Endo’s compartment mapper prove it can be done. A proof of concept of selectively endowing globals and access to dependencies completed successfully. The policy, as defined at load time or while creating an archive, is embedded into the compartment mapper and enforced during linking. Errors from missing globals happen no sooner than at runtime, but that’s simply a result of a global not being defined in the compartment. Further work includes:

  • Improvements to package identifiers.
  • Nested properties in policy globals.
  • Wrapping/unwrapping for this value of endowed functions.
  • More experimentation around built-ins attenuation.

LavaMoat Updates

  • Experimenting with denying access to powerful references even if a compartment was accidentally endowed with an object containing nested global reference.
  • Documentation refresh in progress.

LavaMoat > Snow

Snow, a LavaMoat initiative, is a tool to ensure recursive ownership of windows created within a webpage. Check out the repo here.

Snow has gone through a bit of testing and exploitation. Multiple vulnerabilities were patched, one of them triggered a major improvement in securing the inner workings of Snow, leading to a potential of using SES lockdown().

Ecosystem Safety and the Merge

There has been a notable effort on the part of scammers and phishers to take advantage of uncertainty and lack of technical understanding surrounding Ethereum’s upcoming Merge, and separate users from their tokens.

Sophisticated emails meant to look like trusted entities in the space have been circulating, encouraging users to “convert their ETH to ETH 2.0”, among other things. For our part, we’ve been doing our best to boost the signal on legitimate sources of information, on Twitter and the ConsenSys blog, for example.

Of course, the same old scams are still out there; we’ve written up a piece explaining the current iteration of honeypot scams that are making the rounds.

Incident Response

Reporting a Security Vulnerability

If you want to report a security issue, you can safely submit it to our HackerOne Bug Bounty Program at Therein, a human being will look at your report and give you a first response within 24 hours or less.


Since the launch of our bug bounty program on June 13th, we have received 171 reports. Our average time of first response is 5 hours. We have 5 resolved issues, 1 with Low Severity, 3 with Medium Severity, and 1 with High Severity. With a Medium Time to Repair (MTTR) of 44.4 days, we have awarded the reporters of these repaired issues with $22,000.


Receive our Newsletter