MetaMask Security Monthly: November 2022

More about LavaMoat, an argument for Snow JS, and a great chat on how MetaMask Snaps will be great for self custody!

by Luker, December 7, 2022
November 2022

Security Laboratory

Daphne Oram, at the BBC Radiophonic Workshop, 1958


  • November marks a lot of work done on new features in LavaMoat.
  • We’re rolling out Snow and globals scuttling, and applying them to the MetaMask extension. All LavaMoat users should now be able to use those.
  • We’ve introduced a brand new quadruply backflipped version of SES into LavaMoat with some powerful updates. It will roll out in the upcoming release.
  • One of the changes is domain taming in Node.js - it’s notable because some packages in the ecosystem still use this long-deprecated feature and it may cause some headaches here and there.
  • We’ve merged the initial version of the Bin Confusion attack mitigation into lavamoat/allow-scripts. It will be available behind a flag in the next release. More on Bin Confusion:
  • We’re working on a new CLI to help set up all LavaMoat tools in a repository by answering a few questions.


We were experimenting with getting Endo to power a bundler, resulting in some features and bugfixes.

  • Building a PoC general purpose bundler on top of Endo’s compartment-mapper has triggered a bunch of improvements in various parts of the Endo codebase.
  • Fixing a bug in how named reexports are handled.

DeFi Incident Database

The Threat Intelligence Team is working on a standardized data store for incidents in the decentralized finance (DeFi) space. Leveraging the STIX language, these records aim to be a source of truth, able to provide insights to both specialists and enthusiasts.

The Attacker is Inside:

🌋Javascript Supplychain Security and LavaMoat🌋

As promised, we bring you the talk Kumavis gave at Devcon last month! We all use open source; it is the wealth of the commons that forms the foundations we all build on. While this is incredibly empowering, we may be inviting the devil to dine with us. This talk examines software supply chain attacks in the JavaScript and crypto ecosystems and how to keep your app, wallet, and users safe with LavaMoat, the free and open-source tool that protects MetaMask.

Integrating Snow ❄️ into MetaMask 🦊

The latest from Gal, who argues for integrating the new and advanced Snow JS browser security technology into the MetaMask browser extension.

Read all about it here!

Created with DALL·E, an AI system by OpenAI

Snaps Can Improve Self-Custodial Security

If you aren’t yet familiar with Snaps, or if you want to get more involved as a developer, check out this recent Twitter Space chat, where Christian Montoya (MetaMask), Zen Yong (Web3Auth), and Chirag Titiya (Biconomy) go over how permissionless innovation for MetaMask can be used to help empower users to take control of their own funds and better protect their secret recovery phrases.

As Zen put it, “The FTX event ... could have had less of an impact on crypto in general if more people were to [practice] self custody.”

"Part of the motivation behind Snaps is that the MetaMask team alone can't possibly build all of the new functionality and innovations that are happening in the space ... we're seeing a lot of innovation happening around account management and we want to allow developers to build that innovation into MetaMask themselves. So, there's various proposals for how to manage accounts better, and I think that the ultimate goal is that when a new user comes to MetaMask to set up their wallet ... they have multiple options that are much easier to use ... that will do a lot to prevent you from the risk of what happens if you lose one of your keys or your account gets compromised." -Christian.

Cautionary Tales

  • You may have already heard about how phishers use Google Ads to trick people out of their crypto, as covered by The Verge last year, but make sure you’re also on the lookout for URLs that begin with “”
  • From Mashable:
  • “Phishing is a classic online scam tactic in which a bad actor copies the web designs of trusted websites, like a user's bank, in order to trick the individual into inputting their sensitive information so the scammer can access it. These scammers have found success creating these phishing websites on Google Sites.”
  • BleepingComputer has also reported on a malicious Chrome extension. It “isn't available on the official Chrome web store but is instead circulated through alternative channels, such as websites pushing fake Adobe Flash Player updates.”
  • And we’ve seen a few warnings about being careful with Telegram and trading bots:
