MetaMask Security Monthly: October 2023
Countries all over the world recognized Cybersecurity Awareness Month in October. We hope you were able to stay extra safe, but remind everyone to stay vigilant every day of the year.
Victor Frankenstein’s laboratory from the 1931 film. Happy Halloween!
MetaMask, in collaboration with Blockaid, a leading web3 security provider, launched security alerts that help stop malicious transactions before they happen, protecting users from scams, phishing, and hacks. MetaMask and Blockaid developed a privacy-preserving module to simulate transactions while removing the need for users to share data with third parties. Based on previous trends, when available to 100% of the MetaMask users, these alerts aim to prevent billions worth of assets from being stolen.
🚧What We’ve Been Working On🚧
We want to encourage developers to try out the plugin and report any incompatibilities with the webpack config or tools you use. It should be plug-and-play with some configurations of what to exclude when processing assets to avoid clashing with the css-extract plugins and such.
Open Beta is the only time where you can get free direct support on your LavaMoat integration, so don't hesitate to get in touch! Start a discussion thread here if you're trying it out and share your experience and showcase results.
Christian Montoya from MetaMask Snaps joins Christian Seifert and Andrew Beal from Forta to discuss web3 security and the Forta transaction insight Snap.
“The purpose of the Forta Snap is to protect you from scams. The way that it works is that it will screen your transaction before you grant an approval and before you sign it, and it will warn you if an entity that you are interacting with in that transaction is malicious." - Andrew Beal
The snap will return one of two possible warnings: high risk indicates a malicious entity, and low risk means you're probably safe. It was pointed out in the discussion that we hear a lot about large protocol attacks, but the routine attacks on individuals is just as critical to the ecosystem. One user in particular posted about how thankful they were to have been using the Forta snap:
This collaborative document is intended to serve investigators, exchanges, and crypto product builders who find themselves in the unfortunate position of interacting with users who have fallen victim to a pig butchering scam. Current contributors are the MetaMask Security and Trust & Safety teams, as well as investigators from CryptoForensic.
Pig butchering, or sha zhu pan, scams have been on the rise, and occur when bad actors engage in an online relationship with their victims. Many times, the relationships are romantic in nature, but can also be platonic. As the scammer has taken painstaking months to build up a rapport with the victim, the victim often doesn’t realize that the person they trusted has stolen from them.
The runbook covers what facts indicate the user has been affected by one of these scams, what questions to ask, and how to most effectively coach them into mitigating further losses.
- We have released an early version of LavaMoat Webpack plugin. It is capable of wrapping your code in compartments and adhering to a basic policy. While missing some convenience, it’s ready for you to test compatibility with your project! You can now get it:
npm i @lavamoat/webpackGo to https://github.com/LavaMoat/LavaMoat/discussions/723 to leave your feedback or get support.
- New major releases of all LavaMoat packages are out. The breaking change is they no longer support Node.js v14.
- LavaMoat on tour:
- React Advanced - online - https://portal.gitnation.org/contents/i-run-code-from-the-internet-1520 - Webpack Plugin announced.
- The Hack summit - Warsaw - https://thehacksummit.com/en/
- We are improving the quality of our typings, but much more of that is coming.
- A recent vulnerability was resolved by upgrading to MacOS 13.5.2+ prompted MetaMask Mobile support for Xcode 15 and upgrading to React Native 0.71.14. Now merged, lockdown is undergoing final testing on iOS (JSC), followed by lockdown on Android (Hermes).
Tales of Caution
On October 17, a subset of Fantom Foundation (Fantom) wallets were drained due to private key compromise. Fantom initially broke the news in their Telegram channel claiming the fund loss was the result of a Chrome zero-day exploit, but have not released any supporting evidence. Using on-chain analysis(1, 2, 3) we assess with moderate confidence this attack resulted from compromised private keys. Since this fund loss incident impacted multiple wallets at the same date and time, we can determine that it was unlikely for each key holder to have fallen victim to a phishing attack on the same date and time. Fantom later disclosed in an official statement on X saying that only 550K out of the total $7 million stolen belonged to Fantom Foundation, but never gave any new details shedding light on how the attack occurred.
How users can protect themselves
User’s funds are safe as this hack only affected employee wallets. I would still advise user’s to keep a close watch on Fantom Foundation and how they handle this situation. It would also be a great idea for both developers and user’s to follow Tay’s advice 👇
- Practice good OPSEC - Use MFA, hardware wallets, and don’t download random things from the internet.
- Don’t put all your eggs in one basket - Distribute assets to different wallets and be sure to rotate your keys(ie, Don’t use keys of 7+ years or seeds that has been used on multiple devices)
- Separate Concerns - Signing transactions for high value accounts should NOT be done on the same device used for casual browsing, messaging, etc.
This is your weekly, weekend reminder that every credential you had in LastPass at this time last year should be considered compromised.— Tay 💖 (@tayvano_) October 22, 2023
Please prioritize rotating your most valuable / oldest secrets + migrating assets today.
Non-LastPass users should honestly do the same.
Threat actors who launch nasty info stealer campaigns are now storing their malicious payloads on Binance Chain. Info stealing malware is designed to steal banking information, login credentials, and credit card information without victims detecting a trace of the malware.
Threat actors are pivoting from using traditional web2 approaches to using web3 technologies to store malicious content, because previous methods are consistently being taken down by hosting services. Although this activity has been catching the attention of the Web3 security community, we must highlight that threat actors have been leveraging decentralized technologies such as IPFS to store malicious content as well.
How users can protect themselves
While this campaign doesn’t specifically target crypto users, users should incorporate best practices when browsing the internet. This involves keeping your browser and computer updated, using ad-blockers, and not downloading things from people or organizations you do not trust.
Galxe Agrees to Compensate Users 110% After Suffering DNS Hijacking Attack that Led to the Loss of Over $400K
Galxe compensated users who lost funds after the platform suffered a recent DNS hijacking attack. Galxe’s domain registrar, Dynadot, provided domain access to an attacker who impersonated members from the official Galxe team. The attacker then turned Galxe’s front end to a phishing site that impacted 1,120 of Galxe users.
How users can protect themselves
Thankfully MetaMask acted swiftly by temporarily marking Galxe as a phishing site.
Users that were impacted by this attack were compensated 110% of their lost funds on October 20th . Impacted users that have not yet been compensated can contact the Galxe support team for further assistance.
It’s important for user’s to stay vigilant when interacting with dapps, even ones they trust. Keeping protocol announcement alerts on, wallets updated, and MetaMask security features (PPOM/BlockAid) enabled are the advised preventative measures.
Developers looking to mitigate DNS hijacking attacks should take a look at our DNS hijacking mitigation proposal. Please provide us your feedback on the proposal here → https://feedback.metamask.io/allowlist/
Save the Date: State of Security: MetaMask x Wallet Guard
Our quarterly X (fka Twitter) Space co-hosted by MetaMask and wallet guard will be held on November 29 at 12pm PST. Get the breakdown on the latest threats, best security practices & releases. We hope to see you there! https://twitter.com/i/spaces/1OyKAWmbmdDJb
Keep reading our latest stories
Developers, security news, and more