MetaMask Security Monthly: November 2023
Whether you just returned from DevConnect or were holding down the fort from home, we hope this issue finds you safe and well!
Satyendra Nath Bose in 1925. Bose provided the foundation for Bose-Einstein statistics and the theory of the Bose-Einstein condensate.
🎙️ MetaMask in the Security Ecosystem 🔎
Ian Wallis Presented at Zuzalu’s ZuConnect Event in Istanbul
View the Security Considerations in Web3 slide deck!
MetaMask’s Taylor Monahan Teams up with ZachXBT to Investigate LastPass Breach Crypto Losses
“According to research conducted by Monahan and ZachXBT, it is believed that the threat actors are cracking these stolen password vaults to gain access to stored cryptocurrency wallet passphrases, credentials, and private keys.”
Reminder for Dev Feedback on DNS Allowlist Solution
3rd party feedback call! In the past 3 yrs, over $125M has been extracted due to DNS hijacking and malicious content injection. MetaMask is adopting an on-chain calldata AllowList solution created by Yearn to mitigate this threat. More info/feedback form: https://t.co/ceAPByCL38
— MetaMask 🦊🫰 (@MetaMask) November 6, 2023
If You Haven’t Already Checked Out MetaMask’s Blockaid Integration And Security Snaps, You’re Missing Out on Valuable Security Enhancements
We're working tirelessly to provide multiple layers of security, backed by education and support.
— MetaMask 🦊🫰 (@MetaMask) November 2, 2023
Transaction Insights Snaps complement Blockaid alerts and shield your wallet even more.
Learn more here: https://t.co/ObyhUGKW80
Latest from the LavaMoat Team
- Released an update to @lavamoat/webpack with one big convenience improvement: it now adds the SES lockdown to the resulting dist automatically and provides an opt-in helper that integrates with html-webpack-plugin to embed it in the default HTML template too. Go to https://github.com/LavaMoat/LavaMoat/discussions/723 to leave your feedback or get support.
- LavaMoat on tour
  - NodeConfEU - an in-person workshop on defensive coding and a LavaMoat intro
  - The React Advanced recording is now available to the general public - https://portal.gitnation.org/contents/i-run-code-from-the-internet-1520
Tales of Caution
Tether Freezes 225M USDT Linked to International Crime Syndicate
Summary
OKX, Tether, Chainalysis, ZachXBT, and the US Department of Justice collaborated to freeze 225M USDT linked to a human trafficking syndicate responsible for global pig butchering scams. This is the largest token freeze performed by Tether to date. Tether will work with lawful end users to unfreeze their wallets.
How Users Can Protect Themselves
To avoid pig butchering and/or romance scams, users should do the following:
- If it’s too good to be true, it probably is - Receiving an exchange of value significantly higher than what you give is a key indicator of a pig butchering scam.
- Be wary of unsolicited contact - If a stranger reaches out to you asking to exchange or to be sent money, you probably should not. The same goes for an online relationship where you have never met the person in real life.
- Start a conversation with our MetaMask support team - If you feel like you are about to be scammed, start a chat with our team before you decide to send any crypto. They can tell you if you are likely being pig-butchered.
Hacker Who Stole Over $130M Offered a $10M Bounty
Summary
Justin Sun’s exchange, Poloniex, suffered what is believed to have been a private key compromise in early November. The attack resulted in the loss of over $130M, making it one of the largest hacks of the year and landing Poloniex at rank #16 on the Rekt leaderboard. The Poloniex team claims to have identified the attacker and has offered a $10M bounty if the funds are returned. Law enforcement is threatening to take action if the attacker chooses to keep the funds.
How Users Can Protect Themselves
Poloniex announced that funds will be restored and that users will soon be able to deposit and withdraw again. As a user, you should practice safe self-custody by withdrawing your tokens, preferably storing large/risky amounts in a cold wallet and smaller/less risky amounts in a hot wallet such as MetaMask. Whenever an exchange is holding your crypto, it has full custody of those funds and full control over how they are handled. Always remember: “Not your keys, not your coins.”
For developers, admins, and any parties responsible for managing other users’ wallets: it is important to use multi-signature wallets. To compromise a multi-signature wallet, an attacker would have to compromise every key manager, which significantly reduces the risk of a successful attack.
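To make the risk reduction concrete, here is an added example (not code from MetaMask or this newsletter) that computes how the probability of a successful theft changes as signatures are spread across independent key holders. It generalizes the newsletter's all-keys case to any M-of-N threshold and also computes the flip side a practitioner has to weigh: the probability that the legitimate owners lose access because too many keys are lost. The per-key probabilities are constructed illustrative values, not measurements, and the independence assumption is exactly what geographic distance and separate opsec between keyholders are meant to provide.

```python
from math import comb, isclose


def compromise_probability(threshold: int, total: int, p_key: float) -> float:
    """Probability that an attacker obtains at least `threshold` of `total`
    keys when each key is compromised independently with probability p_key.

    This is the upper tail of a Binomial(total, p_key) distribution.
    For a single-key wallet (1-of-1) it is simply p_key; for the
    all-keys case the newsletter describes (N-of-N) it is p_key ** N.
    """
    if not 1 <= threshold <= total:
        raise ValueError("threshold must satisfy 1 <= threshold <= total")
    if not 0.0 <= p_key <= 1.0:
        raise ValueError("p_key must be a probability")
    return sum(
        comb(total, k) * p_key**k * (1.0 - p_key) ** (total - k)
        for k in range(threshold, total + 1)
    )


def loss_probability(threshold: int, total: int, p_lost: float) -> float:
    """Probability that the owners can no longer sign because fewer than
    `threshold` keys remain, i.e. at least total - threshold + 1 keys were
    lost (each lost independently with probability p_lost).

    Mathematically this is the same tail computation with the roles
    swapped, which is why N-of-N is safest against theft but most fragile
    against loss: losing any single key locks everyone out.
    """
    return compromise_probability(total - threshold + 1, total, p_lost)


def compare_policies(p_key: float, p_lost: float, policies=((1, 1), (2, 2), (2, 3), (3, 3), (3, 5))):
    """Return {(threshold, total): (theft_probability, lockout_probability)}
    for a set of candidate signing policies under the same per-key risks."""
    return {
        (m, n): (compromise_probability(m, n, p_key), loss_probability(m, n, p_lost))
        for m, n in policies
    }


if __name__ == "__main__":
    # Constructed illustrative inputs: 10% chance any one key holder is
    # compromised, 5% chance any one key is lost (device destroyed, holder
    # unreachable) over the period considered.
    table = compare_policies(p_key=0.10, p_lost=0.05)
    print(f"{'policy':>8} {'P(theft)':>10} {'P(lockout)':>12}")
    for (m, n), (theft, lockout) in table.items():
        print(f"{m}-of-{n:<4} {theft:>10.4f} {lockout:>12.4f}")
```

Run stand-alone, the table shows the trade-off the newsletter's advice is steering toward: moving from 1-of-1 to 2-of-2 cuts the theft probability from 0.10 to 0.01, but 3-of-3 already carries a 14% lockout risk at a 5% per-key loss rate, while 2-of-3 or 3-of-5 keep both tails small. The model also makes explicit that the reduction only holds when compromises are independent; key holders who share a laptop, a password manager, or a travel itinerary are effectively one key.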
Executives Lured on 'Business Trip' to Montenegro; Abducted and Forced to Empty Wallets. Total loss ~$12.5m.
Executives from a client were lured on a 'business trip' to Montenegro, where they were abducted and forced to empty their wallets. Total loss ~$12.5m.
— CZ 🔶 BNB (@cz_binance) November 10, 2023
We investigated the on chain activities and reached out to our partners earlier today to have the wallet frozen, as all of the…
How Users Can Protect Themselves
- Never disclose (and especially never brag about) any crypto holdings to anyone who doesn’t strictly need to know. Your granny, barber, or best friend from high school may be impressed, but loose lips dramatically increase your threat profile.
- Diversify when reasonable, keeping different amounts in appropriate places. Connect a hardware wallet to MetaMask to achieve a good security balance for many activities. Then research and consider multisig and/or paper wallets not connected in any way to your identity that are only known by the people you trust most. For multisigs, keep geographic distance and necessary opsec between keyholders.
- Don’t allow direct access to more funds than you need to transact with or can afford to lose on devices you carry on you (laptop/phone). Heading on vacation and don’t plan to use/trade anything from your large cold wallet? Leave absolutely everything needed to access it somewhere safe while you’re gone, and definitely don't bring it on the trip.