Crypto Security Report: August 2023

Featuring the launch of Seal 911, a Telegram hotline for crypto emergencies from MetaMask, Paradigm, Yearn, and Polygon, a typosquatted npm package that steals private keys, a bold new direction for Snow, and MetaMask talks at Defcon.

5 minutes
Crypto Security Report: August 2023

Each month, MetaMask Security Director Luker reports on the latest crypto attacks and emerging risks that you need to know about.

In August 2023, security experts from MetaMask, Paradigm, Yearn, and Polygon launched Seal 911—an experimental Telegram hotline for crypto emergencies, while MetaMask took the stage at Defcon and Ethereum Argentina and Gal Weizman set a bolder, security-first direction for Snow. Behind the scenes, LavaMoat automated its releases and advanced the ScorchWrap plugin and SES lockdown for mobile. Elsewhere,  we reported on another real-world supply chain attack: a typosquatted Ethereum npm package that stole private keys—exactly the kind of threat LavaMoat is built to mitigate. The full breakdown is below, but first...

Émile Baudot (1845–1903) was a French telegraph engineer who invented the Baudot code, an early fixed-length character encoding that was one of the first practical means of digital communication and a forerunner of ASCII. The unit "baud" is named after him. His work standardizing how information is encoded and transmitted is foundational to the secure, reliable data exchange the ecosystem depends on today.

Security experts launch Seal 911, a Telegram hotline for crypto emergencies

Security experts from MetaMask, along with those from Paradigm, Yearn, and Polygon, teamed up to create an experimental Telegram bot hotline for users experiencing crypto emergencies, with MetaMask's Taylor Monahan and Harry Denley pitching in on the project, dubbed Seal 911. As samczsun explained on August 8, 2023, the group set out to solve the hardest part of responsible disclosure—finding the right person to talk to. The result is a Seal 911 bot that anyone can use during an emergency to reach trusted members of the security community and their extensive network of contacts.

Gal Weizman: Snow prioritizes security over adoption and functionality

In the latest update on LavaMoat’s Snow, MetaMask's Gal Weizman signaled a bolder direction: "Today marks a big day in the life of Snow, where we come to the mature realization that in order for the project to stop chasing defensive security it has to take some bold steps at the cost of adoption and functional behaviour." In other words, Snow will prioritize stronger security guarantees even where that reduces convenience or compatibility.

Zbigniew Tenerowicz and Kumavis lead a Defensive Coding workshop at Defcon's AppSec Village

At Defcon's August 2023 AppSec Village in Las Vegas, MetaMask’s Zbigniew Tenerowicz (ZB) and Kumavis led a Defensive Coding workshop on hardened JavaScript and software supply chain risk. There is no recording, but the coursework and slides are available.

"Have you heard of software supply chain? Yes, that's the thing where it turns out you're responsible for what your app takes from the

Antonela Debiasi questions trust in technology intermediaries at Ethereum Argentina

Secure design specialist Antonela Debiasi took the main stage at Ethereum Argentina to examine the trust model in cryptocurrency networks, drawing a distinction between indicators of trust and indicators of corporate security.

LavaMoat and Endo advance release automation, ScorchWrap, and SES lockdown for mobile

The LavaMoat monorepo is switching to npm workspaces and release-please for release management, which will make LavaMoat releases automated and much faster. The ScorchWrap webpack plugin now supports multiple entry points and chunks, and enforcing policy on module requirements is implemented; the remaining work for the first beta is enforcing policy on globals. Meanwhile, SES lockdown is being split into two stages to allow "Vetted Shims" to be applied to intrinsics after repair but before freezing—a change that should improve compatibility and clear one of the final blockers to running MetaMask Mobile with lockdown. On mobile, SES continues locking down pre-bundle and allowing reflect-metadata as a trusted shim, since it is a direct dependency of @consensys/on-ramp-sdk used as a higher-order component wrapped around the Settings screen.

Typosquatted Ethereum npm package steals private keys, the kind of attack LavaMoat targets

Phylum reported in early August 2023 that it had been alerted to a series of suspicious npm publications, including a typosquat of a popular cryptocurrency library and a dependency that hid malicious code deep in a large file that most developers would never scrutinize. The package exfiltrated private keys to a remote server—precisely the kind of software supply chain attack that LavaMoat is designed to mitigate.


MetaMask's August 2023 Crypto Security Report covered the launch of Seal 911, a cross-organization Telegram hotline for crypto emergencies, a bold new security-first direction for Snow, and a typosquatted Ethereum npm package that stole private keys. Browse previous editions of the MetaMask Crypto Security Report for more threats, trends, and tips for staying safe across the ecosystem.

  • Luker
    Luker

      Jen Luker, known by most as just Luker, is the Director of Product Security at Consensys, where she leads the frontline defenders who protect millions of users from vulnerabilities, emerging threats, and malicious actors across decentralized tech. An active participant in the Ethereum ecosystem since 2017, she has held key roles including Editor at ETHNews and Project Manager at MyCrypto. Luker is a regular speaker at industry conferences, the author of MetaMask's monthly Crypto Security Report, and an official ETH Security Badge holder as designated by The DAO. She's also a passionate advocate for continuous education and security awareness as essential pillars for the future of Ethereum and blockchain technology.

      Читать все статьи