MetaMask Security Monthly: September 2023

This has been a very busy month! We’re very excited about the security implications for Snaps, but make sure to check out all the other news this edition has to offer.

by LukerOctober 2, 2023
sep 23

Screenshot 2023-10-02 at 10.16.34 AM

Guatemalan co-inventor of CAPTCHA Luis von Ahn

🎙️ MetaMask in the Security Ecosystem 🔎

HackerOne’s Ambassador World Cup Semi-Finals

Self Custody Education with MetaMask and Ledger

MetaMask Learn in collaboration with Ledger published a lesson in Web3 Security that covers the responsibility of those taking control of their own funds to protect themselves, how to avoid attack vectors, and the importance of using a hardware wallet.

To promote these ideas, MetaMask senior security researcher Miles Nolan joined others from MetaMask and Ledger co-hosted a live X (formerly Twitter) Space on September 20.

MetaMask x Wallet Guard: State of Security

In this quarter’s joint MetaMask and Wallet Guard X (formerly Twitter) space on the state of security, Wallet Guard regulars Ohm, Martin, and Michael were joined by Marco Menozzi (MetaMask Security) and Christian Montoya (MetaMask Snaps) to talk about device security, social engineering, data breaches, SIM Swapping, scam ads, and MetaMask Snaps (more on that to follow!). Listen to the full recording and/or read the recap.

MetaMask Snaps and Security

If you haven’t already heard, MetaMask launched the open beta of Snaps on September 12 and we’re very excited about what it means for permissionless, customizable security when using MetaMask. Individual Snaps are features and functionalities created by third-party developers that you can install directly into your wallet. It’s worth noting that this open beta is targeted towards power users and early adopters, but this is only the beginning. To read more about Snaps, please visit

While the potential variety of Snaps is vast, several that are security-focused are currently available in the Snaps Directory. Every Snap in the official directory has been audited by our team and external auditing services. In the following thread, Christian Montoya lays out a few basic tips for optimizing your MetaMask security, before going on to list the snaps included in our open beta that can help protect you from risky transactions.

🚧What We’ve Been Working On🚧

Calldata Allowlist to Mitigate DNS Hijacking Losses

In the past 3 years alone, over $125M has been extracted due to DNS hijacking and malicious content injection. A solution created by the Yearn team that MetaMask is adopting involves creating an onchain calldata AllowList that prevents malicious actors from damaging crypto users in the event of a DNS hijack.

Our developer relations team is now reaching out to third parties whose participation will be vital to the success of this initiative. For more information, please see our public document that links to the POC repo, and this short explainer video featuring Miles Nolan:

LavaMoat Update

The Same Origin Concern

As part of our efforts to secure same origin realms in web applications by maintaining the Snow JS project, we are also advocating for a browser native solution to achieve better, more secure results. Gal from team LavaMoat, focuses in this document on the “same origin concern,” describing the lack of control apps have over new realms that rise under their own origin, as well as its implications on their safety, how current efforts to address it fail and what browsers can do to help ship a secure and performant solution for the problem, which was also presented to the W3C security work group this month.

In Other News…

Taylor Monahan weighs in on losses possibly linked SRPs stored in LastPass

A string of high-value thefts totaling around $35 million worth of crypto from security-minded individuals in the tech industry may be linked to a breach disclosed by Last Pass almost a year ago. MetaMask’s Monahan has been following the clues since December 2022, and was quoted as saying “The victim profile remains the most striking thing. They truly all are reasonably secure. They are also deeply integrated into this ecosystem, [including] employees of reputable crypto orgs, VCs [venture capitalists], people who built DeFi protocols, deploy contracts, run full nodes.”

The only major throughline Taylor has been able to find is that these victims used LastPass to store their secret recovery phrases at some point, and her tl;dr moral of the story is: “PLEASE DON’T KEEP ALL YOUR ASSETS IN A SINGLE KEY OR SECRET PHRASE FOR YEARS. THE END. Split up your assets. Get a [hardware] wallet. Migrate. Now.” Read more from Krebs on Security.

Enhancing Blockchain Security with ERC-7512: A Standard for representing smart contract audits onchain

“One of the primary objectives of ERC-7512 is to establish trust within the blockchain ecosystem. Users and dApps can now verify audits conducted by reputable auditors, thus creating an on-chain reputation system for auditors themselves. This standard paves the way for a more secure environment where smart contracts can be relied upon confidently.”

Rekt Has Gone Phishing

“From compromised front-ends to ‘pig butchering’ scams, an eight-figure on-chain blunder to hacked celebrities (both crypto and non-crypto), and even government agencies getting duped... the last few weeks have been filled with news of scammers hitting the jackpot via a number of common vectors.”

This article also covers the high-profile SIM-swap drainer attack on Vitalik Buterin.

For more on Pink Drainer, see this thread from Boring Security

Receive our Newsletter