MetaMask Security Monthly: November 2022
More about LavaMoat, an argument for Snow JS, and a great chat on how MetaMask Snaps will be great for self custody!
[Image caption: Daphne Oram, at the BBC Radiophonic Workshop, 1958]
- November saw a lot of work on new features in LavaMoat.
- We’re rolling out Snow and globals scuttling, and applying them to the MetaMask extension. All LavaMoat users should now be able to use those.
- We’ve introduced a brand new quadruply backflipped version of SES into LavaMoat with some powerful updates. It will roll out in the upcoming release.
- One of the changes is domain taming in Node.js - it’s notable because some packages in the ecosystem still use this long-deprecated feature and it may cause some headaches here and there.
- We’ve merged the initial version of Bin Confusion attack mitigation into lavamoat/allow-scripts and will soon make it available behind a flag. It will be available in the next release. More on Bin Confusion: https://socket.dev/blog/npm-bin-script-confusion
- We’re working on a new CLI to help set up all LavaMoat tools in a repository by answering a few questions.
We were experimenting with getting Endo to power a bundler, resulting in some features and bugfixes.
- Building a PoC general purpose bundler on top of Endo’s compartment-mapper has triggered a bunch of improvements in various parts of the Endo codebase.
- Fixing a bug in how named reexports are handled.
DeFi Incident Database
The Threat Intelligence Team is working on a standardized data store for incidents in the decentralized finance (DeFi) space. Leveraging the STIX language, these records aim to be a source of truth, able to provide insights to both specialists and enthusiasts.
The Attacker is Inside: Integrating Snow ❄️ into MetaMask 🦊
[Image caption: Created with DALL·E, an AI system by OpenAI]
Snaps Can Improve Self-Custodial Security
If you aren’t yet familiar with Snaps, or if you want to get more involved as a developer, check out this recent Twitter Space chat, where Christian Montoya (MetaMask), Zen Yong (Web3Auth), and Chirag Titiya (Biconomy) go over how permissionless innovation for MetaMask can be used to help empower users to take control of their own funds and better protect their secret recovery phrases.
As Zen put it, “The FTX event ... could have had less of an impact on crypto in general if more people were to [practice] self custody.”
"Part of the motivation behind Snaps is that the MetaMask team alone can't possibly build all of the new functionality and innovations that are happening in the space ... we're seeing a lot of innovation happening around account management and we want to allow developers to build that innovation into MetaMask themselves. So, there's various proposals for how to manage accounts better, and I think that the ultimate goal is that when a new user comes to MetaMask to set up their wallet ... they have multiple options that are much easier to use ... that will do a lot to prevent you from the risk of what happens if you lose one of your keys or your account gets compromised." - Christian
- You may have already heard about how phishers use Google Ads to trick people out of their crypto, as covered by The Verge last year, but make sure you’re also on the lookout for URLs that begin with “sites.google.”
- From Mashable: “Phishing is a classic online scam tactic in which a bad actor copies the web designs of trusted websites, like a user's bank, in order to trick the individual into inputting their sensitive information so the scammer can access it. These scammers have found success creating these phishing websites on Google Sites.”
- BleepingComputer has also reported on a malicious Chrome extension. It “isn't available on the official Chrome web store but is instead circulated through alternative channels, such as websites pushing fake Adobe Flash Player updates.”
- And we’ve seen a few warnings about being careful with Telegram and trading bots:
“Hearing that there’s a new Trojan going around in telegram that can automatically download to your phone through an easy-to-miss automatically on setting. Don’t get hacked, do the stuff in the below image ASAP for both Cellular and Wifi imo. pic.twitter.com/D0kxTqC4oo” — Big D (@bigdsenpai), November 10, 2022
“Statement following our analysis into @AlchemyTrades and the encryption of Private Wallet keys within trading bots. Trading bots are all the rage right now but you might be putting yourself at risk if you do not take care. Here is what we learned ⬇️🧵” — AnalysisOnChain (@AnalysisOnChain), November 10, 2022