MetaMask Security Monthly: March 2023

If you had to take away just one lesson from March, it would be to remain cautious about airdrops. They have been an integral part of our ecosystem’s culture, but that means they also attract scammers.

by Luker, April 5, 2023
security feature

Security Laboratory


[Image] Faith Lillibridge at the NORC console, fifth floor, Columbia University Watson Lab, 1954.

Endo


  • Our attempts to plug into webpack's transforms without disturbing the original import/export statements have been unsuccessful; the only route we found would be to take webpack apart and reuse some of its pieces as the framework for a bundler of our own. We have decided to halt that effort and look for a simpler solution, so we are now experimenting with a new approach in LavaMoat (see below).
  • The latest update to Endo's compartment-mapper adds exitModuleImportHook, which lets exit modules (modules such as Node.js built-ins that are resolved outside the compartment graph) be imported dynamically instead of requiring users to supply a pre-built list. This is the last significant feature compartment-mapper needed in order to serve as the backend for lavamoat-node.
  • The Endo SES whitelist received a minor update for React Native Android JSC in https://github.com/endojs/endo/pull/1511, closing an old issue (https://github.com/endojs/endo/issues/660, more recently tracked in https://github.com/LavaMoat/docs/issues/16); the underlying JSC behaviour is being looked into further in https://github.com/react-native-community/jsc-android-buildscripts/issues/181.

LavaMoat


  • We are exploring an alternative route to secure bundling: a webpack loader that performs the compartmentalization, with the required runtime added afterwards. This leaves the layers above the loaders untouched, so most features, tree shaking included, keep working as before. The main risk to the approach is that custom plugins may alter the code in ways we cannot anticipate.
  • The scuttling security feature, introduced a while ago (#360), can now be applied to every potential same-origin child realm in the browser (e.g. iframes) by combining the experimental "scuttleGlobalThis" option with Snow (progress in #462).
  • React Native support has been revived, starting (again) with Endo SES lockdown integration (originally against RN v0.66.5, now against RN v0.71.4), and integration into the MetaMask mobile app is underway. Progress tracking epic: https://github.com/LavaMoat/docs/issues/12
  • A minor update to the LavaMoat Browserify examples can be viewed in https://github.com/LavaMoat/LavaMoat/pull/476

🗣️ Talks! 🎙️


Better Dapps with Delegatable by Dan Finlay

Dan made his debut appearance at EthDenver by sharing his vision for how delegating can make building dapps safer and easier!

“There are a lot of people claiming airdrops and then getting all their money taken. That's been kind of a repeating pattern … Delegatable lets you do anything you can do on a contract to another account. It's got an open-ended caveat system so you can attenuate the ability you're sharing in any way you want. And that can let you keep hot wallets cooler by limiting what they can do while allowing them to still do stuff on chain.”


JS Realms, Security Blank Spot by Gal Weizman

Join Gal as he discusses the growing danger of supply chain attacks that arrive through dependencies, and how Snow JS can help cover your back!

Topics include:

  • Evolution of the web
  • The importance of security and visibility
  • Third-party solutions
  • JavaScript Realms
  • Snow JS

Watch out for airdrop scams!


There has been a lot of dubious activity around airdrops recently. MetaMask published an article in February about the dangers of rugpulls and airdrops, and we would like to remind you that, as exciting as "free money" sounds, bad actors have a number of ways to turn the practice to their advantage.

Always make sure you are getting your information from the source. When unfounded rumors began circulating on social media that MetaMask would take a snapshot and/or do an airdrop on March 31, we alerted the community. Go to the source and be skeptical of internet strangers claiming to have "insider information."


Days before the Arbitrum airdrop, @ArkhamIntel announced that around 2,400 wallets had been targeted in anticipation of the event. In the aftermath, Coinbase covered just how many things can go wrong in their piece Arbitrum Shows Just How Messy (and Tricky) Crypto Airdrops Can Be.


Other stories about airdrop scams that occurred just in March include Polkadot, ShibaInu, and OpenAI DEFI (GPT-4).

Tales of Caution




Function Signatures - Known Malicious


And finally, you can view a basic rundown of how many Monkey Drainer/Venom Drainer "Security Updates" contracts have been deployed, the victim count, and the total ETH and USD taken, both daily and overall. Refresh the queries for current numbers. Brought to you by BlockmageAlchemyst.
