MetaMask Security Monthly: March 2024

Lots of exciting activity from ETHDenver and some new snaps additions are covered in this month’s installment. Plus, the recording of this quarter’s State of Security X Space is now available.

by Luker, April 1, 2024

Biologist and cytologist Kono Yasui, who in 1927 became the first Japanese woman to receive a doctorate in science.

🦊 What We’ve Been Up To 🦊

Snaps Stories


If you haven’t already, we invite you to try out the [Account Management Snaps](https://support.metamask.io/hc/en-us/articles/20069338322075-What-are-Account-Management-Snaps) open beta, featuring snaps created by Capsule, Safeheron, and Silent Shard.

While the Snaps open beta that began several months ago included a variety of security snaps, we have a newly added transaction simulation snap from DeFi Armor. Warnings are issued when a transaction fails DeFi Armor's curated and customizable security policy, along with a detailed explanation of what went wrong.

Happy Harpie’s ETHDenver hackathon project is a signature insight snap that decodes signatures and runs all addresses detected in signature payloads through Harpie to warn the user about malicious addresses. It also decodes Seaport NFT listing signatures and warns the user if the listing price is significantly below floor price. Signature insights will be available in MetaMask Flask (experimental developer playground) soon and in the stable extension in early Q2.
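
The address-extraction step of such a signature check can be sketched as follows. This is an added example, not code from the Harpie snap or from MetaMask: it walks an EIP-712 typed-data payload, collects every `address` field (including nested structs and arrays), and flags matches. `DENYLIST` is a constructed stand-in for the Harpie lookup, and the sample payload and its addresses are constructed.

```javascript
// Added example. DENYLIST is a constructed stand-in for a reputation lookup.
const DENYLIST = new Set(['0x000000000000000000000000000000000000dead']);
// "address[]" or "Recipient[2]" -> element type name.
const baseType = (t) => t.replace(/(\[\d*\])+$/, '');
// Walk a value according to its EIP-712 type and record every address field.
function collectAddresses(types, typeName, value, path, out = []) {
  if (value === null || value === undefined) return out;
  if (Array.isArray(value)) {
    value.forEach((v, i) => collectAddresses(types, typeName, v, `${path}[${i}]`, out));
    return out;
  }
  const t = baseType(typeName);
  if (t === 'address') {
    if (typeof value === 'string' && /^0x[0-9a-fA-F]{40}$/.test(value)) {
      out.push({ path, address: value.toLowerCase() });
    }
    return out;
  }
  const fields = types[t];
  if (!fields || typeof value !== 'object') return out; // atomic, non-address type
  for (const { name, type } of fields) {
    collectAddresses(types, type, value[name], `${path}.${name}`, out);
  }
  return out;
}
// Return the denylisted addresses found in the domain and the message.
function inspectTypedData({ types, primaryType, domain, message }) {
  const found = collectAddresses(types, 'EIP712Domain', domain, 'domain');
  collectAddresses(types, primaryType, message, 'message', found);
  return found.filter(({ address }) => DENYLIST.has(address));
}
// Constructed sample payload (not a real order or real counterparties).
const SAMPLE = {
  types: {
    EIP712Domain: [{ name: 'name', type: 'string' }, { name: 'verifyingContract', type: 'address' }],
    Recipient: [{ name: 'wallet', type: 'address' }, { name: 'amount', type: 'uint256' }],
    Order: [{ name: 'offerer', type: 'address' }, { name: 'recipients', type: 'Recipient[]' }],
  },
  primaryType: 'Order',
  domain: { name: 'Example', verifyingContract: '0x1111111111111111111111111111111111111111' },
  message: {
    offerer: '0x2222222222222222222222222222222222222222',
    recipients: [
      { wallet: '0x3333333333333333333333333333333333333333', amount: '1' },
      { wallet: '0x000000000000000000000000000000000000dEaD', amount: '99' },
    ],
  },
};
console.log(inspectTypedData(SAMPLE));
```

Walking the payload by its declared types, rather than pattern-matching the raw JSON, means an address hidden in a nested array is still reported with the exact field path a warning can show the user.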

🎙️ MetaMask in the Security Ecosystem 🔎

MetaMask Security Spotlight at ETHDenver


MetaMask held a security spotlight event this month in Denver, joined by some of our friends from Alterya, Blockaid, Chain Patrol, Forta, Hexagate, Hypernative, Karma3 Labs, Paradigm, and Wallet Guard. A huge thank you to everyone who participated. Video recordings are now available to everyone!

MetaMask + WalletGuard State of Security X Event


This quarter’s X (FKA Twitter) event was co-hosted by Ian Wallis, Ohm Shah, and Michael K. Topics included:

  • Future-Proofing
  • Current & Future AI Threats
  • Latest Social Engineering & Phishing Techniques
  • Airdrops, Farming & Associated Risks
  • Special edition coverage of ETHDenver security discussions

If you missed it, you can catch the recording here.

Blockfence's Blockchain Security Series ft. Taylor Monahan


Taylor joins Blockfence's Head of Security Research, Pablo Sabbatella, to discuss the importance of builders protecting their users, love for white hat hackers, and details about a chain of attacks on older wallets that occurred last April. Hint: don't store your secret recovery phrase in a password manager. Additionally, Taylor and Pablo encourage you to do one small thing every day to make yourself more secure.
 

⚠️ Tales of Caution ⚠️

Inferno Drainer Compromised for $2.5M



Summary

On March 18, Inferno Drainer was compromised for $2.5M, with funds diverted to 0x61640ff8B9D3C3726F1bF02319671061d9d61E1F. Security researcher ZachXBT shared a leaked message from an Inferno Drainer customer group chat. It notified customers that the attacker had updated all customer addresses to the attacker's address. This means that customers who carried out a successful phishing attack on March 18 had the stolen funds redirected to the attacker's address instead of their own.

How Users Can Protect Themselves

Although this was related to an off-chain compromise, the original $2.5M came from victims of phishing attacks. Users must exercise caution when clicking on links shared on social media platforms, as even accounts perceived as trustworthy have fallen victim to hacks, resulting in significant losses of funds. It is also highly recommended to keep substantial funds in hardware wallets, while wallets used for daily transactions should contain only minimal assets. Taking these steps can help safeguard against the loss of the majority, if not all, of your cryptocurrency holdings. Using different accounts for different transactions based on the level of risk can also limit potential damage.

FTX and BlockFi users targeted in Email Phishing Campaign



Summary

FTX and BlockFi users lost more than US$7 million on the Ethereum mainnet the week of March 18 as they were targeted in a phishing campaign. The specific threat actor, 0x6C0e83422cD73fFD3A5EC4506638F6A0A8e22b38, used the popular drainer-as-a-service (DaaS) Pink Drainer to conduct the on-chain portion of the scheme. Many users signed a malicious signature request or interacted with a malicious contract, resulting in their wallets being drained of crypto assets. It’s reported that the email list used in this campaign likely came from the MailerLite compromise.

How Users Can Protect Themselves

Users must exercise caution when receiving emails asking them to connect their wallets and sign transactions. To avoid being scammed by impersonators, it is recommended that users check official communications from the organization. A simple search on BlockFi’s and FTX’s websites would have revealed that there was no official announcement allowing users to withdraw funds. Taking these steps can help safeguard against the loss of the majority, if not all, of your cryptocurrency holdings.

Curio’s MakerDAO-Based Contract Exploited for $16M


Summary

On the weekend of March 23rd, Curio Ecosystem broke the news that their MakerDAO-based smart contracts on Ethereum were exploited. This resulted in a total loss of over $16M in crypto assets. All contracts on Polkadot and the Curio Chain itself remained secure. Curio recently posted its recovery strategy roadmap, highlighting that 100% of funds will be restored to users.

How Users Can Protect Themselves

Everyone who held Curio’s governance token was impacted. Unfortunately, this is a scenario where users could not have protected themselves from the attack, as it involved a vulnerability within Curio’s smart contracts. For those of you who are protocol developers, you can help prevent these attacks by ensuring your smart contracts are thoroughly audited. It's a best practice to have your smart contracts audited continuously with new releases. After completing an audit, projects should participate in a bug bounty program to incentivize researchers to find vulnerabilities in their contracts before threat actors do.
