MetaMask Security Monthly: August 2023

The big news is a cross-collaboration of security experts in the space to create Seal 911.

by Luker, September 4, 2023

MetaMask had a presence at Defcon in Las Vegas and Ethereum Argentina. And we saw another real-world example of the kind of supply chain attack that LavaMoat can help mitigate.


Jean-Maurice-Émile Baudot and Baudot Keyboard. Baudot invented the first means of digital communication, Baudot code.

🎙️ MetaMask in the Security Ecosystem 🔎


Web3 Security Experts Launch Telegram Bot For DeFi Hack Victims


Security experts from MetaMask, along with those from Paradigm, Yearn, and Polygon, have teamed up to create an experimental Telegram bot hotline solution for users who are experiencing crypto emergencies. Our own Taylor Monahan and Harry Denley are pitching in on the project, dubbed Seal 911.

Snow stops playing nice - security first at the cost of everything else


The latest update on Snow from MetaMask's Gal Weizman: "Today marks a big day in the life of Snow, where we come to the mature realization that in order for the project to stop chasing defensive security it has to take some bold steps at the cost of adoption and functional behaviour."

Defensive Coding Workshop at Defcon's AppSec Village


Zibi and Kumavis led this workshop in Las Vegas. There's no recording, but you can check out the coursework and slides.

"Have you heard of software supply chain? Yes, that's the thing where it turns out you're responsible for what your app takes from the node_modules folder after all. Today we're going to assume all the auditing tools have failed and you've got malicious code running in your app's process. Whatever color your hat is, you better hold on to it."


We Shouldn't Trust Technology Intermediaries


Secure design specialist Antonela Debiasi took the Mainnet stage at Ethereum Argentina to discuss the trust model in cryptocurrency networks, pointing out the difference between indicators of trust and indicators of corporate security.


Security Laboratory


  • LavaMoat monorepo is switching to npm workspaces and release-please for release management. Soon LavaMoat releases will be automated and much faster.
  • The ScorchWrap webpack plugin now supports multiple entry points and chunks, and policy enforcement on module requirements is implemented. Remaining work for the first beta release includes enforcing the policy on globals (LavaMoat GitHub PR).
  • SES lockdown is being split into two stages, allowing “Vetted Shims” to be applied to intrinsics after repair but before freezing (Endo GitHub PR). This should improve compatibility and let us get past one of the final blockers to running MetaMask Mobile with lockdown.
  • SES on MetaMask Mobile continues to lock down pre-bundle, allowing reflect-metadata as a trusted shim, since it is a direct dependency of our @consensys/on-ramp-sdk, which is used as a HOC provider wrapped around the Settings screen.
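
As an added example (not MetaMask's, LavaMoat's or Endo's code), the staged lockdown from the SES bullet modelled with plain Object.freeze: a vetted shim extends Array.prototype before the freeze, and any patch attempted afterwards has no effect. The shim, the patch attempts and the restriction to a single intrinsic are assumptions made for the illustration; the real lockdown() API is not used.

```javascript
// Added illustration of the two-stage lockdown described above: intrinsics are
// repaired and extended by vetted shims first, then frozen, so later tampering by
// any module sharing the process fails. Object.freeze stands in for SES lockdown();
// the shim and patch attempts are constructed, and only Array.prototype is covered.
"use strict";

// Stage 1 ("repair" plus vetted shims): trusted shims may still extend intrinsics.
function applyVettedShims(shims) {
  for (const shim of shims) shim();
  return shims.length;
}

// Stage 2 ("freeze"): the protected intrinsic becomes immutable. The real
// lockdown() freezes every intrinsic; freezing one keeps this demo self-contained.
function freezeIntrinsics() {
  Object.freeze(Array.prototype);
  return Object.isFrozen(Array.prototype);
}

// Post-freeze tampering attempt. Works in both strict mode (TypeError caught) and
// sloppy mode (silent no-op), so the return value reports the actual outcome.
function attemptPatch(target, name, value) {
  try {
    target[name] = value;
  } catch (e) {
    return false;
  }
  return target[name] === value;
}

// Run the stages in the order the page describes.
const shimsApplied = applyVettedShims([
  () => Object.defineProperty(Array.prototype, "lastItem", {
    // constructed vetted shim: a small polyfill-style helper added before freezing
    value() { return this[this.length - 1]; },
    writable: true, configurable: true,
  }),
]);
const frozen = freezeIntrinsics();

// A dependency replacing Array.prototype.map would affect every caller in the
// process; after freezing, the attempt leaves the original method in place.
const originalMap = Array.prototype.map;
const mapPatched = attemptPatch(Array.prototype, "map", () => []);
const mapIntact = Array.prototype.map === originalMap;

// A shim that arrives too late (after freezing) fails the same way, which is why
// the vetted-shim stage has to sit between repair and freeze.
const lateShimApplied = attemptPatch(Array.prototype, "firstItem", function () { return this[0]; });
console.log({ shimsApplied, frozen, mapPatched, mapIntact, lateShimApplied });
```

The compatibility cost the bullet mentions is visible here too: a library that polyfills an intrinsic after the freeze simply stops working, so such shims must be vetted and applied in stage 1.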

Typosquat of popular Ethereum package on npm sends private keys to remote server


Phylum reported in early August that they had been alerted to a series of suspicious npm publications, including “a typosquat of a popular cryptocurrency library and a dependency that contained the malicious code buried deep in a large file that most developers would never bother looking at.” This is precisely the type of supply chain attack that LavaMoat is meant to protect against!
