MetaMask Security Monthly: May 2022
This has been a big month, security-wise, at MetaMask; we’ll give you as much information as we can here, but watch this space for more updates that are in the pipeline.
News
Asset Reality
While recently announced by our parent company, ConsenSys, and Asset Reality themselves, we are so happy to tell you all in this monthly report that we, MetaMask, have partnered with Asset Reality. Their firm is a leading solution for recovering, managing, and accessing seized crypto and complex assets.
If you believe you were a victim of cryptocurrency fraud, you can visit this link to initiate a Funds Loss Investigation.
As per tradition, it is always good advice to be up to date on the fundamentals of Safety and Security regarding MetaMask.
HackerOne about to be launched
We are about to launch our Bug Bounty Program on HackerOne. Soon. This June.
Stay Tuned.
Research
Endo ecosystem compatibility
With April’s progress, our end-to-end test results began showing that the biggest culprits preventing popular modules from running are in import.meta.url and __dirname support.
- A meeting between Agoric, MetaMask and Moddable resulted in an agreement on when in the module import process import.meta should be processed.
- The importMetaHook concept was introduced to the Compartment specification.
- importMetaHook will only be called if static analysis indicates the module is accessing import.meta. This is because node.js puts a resolve function there, but its creation is expensive. Therefore, it is best to only invoke the hook if its results may be used.
- The implementation of import.meta is complete. What remains is implementing the passing of import.meta.url into modules in Endo by default.
- The implementation of __dirname is complete, following many iterations to ensure correctness and Windows paths support.
import.meta issue with specs: https://github.com/endojs/endo/issues/291
import.meta implementation PR: https://github.com/endojs/endo/pull/1141
__dirname implementation PR: https://github.com/endojs/endo/pull/1155
If a package is a mix of CommonJS and ES modules, a package.json placed in a nested folder can change the default assumption about module type for *.js files. Support for this needed to be added to Endo so that compartment-mapper wouldn’t choke on packages with complicated structures intended to support both module specifications.
Source code: https://github.com/endojs/endo/pull/1134
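The lookup described above, as an added example (not Endo's or compartment-mapper's code): it models the Node.js rule that the nearest package.json decides how a *.js file is parsed. The package layout, file names and the moduleTypeFor helper are constructed for illustration.

```javascript
// Constructed in-memory package: ES modules at the root, a CommonJS build
// in dist/cjs, and a vendored folder whose manifest has no "type" field.
const files = {
  '/pkg/package.json': JSON.stringify({ name: 'dual-pkg', type: 'module' }),
  '/pkg/src/index.js': 'export const x = 1;',
  '/pkg/dist/cjs/package.json': JSON.stringify({ type: 'commonjs' }),
  '/pkg/dist/cjs/index.js': 'exports.x = 1;',
  '/pkg/dist/cjs/helper.mjs': 'export const y = 2;',
  '/pkg/vendor/package.json': JSON.stringify({ name: 'no-type-field' }),
  '/pkg/vendor/legacy.js': 'module.exports = {};',
};

// Parent directory of a POSIX-style absolute path ('/' is its own parent).
const dirname = (p) => p.slice(0, p.lastIndexOf('/')) || '/';

// Returns 'module' or 'commonjs' for a file in the virtual file map `fs`.
function moduleTypeFor(file, fs = files) {
  const ext = file.slice(file.lastIndexOf('.'));
  // .mjs and .cjs are explicit and never consult package.json.
  if (ext === '.mjs') return 'module';
  if (ext === '.cjs') return 'commonjs';
  if (ext !== '.js') throw new Error(`unsupported extension: ${ext}`);

  let dir = dirname(file);
  for (;;) {
    const manifestPath = dir === '/' ? '/package.json' : `${dir}/package.json`;
    const manifest = fs[manifestPath];
    if (manifest !== undefined) {
      // The nearest manifest wins and the search stops here: a nested
      // package.json without "type" does NOT inherit the outer package's
      // "type". (Syntax detection in newer Node versions is not modelled.)
      return JSON.parse(manifest).type === 'module' ? 'module' : 'commonjs';
    }
    if (dir === '/') return 'commonjs'; // no manifest anywhere: default
    dir = dirname(dir);
  }
}

// Classify every source file in the constructed package.
function classifyAll(fs = files) {
  const result = {};
  for (const name of Object.keys(fs)) {
    if (!name.endsWith('/package.json')) result[name] = moduleTypeFor(name, fs);
  }
  return result;
}
```

The vendor/legacy.js case is the one a single root-level lookup gets wrong: it sits inside an ES module package but must be loaded as CommonJS.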
__esModule behavior support is on hold because two attempts at implementing it to date both resulted in worse scores in end-to-end tests. Another attempt would be to put the support logic in ThirdPartyModuleInstance inside SES, which is controversial. The feature was put on hold for now.
Issue with history: https://github.com/endojs/endo/issues/927
Distributed Key Generation as a MetaMask snap in ECDSA-WASM
Progress has been made on MPC capabilities. We have taken the earlier PoC WebAssembly (WASM) bindings and created a prototype snap, usable in MetaMask Flask, which demonstrates DKG and message signing. It supports exporting and importing key shares in addition to key generation and saving proofs for message signing.
Under the hood, the package leverages an implementation of GG2020 (Gennaro and Goldfeder 2020, https://eprint.iacr.org/2020/540.pdf), a protocol with a non-interactive online phase that lets players participate asynchronously, without needing to be online simultaneously, and that allows the efficient detection of aborting parties.
The next steps are to make some improvements to the snap code; in particular, adding encryption support for snap_manageState so we don’t have to manage encryption of the key shares in the Snap code itself. Subsequently, we will be adding support for signing transactions.
Source code: https://github.com/LavaMoat/ecdsa-wasm
Join the Security Team!
The MetaMask Security Team is looking for Application Security Engineers.
What’s the Plan?
We are hardening our capacity for Incident Response. That is: When somebody finds and tells us about a vulnerability in one of our products, the Incident Response Team assesses the threat and risk, quickly investigates, and engages in resolving the issue. Additionally, the proactive side to this role is Threat Modeling, where we sit down and formalise trust boundaries, and how the MetaMask products and libraries comply with the information security CIA Triad (C, I, and A, respectively) and the AAA Framework.
What are we looking for?
Threat Modeling (Proactive):
Engineers seasoned in JavaScript and TypeScript, experienced in React Native, with a couple years’ experience in enterprise or startup environments. Team Players. Very fluent in Information Security conversation. Yes, that individual that ruminates on the security of their local supermarket, checks the security controls of their building where they live, and takes care of updating the software of all the devices at home.
Incident Response (Reactive):
We’re looking for people that can read an incident report, run the steps to reproduce the issue, and fix it. It’s that simple ;-)
Sounds interesting? Want in? Of course you want in!
So, these are the openings–take a look and apply: