MetaMask Security Monthly: August 2023
The big news is a cross-collaboration of security experts in the space to create Seal 911.
MetaMask had a presence at Defcon in Las Vegas and Ethereum Argentina. And we saw another real-world example of the kind of supply chain attack that LavaMoat can help mitigate.
Jean-Maurice-Émile Baudot and Baudot Keyboard. Baudot invented the first means of digital communication, Baudot code.
🎙️ MetaMask in the Security Ecosystem 🔎
Security experts from MetaMask, along with those from Paradigm, Yearn, and Polygon, have teamed up to create an experimental Telegram bot hotline solution for users who are experiencing crypto emergencies. Our own Taylor Monahan and Harry Denley are pitching in on the project, dubbed Seal 911.
Our experimental solution: a Telegram bot which anyone can use during emergencies to get in touch with trusted members of the security community and their extensive network of contacts.https://t.co/PpVfraqZrq— @samczsun.com (@samczsun) August 7, 2023
The latest update on Snow from MetaMask's Gal Weizman: "Today marks a big day in the life of Snow, where we come to the mature realization that in order for the project to stop chasing defensive security it has to take some bold steps at the cost of adoption and functional behaviour."
"Have you heard of software supply chain? Yes, that's the thing where it turns out you're responsible for what your app takes from the
node_modulesfolder after all. Today we're going to assume all the auditing tools have failed and you've got malicious code running in your app's process. Whatever color your hat is, you better hold on to it."
Secure design specialist Antonela Debiasi took the Mainet stage at Ethereum Argentina to discuss the trust model in cryptocurrency networks, pointing out the difference between indicators of trust and indicators of corporate security.
- LavaMoat monorepo is switching to npm workspaces and release-please for release management. Soon LavaMoat releases will be automated and much faster.
- ScorchWrap webpack plugin supports multiple entry points and chunks. Enforcing policy on module requirements is now implemented. Remaining work for the first beta release includes getting the policy enforced on globals. LavaMoat GitHub PR
- SES lockdown is being split into two stages, allowing for “Vetted Shims” to be applied to intrinsics after repair, but before freezing. Endo GitHub PR It should help compatibility and let us get past one of the final blockers to running MetaMask Mobile with lockdown.
- SES on MetaMask mobile remains locking down pre-bundle and allowing for reflect-metadata as a trusted shim, as it is a direct dependency of our @consensys/on-ramp-sdk being used as a HOC provider wrapped around the Settings screen.
Phylum reported in early August that they had been alerted to a series of suspicious npm publications, including “a typosquat of a popular cryptocurrency library and a dependency that contained the malicious code buried deep in a large file that most developers would never bother looking at.” This is precisely the type of supply chain attack that LavaMoat is meant to protect against!
Keep reading our latest stories
releases, security news, and more