MetaMask Security Monthly: May 2023
More from Taylor Monahan on the investigation started last month into a mysterious hack targeting long-time crypto users. Imitators who aren’t flattering us. And Zbigniew Tenerowicz takes the stage to discuss LavaMoat.
Ada Lovelace, considered the Mother of the Computer, 1815-1852
- Merged 27 individual pull requests with dependency updates across LavaMoat packages. Updated versions included fixes for known vulnerabilities.
- Minor releases with updated dependencies and fixes for Node.js 18 compatibility
- Continued work on the ScorchWrap webpack plugin, with progress on including the runtime into the bundle itself and findings about compatibility with other plugins.
- Continued work on locking down MetaMask mobile, and dealing with uncaught exceptions when debugging with Chrome V8 in the form of TypeErrors from libraries, including ethjs.
- Progress on “scuttling”: the feature that disables access to common globals for the entire window, as a backstop in case the endowments granted to a package were too wide.
- Improved cjs missing module error in compartment-mapper https://github.com/endojs/endo/pull/1580#pullrequestreview-1449297257
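To make the scuttling idea from the list above concrete, here is a small added illustration written for this newsletter; it is not LavaMoat’s implementation and the names `makeFakeGlobal`, `scuttle`, `probe` and `demo` are assumptions. Trusted setup captures the references it needs first (its endowments), then every remaining configurable global is replaced with an accessor that throws, so code that later reaches the global object finds nothing useful there. It runs against a constructed stand-in for `window` rather than the real `globalThis`, so it can be executed anywhere without breaking the environment it runs in.

```javascript
// Added example (not LavaMoat's code): a minimal illustration of "scuttling".
// The trusted bootstrap first captures the references it needs (its "endowments"),
// then every remaining configurable global is replaced with an accessor that throws,
// so code that later reaches the global object finds nothing useful on it.

// Constructed stand-in for `window`, so the demo never touches the real globalThis.
function makeFakeGlobal() {
  const g = {};
  const define = (name, value, configurable = true) =>
    Object.defineProperty(g, name, { value, writable: true, enumerable: true, configurable });
  define('fetch', () => 'network-response');
  define('localStorage', { getItem: () => 'secret' });
  define('console', { log: () => undefined });
  // Mimic a non-configurable global such as `undefined`, which cannot be redefined.
  define('undefined', undefined, false);
  return g;
}

// Replace every configurable own property of `globalObj` that is not in `allowlist`
// with getter/setter pairs that throw. Returns the names that were scuttled.
function scuttle(globalObj, allowlist, onAccess = () => {}) {
  const scuttled = [];
  for (const name of Object.getOwnPropertyNames(globalObj)) {
    if (allowlist.has(name)) continue;
    const desc = Object.getOwnPropertyDescriptor(globalObj, name);
    if (!desc.configurable) continue; // e.g. `undefined`, `NaN`: cannot be redefined
    Object.defineProperty(globalObj, name, {
      configurable: false,
      enumerable: desc.enumerable,
      get() { onAccess(name); throw new Error(`scuttled global "${name}" read`); },
      set() { onAccess(name); throw new Error(`scuttled global "${name}" written`); },
    });
    scuttled.push(name);
  }
  return scuttled;
}

// Try to read a global and report whether it succeeded, without letting the throw escape.
function probe(globalObj, name) {
  try {
    return { ok: true, value: globalObj[name] };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Walk through the sequence: endow, scuttle, then observe what later code can reach.
function demo() {
  const g = makeFakeGlobal();
  const accessed = [];
  // 1. Trusted setup captures an endowment before scuttling.
  const endowedFetch = g.fetch;
  // 2. Everything except `console` is locked down; blocked accesses are recorded.
  const scuttled = scuttle(g, new Set(['console']), (name) => accessed.push(name));
  // 3. Later (possibly untrusted) code tries to use the global object.
  return {
    scuttled: scuttled.sort(),
    endowmentStillWorks: endowedFetch(),
    consoleAllowed: probe(g, 'console').ok,
    fetchBlocked: !probe(g, 'fetch').ok,
    storageBlocked: !probe(g, 'localStorage').ok,
    attemptsLogged: accessed,
  };
}
```

The `onAccess` hook is the part a defender cares about in practice: a blocked read of a scuttled global is a signal that something reached the real global object without going through its endowments, which is worth logging rather than silently failing.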
🗣️ Talks! 🎙️
MetaMask’s Zbigniew, or ZB for short, gave a talk in April for Node Congress in Berlin, and the anticipated video has been posted!
Check out his talk here.
From The Defiant: Maker of first Ethereum Wallet Taylor Monahan Explains $10M Hack and How to Stay Safe in Crypto
In April, Taylor Monahan and Harry Denley from MetaMask began an investigation into a massive multichain offensive that targeted crypto veterans. Along with breaking down the hack and giving tips on how to protect yourself, Taylor explores the concepts of “code is law” and “blockchain is immutable.”
The group likely behind these attacks used an unusual system: they swapped the assets they were stealing within the victim’s wallet first, before sending them to a DEX. The method used to breach the security of 300 individuals who had their recovery phrases exposed remains unknown, and it is assumed that the attack was not typical phishing activity.
Additionally, Taylor summarizes the evolution and current state of offenses and counter-offenses in the space, as well as recommendations on how to be more secure, including using a hardware wallet and decentralizing your holdings by keeping them in multiple wallets.
Wallet Drain and Seedphrase Compromises
If your wallet does get drained, you don’t have to be a security research expert to try and figure out how. @Jon_HQ posted a thorough checklist on Twitter that can guide you through your own investigation.
Getting your wallet drained sucks, but getting drained and not knowing how is even worse.— Jon_HQ (@Jon_HQ) May 4, 2023
The following thread is a checklist of things to review if you get drained and can't figure out how.
This thread is best bookmarked and referred to later if you ever need it.
🔍 Imposters 🔎
A consumer alert from the Federal Trade Commission warned the public to be extra cautious about messages supposedly from services related to crypto. When dealing with any unsolicited email, avoid the urge to act quickly, regardless of what the email says. Creating a false sense of urgency is a standard scam tactic, because the scammers are counting on panic to override critical thinking.
Don’t click on any links from unsolicited emails, and update your security software regularly.
“If you get a phishing email, forward it to the Anti-Phishing Working Group at firstname.lastname@example.org. Then tell the FTC at ReportFraud.ftc.gov.”
Emails specifically from MetaMask impersonators can be forwarded to email@example.com.
Many websites, emails, and social media profiles imitate MetaMask, attempting to access your accounts and steal your funds. This knowledge base article outlines how you can tell them apart from the real thing, as well as how to make sure you’re using the proper support channel.