MetaMask Security Monthly: January 2023

Happy new year! Kick it off right by staying vigilant. This month, we’re looking at address poisoning attacks and read-only reentrancy. And of course, the latest update from the MetaMask Security Laboratory…

by LukerFebruary 3, 2023
security feature

Security Laboratory

Screenshot 2023-02-03 at 1.58.06 PM Scientist at a fast neutron chopper at the Brookhaven Graphite Research Reactor (BGRR), 1953


  • New features in @lavamoat/viz - now you can explore your dependencies in VR
  • Scuttling globals has been introduced into MetaMask extension development branch. MetaMask will soon ship with most powerful functionality removed from window of the extension UI by default. As a result, even if a malicious React component could find a way to reach window, the powerful functions would already be gone.
  • @lavamoat/snow security tool for realms now supports all major browsers in its latest release. By relying on the new version, MetaMask now has full visibility to all realms on both Chrome and Firefox.
  • Introducing @lavamoat/lavatube - a new tool in the LavaMoat toolbox allowing you to recursively visit every property of every value accessible from any given starting reference. In our research team we already use LavaTube to identify dangerous leakages made by objects and APIs we are trying to defend in our apps!


  • Final review of the first iteration of LavaMoat-style policy support is in progress. Minor features need to be added after that for full feature parity with LavaMoat policies, but no breaking changes are planned.
  • An early implementation of a secure bundler which controls scopes without relying on eval is also in review.

💀 Address Poisoning 💀

Can you spot the difference between these two addresses?

Screenshot 2023-02-03 at 2.01.37 PM

No? That’s what the scammers are counting on! There are a lot of letters and numbers in these hexadecimal addresses. Read more about how to avoid falling for the address poisoning that has been on the rise.

Deep Dive on Read-Only Reentrancy

Check out this well-thought-out Twitter thread on an attack vector that Solidity devs need to be aware of. We see you, @bytes032!

We look forward to seeing more from the new Web3Security DAO’s participants, like @bytes032, which has a state mission to “...empower individuals to excel in the field of web3 security by fostering a supportive and collaborative learning environment…”

Tales of Caution

Friendly reminder from our friends at Wallet Guard - be careful with downloads.

And for you gamers out there:

Receive our Newsletter