MetaMask Security Monthly: October 2022

Whoo, we’ve been busy this month! We have some Devcon talks, new articles, and community outreach coming your way!

by MetaMask, September 30, 2022

Security Laboratory

Endo

“Quadruple backflip” has landed and was released. We’re looking into introducing the new version of SES into LavaMoat.
https://github.com/endojs/endo/pull/1293
https://github.com/endojs/endo/releases/tag/ses%400.17.0

Meanwhile, we’re also working on introducing LavaMoat-style policies to Endo to allow granular control of powers per package. The current proof of concept allows listing globals and builtins, where builtins can be programmatically attenuated (limited in API or functionality).

LavaMoat

  • The latest release of @lavamoat/allow-scripts now supports configuring Yarn 3-based projects out of the box, with more improvements pending.
  • We’ve introduced a programmatic API to lavamoat, so with require('lavamoat') it can now be used from within a Node application or script, not only as a command.
  • We’ve introduced scuttling of globals — global powers are captured for endowment according to the policy, and the original global references are then removed, so it’s harder for the end user to accidentally pass an indirect reference to them to a package.
  • We’re very close to providing protection against the recent hack devised by our friends at socket.dev: https://socket.dev/blog/npm-bin-script-confusion

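To make the scuttling idea concrete, here is an added toy illustration (not LavaMoat’s implementation, and not code from this post). A constructed policy names the globals a package may receive; those are copied into an endowments object first, then every other property of the global object is replaced with a throwing accessor. The example runs against a constructed stand-in for globalThis so it is safe to execute anywhere; the global names, the policy, and the helper functions are all assumptions made for the illustration.

```javascript
// Added illustration of "scuttling" globals: capture the allowed powers,
// then remove the originals so an indirect reference cannot leak them.
// Toy model only, not LavaMoat's own code; runs on a constructed fake global.

// Constructed stand-in for the real global object.
function makeFakeGlobal() {
  return {
    console: { log: () => 'logged' },
    fetch: () => 'network access',
    localStorage: { getItem: () => 'secret' },
    setTimeout: (fn) => fn(),
  };
}

// Copy only the globals the policy allows into a fresh endowments object.
function captureEndowments(globalObj, policy) {
  const endowments = Object.create(null);
  for (const name of policy.globals) {
    if (Object.prototype.hasOwnProperty.call(globalObj, name)) {
      endowments[name] = globalObj[name];
    }
  }
  return endowments;
}

// Replace every global the policy does not keep with a throwing accessor.
// Non-configurable properties are left alone. Returns the scuttled names.
function scuttleGlobals(globalObj, policy) {
  const keep = new Set(policy.globals);
  const scuttled = [];
  for (const name of Object.getOwnPropertyNames(globalObj)) {
    if (keep.has(name)) continue;
    const desc = Object.getOwnPropertyDescriptor(globalObj, name);
    if (!desc || !desc.configurable) continue;
    Object.defineProperty(globalObj, name, {
      get() { throw new ReferenceError(`global "${name}" has been scuttled`); },
      set() { throw new ReferenceError(`global "${name}" has been scuttled`); },
      configurable: false,
      enumerable: false,
    });
    scuttled.push(name);
  }
  return scuttled;
}

// Simulate a package that was handed an indirect reference to the global
// object and tries to read a power through it.
function packageTriesToReach(globalObj, name) {
  try {
    return { reached: true, value: globalObj[name] };
  } catch (err) {
    return { reached: false, error: err.message };
  }
}

// Run the whole sequence: capture, scuttle, then probe from a "package".
function demo() {
  const g = makeFakeGlobal();
  const policy = { globals: ['console', 'setTimeout'] }; // constructed policy
  const endowments = captureEndowments(g, policy);
  const scuttled = scuttleGlobals(g, policy);
  return {
    endowmentNames: Object.keys(endowments).sort(),
    scuttled: scuttled.sort(),
    fetchAfter: packageTriesToReach(g, 'fetch'),
    consoleAfter: packageTriesToReach(g, 'console'),
    endowedConsoleWorks: endowments.console.log(),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the toy is the ordering: the endowments are taken before the globals are scuttled, so the package still gets exactly the powers the policy grants, while anything it reaches through a stray reference to the global object throws instead of silently handing over a capability.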
🤩Usable Security in Web3 😎

We had a blast seeing everyone at Devcon! Watch Antonela rock the main stage with this talk on how to balance security and usability in product design.

Stay tuned, because we’re going to be sharing the LavaMoat talk Kumavis gave next time. Here’s a sneak peek…

Using LavaMoat To Solve Software Supply Chain Security

But if you can’t wait that long, you can read all about it here!

What is a realm in JavaScript?

We’re also proud to share this deep dive from Gal on the ecosystems in which JavaScript programs live. Check it out.

MetaMask Community Call: Security Essentials

Last but definitely not least, the MetaMask community team led this awesome security 101 call that had over 4000 attendees! Watch it for yourself, and share it with your friends.