MetaMask Security Monthly: September 2023
This has been a very busy month! We’re very excited about the security implications for Snaps, but make sure to check out all the other news this edition has to offer.
Guatemalan co-inventor of CAPTCHA Luis von Ahn
🎙️ MetaMask in the Security Ecosystem 🔎
HackerOne’s Ambassador World Cup Semi-Finals
Today marks the start of the semi-finals of the #AmbassadorWorldCup! 💪
These four teams are bug-hunting for our partners, @Shopify, @MetaMask, and @Tinder, as they work to secure their digital landscape and protect their customers! 🙌
Cheer them on in the thread below!👇 pic.twitter.com/un8i6p9CId
— HackerOne (@Hacker0x01) September 26, 2023
Self Custody Education with MetaMask and Ledger
MetaMask Learn in collaboration with Ledger published a lesson in Web3 Security that covers the responsibility of those taking control of their own funds to protect themselves, how to avoid attack vectors, and the importance of using a hardware wallet.
To promote these ideas, MetaMask senior security researcher Miles Nolan joined others from MetaMask and Ledger to co-host a live X (formerly Twitter) Space on September 20.
MetaMask x Wallet Guard: State of Security
In this quarter’s joint MetaMask and Wallet Guard X (formerly Twitter) space on the state of security, Wallet Guard regulars Ohm, Martin, and Michael were joined by Marco Menozzi (MetaMask Security) and Christian Montoya (MetaMask Snaps) to talk about device security, social engineering, data breaches, SIM Swapping, scam ads, and MetaMask Snaps (more on that to follow!). Listen to the full recording and/or read the recap.
Did you miss the latest quarterly state of security space with MetaMask & Wallet Guard? 👀
From personal security tips to the latest data breaches & an overview of the MetaMask Snaps launch, let's recap what went down! 👇 pic.twitter.com/SaEvlYFMYs
— Wallet Guard (@wallet_guard) September 27, 2023
MetaMask Snaps and Security
If you haven’t already heard, MetaMask launched the open beta of Snaps on September 12 and we’re very excited about what it means for permissionless, customizable security when using MetaMask. Individual Snaps are features and functionalities created by third-party developers that you can install directly into your wallet. It’s worth noting that this open beta is targeted towards power users and early adopters, but this is only the beginning. To read more about Snaps, please visit https://metamask.io/snaps/.
While the potential variety of Snaps is vast, several that are security-focused are currently available in the Snaps Directory. Every Snap in the official directory has been audited by our team and external auditing services. In the following thread, Christian Montoya lays out a few basic tips for optimizing your MetaMask security, before going on to list the snaps included in our open beta that can help protect you from risky transactions.
Safety is paramount in web3. Here's a guide to keeping yourself safe in the world of crypto so you can degen responsibly.— Montoya (@MidwitMilhouse) September 25, 2023
🚧What We’ve Been Working On🚧
Calldata Allowlist to Mitigate DNS Hijacking Losses
In the past 3 years alone, over $125M has been extracted due to DNS hijacking and malicious content injection. A solution created by the Yearn team that MetaMask is adopting involves creating an onchain calldata allowlist: if a DNS hijack serves users a malicious front-end, the wallet can refuse any transaction whose target contract, function, or arguments fall outside what the legitimate app has registered, so the attacker cannot turn the hijacked page into drained wallets.
Our developer relations team is now reaching out to third parties whose participation will be vital to the success of this initiative. For more information, please see our public document that links to the POC repo, and this short explainer video featuring Miles Nolan.
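To make the allowlist idea concrete, here is an added example of the check a wallet could run before signing a transaction that a dapp front-end proposes. It is not code from MetaMask, Yearn, or the linked POC repo. It assumes the allowlist (which in the real design would be stored onchain and fetched by the wallet, so a hijacked front-end cannot edit it) is already available as an in-memory object keyed by dapp origin; the origin, the contract addresses, and the "0x12345678" swap selector are constructed placeholders, while the approve and setApprovalForAll selectors are the standard ERC-20/ERC-721 values.

```javascript
// Added example: a minimal wallet-side calldata allowlist check.
// Not MetaMask's or Yearn's code; all addresses and the dapp origin
// below are constructed placeholders.

// Function selectors are the first 4 bytes of keccak256(signature).
// These two are the well-known ERC-20 / ERC-721 values.
const SEL_APPROVE = "0x095ea7b3";              // approve(address,uint256)
const SEL_SET_APPROVAL_FOR_ALL = "0xa22cb465"; // setApprovalForAll(address,bool)
const APPROVAL_SELECTORS = new Set([SEL_APPROVE, SEL_SET_APPROVAL_FOR_ALL]);

// Constructed placeholder addresses (not real contracts).
const TOKEN = "0x1111111111111111111111111111111111111111";
const ROUTER = "0x2222222222222222222222222222222222222222";
const ATTACKER = "0xdeaddeaddeaddeaddeaddeaddeaddeaddeaddead";
const ORIGIN = "https://app.example-dapp.test"; // hypothetical dapp origin

// Allowlist keyed by dapp origin: which contracts and functions the
// front-end may ask the user to sign, and which argument values are
// acceptable (here: who may be approved as a spender/operator).
// In the real design this data would be read from the onchain registry.
const ALLOWLIST = {
  [ORIGIN]: [
    { to: TOKEN, selector: SEL_APPROVE, spenders: [ROUTER] },
    { to: ROUTER, selector: "0x12345678" }, // hypothetical swap call, no arg constraints
  ],
};

function normAddr(a) { return a.toLowerCase(); }

// Split calldata into a 4-byte selector and 32-byte ABI words (static types only).
// Anything that is not hex or not word-aligned is treated as malformed.
function decodeCalldata(data) {
  const hex = data.startsWith("0x") ? data.slice(2) : data;
  if (hex.length < 8 || (hex.length - 8) % 64 !== 0 || !/^[0-9a-fA-F]*$/.test(hex)) return null;
  const words = [];
  for (let i = 8; i < hex.length; i += 64) words.push(hex.slice(i, i + 64).toLowerCase());
  return { selector: "0x" + hex.slice(0, 8).toLowerCase(), words };
}

// An ABI-encoded address is right-aligned in its word; the upper 12 bytes
// must be zero, otherwise the argument is malformed and is rejected.
function wordToAddress(word) {
  if (word.length !== 64 || !/^0{24}/.test(word)) return null;
  return "0x" + word.slice(24);
}

// Decide whether the wallet should let the user sign `tx` ({to, data})
// proposed by a page at `origin`. Returns {allowed, reason}.
function checkTransaction(origin, tx) {
  const rules = ALLOWLIST[origin];
  if (!rules) return { allowed: false, reason: "origin not in allowlist" };
  const decoded = decodeCalldata(tx.data);
  if (!decoded) return { allowed: false, reason: "malformed calldata" };
  const rule = rules.find(r =>
    normAddr(r.to) === normAddr(tx.to) && r.selector.toLowerCase() === decoded.selector);
  if (!rule) return { allowed: false, reason: "contract/function not allowlisted" };
  // Approval-style calls hand control of funds to a third party, so a rule
  // for them must always constrain the spender; an unconstrained entry is a
  // misconfiguration and is treated as a denial rather than an allow.
  if (APPROVAL_SELECTORS.has(rule.selector.toLowerCase())) {
    if (!rule.spenders) return { allowed: false, reason: "approval rule lacks spender constraint" };
    const spender = wordToAddress(decoded.words[0] || "");
    if (!spender) return { allowed: false, reason: "malformed spender argument" };
    if (!rule.spenders.map(normAddr).includes(spender)) {
      return { allowed: false, reason: "spender not allowlisted: " + spender };
    }
  }
  return { allowed: true, reason: "ok" };
}

// Build calldata for approve(spender, amount) from static arguments.
function encodeApprove(spender, amountHex) {
  return SEL_APPROVE + normAddr(spender).slice(2).padStart(64, "0") + amountHex.padStart(64, "0");
}

const MAX_UINT = "f".repeat(64);
// The approval the genuine front-end would request.
const legit = { to: TOKEN, data: encodeApprove(ROUTER, MAX_UINT) };
// What a hijacked front-end would push: same token, same function, attacker as spender.
const hijacked = { to: TOKEN, data: encodeApprove(ATTACKER, MAX_UINT) };

console.log("legit:", checkTransaction(ORIGIN, legit));
console.log("hijacked:", checkTransaction(ORIGIN, hijacked));
```

The point of the design is that the two transactions are byte-for-byte identical except for the spender argument, which is exactly the field a hijacked page controls; a check that looked only at the target contract or selector would pass both. Dynamic ABI types (bytes, arrays) need a fuller decoder than the fixed-word splitter used here.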
- Improvements to the release process have made releasing trivial. Expect increased release cadence to be the new normal.
- With an update to how tests are structured, we’ve gotten them to pass in Node 20 and could finally officially cover Node 20 as supported.
- ScorchWrap plugin is ready for beta. Scheduled to announce the beta at two remote developer events, more to come. The main activity of the beta program will happen here: https://github.com/LavaMoat/LavaMoat/discussions/723
- Lockdown in MetaMask Mobile is working. Should be released soon.
- Gal and Zb join the discussion at a W3C event “Secure the Web Forward”
As part of our efforts to secure same-origin realms in web applications by maintaining the Snow JS project, we are also advocating for a browser-native solution that would achieve better, more secure results. In this document, Gal from team LavaMoat focuses on the "same origin concern": the lack of control apps have over new realms that arise under their own origin, the implications for their safety, why current efforts to address it fall short, and what browsers can do to help ship a secure and performant solution. The document was also presented to the W3C security working group this month.
In Other News…
Taylor Monahan weighs in on losses possibly linked to SRPs stored in LastPass
A string of high-value thefts totaling around $35 million worth of crypto from security-minded individuals in the tech industry may be linked to a breach disclosed by LastPass almost a year ago. MetaMask’s Monahan has been following the clues since December 2022, and was quoted as saying “The victim profile remains the most striking thing. They truly all are reasonably secure. They are also deeply integrated into this ecosystem, [including] employees of reputable crypto orgs, VCs [venture capitalists], people who built DeFi protocols, deploy contracts, run full nodes.”
The only major throughline Taylor has been able to find is that these victims used LastPass to store their secret recovery phrases at some point, and her tl;dr moral of the story is: “PLEASE DON’T KEEP ALL YOUR ASSETS IN A SINGLE KEY OR SECRET PHRASE FOR YEARS. THE END. Split up your assets. Get a [hardware] wallet. Migrate. Now.” Read more from Krebs on Security.
Enhancing Blockchain Security with ERC-7512: A Standard for representing smart contract audits onchain
“One of the primary objectives of ERC-7512 is to establish trust within the blockchain ecosystem. Users and dApps can now verify audits conducted by reputable auditors, thus creating an on-chain reputation system for auditors themselves. This standard paves the way for a more secure environment where smart contracts can be relied upon confidently.”
“From compromised front-ends to ‘pig butchering’ scams, an eight-figure on-chain blunder to hacked celebrities (both crypto and non-crypto), and even government agencies getting duped... the last few weeks have been filled with news of scammers hitting the jackpot via a number of common vectors.”
This article also covers the high-profile SIM-swap drainer attack on Vitalik Buterin.
For more on Pink Drainer, see this thread from Boring Security.
This morning we were putting together a thread on Pink Drainer and their different scam methods.
This afternoon, Vitalik's account was compromised by Pink and several people were scammed using three different techniques.
I guess it's time we finished that thread.
— Boring Security (@BoringSecDAO) September 10, 2023