MetaMask Security Monthly: January 2023
Happy new year! Kick it off right by staying vigilant. This month, we’re looking at address poisoning attacks and read-only reentrancy. And of course, the latest update from the MetaMask Security Laboratory…
Scientist at a fast neutron chopper at the Brookhaven Graphite Research Reactor (BGRR), 1953
- New features in
@lavamoat/viz- now you can explore your dependencies in VR
- Scuttling globals has been introduced into MetaMask extension development branch. MetaMask will soon ship with most powerful functionality removed from
windowof the extension UI by default. As a result, even if a malicious React component could find a way to reach
window, the powerful functions would already be gone.
@lavamoat/snowsecurity tool for realms now supports all major browsers in its latest release. By relying on the new version, MetaMask now has full visibility to all realms on both Chrome and Firefox.
@lavamoat/lavatube- a new tool in the LavaMoat toolbox allowing you to recursively visit every property of every value accessible from any given starting reference. In our research team we already use LavaTube to identify dangerous leakages made by objects and APIs we are trying to defend in our apps!
- Final review of the first iteration of LavaMoat-style policy support is in progress. Minor features need to be added after that for full feature parity with LavaMoat policies, but no breaking changes are planned.
- An early implementation of a secure bundler which controls scopes without relying on
evalis also in review.
💀 Address Poisoning 💀
Can you spot the difference between these two addresses?
No? That’s what the scammers are counting on! There are a lot of letters and numbers in these hexadecimal addresses. Read more about how to avoid falling for the address poisoning that has been on the rise.
Deep Dive on Read-Only Reentrancy
Check out this well-thought-out Twitter thread on an attack vector that Solidity devs need to be aware of. We see you, @bytes032!
Allow me to unveil the enigmatic concept of read-only-reentrancy.— bytes032 (@bytes032) January 20, 2023
Recently, a new exploit utilizing this vulnerability came to light, spurring me to dedicate the last 48 hours to curating an enlightening 🧵 for the benefit of the entire community to grasp its nuances.
We look forward to seeing more from the new Web3Security DAO’s participants, like @bytes032, which has a state mission to “...empower individuals to excel in the field of web3 security by fostering a supportive and collaborative learning environment…”
Tales of Caution
Friendly reminder from our friends at Wallet Guard - be careful with downloads.
This was fixed on Nov 29th in Chrome 108.— Wallet Guard (@wallet_guard) January 15, 2023
This vulnerability also required a user to visit a fake crypto wallet website to then "download" their recovery phrase. This would then allow them to take advantage of Symbolic Link files.
Simply put, don't download random files. pic.twitter.com/pTjv3YmDXk
And for you gamers out there:
After the malvertising crypto ads campaigns, I think we'll see a resurgence of RATs— harry.eth 🦊💙 (whg.eth) (@sniko_) January 17, 2023
"I'm a rep of this metaverse game, can you test it for us please, we'll give you free tokens for the game.
Then after that, defi phishing to steal tokens
Keep reading our latest stories
releases, security news, and more