MetaMask Security Monthly: December 2023

As we wrap up the year, we take a look at how MetaMask is pushing security with LavaMoat and Snaps, as well as our presence at the Blockchain Association Policy Summit.

by Luker, December 22, 2023


LavaMoat and the Ledger Software Supply Chain Attack


By now you’ve likely heard about the attack on Ledger Connect Kit that was estimated by researcher ZackXBT to have drained the equivalent of over USD 610,000 from users. To find out more about what happened, the importance of dependency management, and how LavaMoat can make products safer, read the write-up from MetaMask co-founder Kumavis.


Guard Your Wallet With Security Snaps



The list of security Snaps included in the MetaMask Snaps open beta is growing! Staying safe has never been more important. Learn how to protect your funds with 12 Snaps for security available right now on the MetaMask Snaps Directory:

  • Wallet Guard: Protect your crypto with transaction insights and proactive security alerts
  • Web3 Security: Integrates AnChain’s AI-powered Blockchain Ecosystem Intelligence scores into MetaMask
  • Tenderly TX Preview: Preview transactions before sending them on-chain to get valuable insights, avoid failed transactions, and save funds
  • Kleros Scout: Retrieve transaction insights using contract metadata from the Kleros Curate registries
  • Forta: Automatically scans the addresses in your pre-signed transaction against Forta's database of known scammers
  • Blockfence: Empowers you to evaluate the safety of your transactions before giving them a green light
  • Saferoot: Intercepts dangerous transactions in real-time and instantly moves your assets to safety
  • Assets Risk Detection: Detect risks of user assets with GoPlus Security
  • TM ChainSafer: Offers transaction insight and security assessment to highlight transaction risk and increase transaction awareness
  • Web3 Antivirus: Transact safely in Web3 with reports about scams and risks: honeypots, poisoning attacks, and more
  • Quick Intel: Real-time token risk analysis across 28 blockchains
  • Dedaub: Simulate transactions, verify the reputation and trustworthiness of involved accounts, and calculate the financial impact

Learn more about MetaMask Snaps and add Security Snaps to your web3 arsenal today!

🎙️ MetaMask in the Security Ecosystem 🔎


Global Crypto Networks and U.S. National Security at the Blockchain Association Policy Summit

Taylor Monahan joins Consensys attorney Bill Hughes and a panel of experts from various U.S. government agencies to discuss North Korean hackers, crypto regulation policy, and more.

Enhance Your Wallet Security: How to Stay Safe in Web3

Christian Montoya recently joined Web3 Antivirus for an X (FKA Twitter) Space to further discuss how LavaMoat can protect against supply chain attacks like the Ledger incident, the Decentralized Infrastructure Network (DIN) being worked on by Infura, the dangers of eth_sign, and much more! Oh yeah, and of course MetaMask Snaps 😉.

Chris Blec Interviews Taylor Monahan

Tales of Caution


KyberSwap Exploiter Demands Complete Control of Organization


Summary

The hacker responsible for the $46-million KyberSwap exploit has demanded "complete executive control" over the KyberSwap protocol in exchange for returning the stolen funds. The hacker's conditions, outlined in an on-chain message, include full authority over the company's governance mechanism, KyberDAO, and ownership of all company-related documents and assets. The hacker also promised to double employees' salaries, provide a 12-month severance package, and ensure tokenholders' investments would not be worthless.

How Users Can Protect Themselves

At the moment, negotiations and law enforcement investigations are still ongoing. In the meantime, users must be cognisant of scammers claiming to represent the KyberSwap team. Stay informed of the latest developments using KyberSwap's official channels.

To mitigate the impact of future attacks, it's recommended to never invest more than you are willing to lose. There is always a risk involved any time you deposit your tokens with a third party.

HECO Bridge drained for $87M


Summary

The HTX exchange, formerly known as Huobi, suffered a security breach resulting in the loss of approximately $87 million in crypto assets. The bridge between HTX and Ethereum was exploited, with large amounts of ether, tether (USDT), and a wrapped version of bitcoin (HBTC) transferred to a previously unused Ethereum wallet. Blockchain security firms CertiK, PeckShield, and Cyvers suggest the bridge's private key was likely compromised. HTX Global's two hot wallets also lost funds. This incident follows a pattern of security issues in blockchain projects associated with board member Justin Sun, including a recent 100 million exploit at Poloniex, an exchange Sun acquired. It remains unclear whether the two incidents are directly related.

How Users Can Protect Themselves

Justin Sun reported: “HTX will fully compensate for HTX’s hot wallet losses…All funds in HTX are secure and the community can rest assured.” Protocol operators are reminded to take wallet security and monitoring seriously. Using multi-sig wallets, and applying sound private key management to any wallet that is not multi-sig, is a very important step in your security posture, especially in web3.

Tether (USDT) starts to blocklist addresses on the OFAC list


Summary

Tether has announced a new voluntary wallet-freezing policy to combat activities linked to sanctioned individuals on the Office of Foreign Assets Control (OFAC) Specially Designated Nationals (SDN) List. This initiative, which includes freezing wallets previously added to the SDN List, is part of Tether's ongoing commitment to creating a secure environment for users and working closely with global regulators and law enforcement agencies. Paolo Ardoino, CEO of Tether, believes this strategy will strengthen the positive use of stablecoin technology and enhance the safety of the stablecoin ecosystem for all users.

How Users Can Protect Themselves

It is recommended to familiarize yourself with the types of on-chain activities that could lead to inclusion on this list. Furthermore, if you find yourself added to the list and believe it to be an error or unjust, you have the option to reach out to OFAC for clarification or rectification.
