MetaMask Security Monthly: July 2023

This month we take an extensive look at pig butchering and mining scams, a new fake approvals scam, and npm malware that targets people who work in the crypto space.

by Luker, July 31, 2023
security feature

This month we take an extensive look at pig butchering and mining scams, a new fake approvals scam, and npm malware that targets people who work in the crypto space. Plus, a presentation on Menpo at DeFi Security Summit and more updates on LavaMoat, including a thread continuation on X (formerly Twitter).


Josephine Jue, mathematician and aerospace technologist for NASA

🎙️ MetaMask in the Security Ecosystem 🔎


Herman Junge on Menpo at DeFi Security Summit, 2023

Menpo is a project the MetaMask security team is working on to standardize the cataloging of DeFi incidents using STIX 2.1. The brainchild of Herman, this initiative promotes cross-organizational collaboration among security analysts and researchers in the interest of enriching the threat intelligence landscape.

Gal Weizman Shares Scuttling and Snow With the World

Continuing the thread from last month’s blog, Gal completes his three-part X (formerly Twitter) series on how Scuttling and Snow by LavaMoat beef up MetaMask’s supply chain security - and can do the same for your app!

Taylor Monahan’s Dune Dashboard on USDT Approval Mining, Liquidity Mining & Shāz Hū Pán (“Pig Butchering”)

Scams in which bad actors use long cons in order to lure victims into a false sense of security with the promise of investment returns are on the rise. These catfishing schemes, which frequently involve a romantic angle, originated in China and have been dubbed shāz hū pán, or "pig butchering," because the perpetrator will "fatten" up the target, stringing them along before the slaughter.

Taylor put together a comprehensive overview in a Dune dashboard that “attempts to capture the magnitude of these scams via hard data pulled directly from the blockchain and people's stories, told in their own words.”

From the dashboard: “These scammers are onboarding more people to crypto than any legitimate crypto organization. All in order to steal their money.” It’s a fascinating albeit sad and scary read.

More on Mining Scams


Fake “Mining” Scams: a Familiar Foe in a New Disguise

This Consensys blog article by Joel Willmore breaks down how you can recognize these scams, how they work, and what you can do to stay safe, particularly by understanding and safeguarding token approvals. It includes another Dune dashboard by MetaMask’s Harry Denley that displays

Fake 'Mining' Voucher Scams MetaMask Support Article

If you’re short on time, this article is a more concise look at mining scams.

Security Laboratory


LavaMoat Update

  • Zibi will be leading a Defensive Coding workshop for DefCon AppSec Village. No spoilers yet. Join us there!
  • ScorchWrap webpack plugin now uses @lavamoat/aa to identify packages in dependencies and enforce policy on importing them. Further work on webpack-emulated builtins (like buffer or crypto) is necessary.
  • We made an attempt to support Snow with some Content Security Policy recommendations. The effectiveness of CSP on iframe srcdoc was underwhelming. Next steps include limiting the features of DOM APIs that take text strings as input to provide better security at the cost of some dated frontend engineering practices not being supported.
  • Contributed to conversations about introducing more explicit scheme handling to EIP-4361 and came up with the algorithm recommendation https://eips.ethereum.org/EIPS/eip-4361#verifying-the-request-origin
  • Finally merged the exitModules hook in Endo https://github.com/endojs/endo/pull/1507

Tales of Caution


Revoke.cash highlighted a new fake approvals scam that involves airdropped “gas tokens” that trick users into thinking they have suspicious transaction approvals that need to be revoked. “But the scammers programmed these fake tokens so that it mints a lot of gas tokens during a revoke transaction. These gas tokens are then sent to the scammers, who can sell them. This is scary because your wallet popup will not show that you're sending funds, just a high fee,” according to Revoke.cash. In response, the Revoke.cash extension has added a “check that disables revoking approvals if there's an excessive gas fee.” Their recommended best course of action is to ignore unexpected transactions with very high gas fees.
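An added example, not Revoke.cash’s or MetaMask’s own code, of the kind of pre-flight check described above: it decodes the raw calldata to confirm the transaction really is approve(spender, 0) and refuses it when the node’s gas estimate is far above what a plain ERC-20 approve costs. The 46,000-gas baseline and the 3x ceiling are assumed values, and the sample calldata is constructed.

```javascript
// Pre-flight check for an ERC-20 revoke. A genuine revoke is approve(spender, 0)
// and costs about the same as any approve; a "gas token" that mints during the
// revoke inflates the estimate, which is the signal this check keys on.

const APPROVE_SELECTOR = "095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const BASELINE_APPROVE_GAS = 46000n; // assumed: typical cost of a plain ERC-20 approve
const MAX_MULTIPLIER = 3n;           // assumed ceiling: refuse above 3x the baseline

// Decode calldata for approve(address,uint256); returns {spender, amount} or null.
function decodeApprove(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  // selector (8 hex) + address word (64 hex) + amount word (64 hex)
  if (hex.length !== 136 || hex.slice(0, 8) !== APPROVE_SELECTOR) return null;
  const spenderWord = hex.slice(8, 72);
  // The upper 12 bytes of an ABI-encoded address must be zero padding.
  if (!/^0{24}[0-9a-f]{40}$/.test(spenderWord)) return null;
  return {
    spender: "0x" + spenderWord.slice(24),
    amount: BigInt("0x" + hex.slice(72, 136)),
  };
}

// Decide whether to let a pending revoke through. `estimatedGas` is the
// eth_estimateGas result for the transaction, as a BigInt.
function checkRevoke(calldata, estimatedGas) {
  const call = decodeApprove(calldata);
  if (call === null) return { allow: false, reason: "not an approve() call" };
  if (call.amount !== 0n) {
    return { allow: false, reason: "approve amount is non-zero; not a revoke" };
  }
  const ceiling = BASELINE_APPROVE_GAS * MAX_MULTIPLIER;
  if (estimatedGas > ceiling) {
    return {
      allow: false,
      reason: `gas estimate ${estimatedGas} exceeds ${ceiling}; token may mint on revoke`,
    };
  }
  return { allow: true, reason: "normal revoke" };
}

// Constructed sample calldata: approve(0x1111...1111, 0)
const SAMPLE_REVOKE =
  "0x095ea7b3" + "0".repeat(24) + "11".repeat(20) + "0".repeat(64);

console.log(checkRevoke(SAMPLE_REVOKE, 45000n));  // allow: true
console.log(checkRevoke(SAMPLE_REVOKE, 900000n)); // allow: false, excessive gas
```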

From Socket: Social engineering campaign targeting tech employees spreading through npm malware. “The Lazarus Group launched a sophisticated social engineering campaign targeting developers in the cryptocurrency and cybersecurity sectors, using compromised accounts and malware-laden NPM packages.” This article dives into an explanation of how the attack chain works, ways to protect yourself, and a list of known malicious npm packages.

Immunefi’s Top 10 Most Common Vulnerabilities In Web3

“In this article, we will explore the top ten most common smart contract vulnerabilities that developers and auditors should be aware of in order to build secure and robust smart contracts.”

Friendly reminder from Taylor on RugRadio on why users should get hardware wallets, the low-tech best practice of storing your secret recovery phrase on paper, and decentralizing your funds storage.

Some Good News and Some Bad News


Crypto Crime Mid-year Update from Chainalysis

The tl;dr is that crypto-related crime is down by 65%, but targeted ransomware is trending upwards.
