MetaMask Security Monthly: January 2023
Happy new year! Kick it off right by staying vigilant. This month, we’re looking at address poisoning attacks and read-only reentrancy. And of course, the latest update from the MetaMask Security Laboratory…
Security Laboratory
Scientist at a fast neutron chopper at the Brookhaven Graphite Research Reactor (BGRR), 1953
LavaMoat
- New features in @lavamoat/viz - now you can explore your dependencies in VR.
- Scuttling globals has been introduced into the MetaMask extension development branch. MetaMask will soon ship with the most powerful functionality removed from window of the extension UI by default. As a result, even if a malicious React component could find a way to reach window, the powerful functions would already be gone.
- The @lavamoat/snow security tool for realms now supports all major browsers in its latest release. By relying on the new version, MetaMask now has full visibility into all realms on both Chrome and Firefox.
- Introducing @lavamoat/lavatube - a new tool in the LavaMoat toolbox allowing you to recursively visit every property of every value accessible from any given starting reference. In our research team we already use LavaTube to identify dangerous leakages made by objects and APIs we are trying to defend in our apps!
Endo
- Final review of the first iteration of LavaMoat-style policy support is in progress. Minor features need to be added after that for full feature parity with LavaMoat policies, but no breaking changes are planned.
- An early implementation of a secure bundler which controls scopes without relying on eval is also in review.
💀 Address Poisoning 💀
Can you spot the difference between these two addresses?
No? That’s what the scammers are counting on! There are a lot of letters and numbers in these hexadecimal addresses. Read more about how to avoid falling for the address poisoning attacks that have been on the rise.
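As an added example (not MetaMask code), the check below flags history entries whose address resembles a trusted one without being it. It assumes the common form of the attack: a look-alike address that shares the leading and trailing characters a wallet UI typically displays, planted in the victim's history so it gets copied by mistake. The addresses, transactions and function names (normalize, looksAlike, findPoisonedEntries, verifyRecipient) are all constructed for the example.

```javascript
// Added example, not MetaMask code. All addresses below are constructed, not real.

// Lower-case, strip the 0x prefix, and insist on exactly 20 bytes of hex.
function normalize(addr) {
  const a = String(addr).toLowerCase().replace(/^0x/, '');
  if (!/^[0-9a-f]{40}$/.test(a)) throw new Error(`not a 20-byte hex address: ${addr}`);
  return a;
}

// True when `candidate` shares the visible prefix and suffix with `trusted` but differs.
// prefixLen/suffixLen model how many characters a UI shows on each side of the ellipsis.
function looksAlike(trusted, candidate, prefixLen = 4, suffixLen = 4) {
  const t = normalize(trusted);
  const c = normalize(candidate);
  if (t === c) return false; // same address, just different casing: fine
  return t.slice(0, prefixLen) === c.slice(0, prefixLen) &&
         t.slice(-suffixLen) === c.slice(-suffixLen);
}

// Scan a transaction history for counterparties that mimic a trusted address.
function findPoisonedEntries(trusted, history) {
  const flagged = [];
  for (const entry of history) {
    for (const addr of trusted) {
      if (looksAlike(addr, entry.counterparty)) flagged.push({ ...entry, resembles: addr });
    }
  }
  return flagged;
}

// Before sending: the only acceptable match against the address book is an exact one.
function verifyRecipient(trusted, recipient) {
  const r = normalize(recipient);
  if (trusted.some((t) => normalize(t) === r)) return 'exact';
  if (trusted.some((t) => looksAlike(t, recipient))) return 'lookalike';
  return 'unknown';
}

// Constructed sample data.
const TRUSTED = ['0x1234' + '0'.repeat(32) + '5678'];
const LOOKALIKE = '0x1234' + 'f'.repeat(32) + '5678'; // same first/last 4 chars, different middle
const HISTORY = [
  { hash: 'tx-1', counterparty: TRUSTED[0], value: '1.0' },
  { hash: 'tx-2', counterparty: LOOKALIKE, value: '0.0' },     // zero-value "dust" from the look-alike
  { hash: 'tx-3', counterparty: '0xabcd' + '0'.repeat(32) + 'ef01', value: '2.0' },
];
```

The defensive habit the check encodes is simple: never treat a shared prefix and suffix as a match, and never copy a recipient from history when an address book entry exists.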
Deep Dive on Read-Only Reentrancy
Check out this well-thought-out Twitter thread on an attack vector that Solidity devs need to be aware of. We see you, @bytes032!
Allow me to unveil the enigmatic concept of read-only-reentrancy.
— bytes032 (@bytes032) January 20, 2023
Recently, a new exploit utilizing this vulnerability came to light, spurring me to dedicate the last 48 hours to curating an enlightening 🧵 for the benefit of the entire community to grasp its nuances.
We look forward to seeing more from participants in the new Web3Security DAO, like @bytes032. The DAO’s stated mission is to “...empower individuals to excel in the field of web3 security by fostering a supportive and collaborative learning environment…”
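The thread is the place for the full details; as an added example that is not from the thread, MetaMask, or any real protocol, here is a deliberately simplified JavaScript model of the pattern read-only reentrancy is usually described by: a pool makes an external call (paying out) before it finishes updating its own state, and a second contract reads the pool's view function during that call and gets an inconsistent value. The Pool, Lender and ObservingReceiver classes, the numbers, and the guard in virtualPriceGuarded are all assumptions of this model, not code from the thread.

```javascript
// Added example, not from the thread. Objects stand in for contracts; a method
// call on another object stands in for an external call.

class Pool {
  constructor(reserve, supply) {
    this.reserve = reserve;  // underlying asset held by the pool
    this.supply = supply;    // LP tokens outstanding
    this.locked = false;     // reentrancy lock on state-changing functions
  }

  // Burn `lpAmount` LP tokens for a pro-rata share of the reserve. The payout
  // (external call) happens BEFORE supply is reduced, so reserve and supply
  // disagree while the receiver's code runs. A throw inside the callback
  // restores the snapshot, modelling a transaction revert.
  removeLiquidity(lpAmount, receiver) {
    if (this.locked) throw new Error('reentrant call');
    const snapshot = { reserve: this.reserve, supply: this.supply };
    this.locked = true;
    try {
      const payout = (this.reserve * lpAmount) / this.supply;
      this.reserve -= payout;
      receiver.onReceive(payout, this); // external call with stale supply
      this.supply -= lpAmount;
    } catch (e) {
      Object.assign(this, snapshot);    // revert
      throw e;
    } finally {
      this.locked = false;
    }
  }

  // Vulnerable view: reserve per LP token, answered even mid-update.
  virtualPrice() { return this.reserve / this.supply; }

  // Hardened view: refuse to answer while a state change is in flight.
  virtualPriceGuarded() {
    if (this.locked) throw new Error('pool is mid-update; price unavailable');
    return this.virtualPrice();
  }
}

// A lender that values LP-token collateral off the pool's view function.
class Lender {
  constructor(pool, priceFn) { this.pool = pool; this.priceFn = priceFn; }
  collateralValue(lpTokens) { return lpTokens * this.priceFn.call(this.pool); }
}

// Receiver whose payout callback asks the lender for a valuation.
class ObservingReceiver {
  constructor(lender, lpTokens) { this.lender = lender; this.lpTokens = lpTokens; this.observed = null; }
  onReceive() { this.observed = this.lender.collateralValue(this.lpTokens); }
}

// Run the sequence once with the vulnerable view and once with the guarded one.
function simulate(guarded) {
  const pool = new Pool(1000, 1000); // 1 unit of reserve per LP token
  const lender = new Lender(pool, guarded ? pool.virtualPriceGuarded : pool.virtualPrice);
  const before = lender.collateralValue(100);
  const receiver = new ObservingReceiver(lender, 100);
  let error = null;
  try { pool.removeLiquidity(500, receiver); } catch (e) { error = e.message; }
  const after = lender.collateralValue(100);
  return { before, during: receiver.observed, after, error };
}
```

With the vulnerable view the valuation read during the callback is half the true value, while before and after the call it is correct, which is why the problem is invisible to tests that only check state between transactions. The guard makes the view itself refuse to answer while the pool's lock is held, so a consumer that reads mid-update fails loudly instead of acting on the wrong number.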
Tales of Caution
Friendly reminder from our friends at Wallet Guard - be careful with downloads.
This was fixed on Nov 29th in Chrome 108.
— Wallet Guard (@wallet_guard) January 15, 2023
This vulnerability also required a user to visit a fake crypto wallet website to then "download" their recovery phrase. This would then allow them to take advantage of Symbolic Link files.
Simply put, don't download random files. pic.twitter.com/pTjv3YmDXk
And for you gamers out there:
After the malvertising crypto ads campaigns, I think we'll see a resurgence of RATs
— harry.eth 🦊💙 (whg.eth) (@sniko_) January 17, 2023
"I'm a rep of this metaverse game, can you test it for us please, we'll give you free tokens for the game.
[download game_client.exe]"
Then after that, defi phishing to steal tokens