Crypto Security Report: June 2023

Featuring the inaugural MetaMask and Wallet Guard State of Security Twitter Space, Harry Denley on smart contract security, an explainer on LavaMoat's scuttling feature, and a preview of the Menpo DeFi incident database at DeFi Security Summit.

6 minutes
Crypto Security Report: June 2023

Each month, MetaMask Security Director Luker reports on the latest crypto attacks and emerging risks that you need to know about.

This month, our team joined Wallet Guard for a State of Security Twitter Space on the state of crypto security, and Consensys's Harry Denley shared smart contract security best practices. Gal Weizman and Zbigniew Tenerowicz broke down how LavaMoat's "scuttling" and sandboxing defend against JavaScript supply chain attacks, and Herman Junge previewed Menpo, a new DeFi incident database, ahead of the DeFi Security Summit. We also rounded up learning resources, from DeFiHackLabs to the OWASP API Security Top 10. The full breakdown is below, but first...

Bruce Voeller (1934–1994) was an American biologist and gay rights activist widely credited with coining the term "AIDS." He founded the Mariposa Education and Research Foundation, where he studied HIV transmission and the effectiveness of protective measures. Voeller's insistence on rigorous, evidence-based research to protect people at risk reflects the same standard that sound security work demands: test the assumptions, then act on the data.

Inside the MetaMask x Wallet Guard State of Security Twitter Space

Our team joined Wallet Guard for the State of Security: MetaMask x Wallet Guard Twitter Space, led by Taylor Monahan, for a deep discussion of crypto security. The conversation covered the evolution of threats, the importance of open sourcing, and the Atomic Wallet incident, among other topics. It gave listeners a candid, behind-the-scenes look at how both teams think about protecting users in a fast-moving threat landscape.

MetaMask Security’s Harry Denley shares smart contract security best practices

In an edition of Coffee With Calyptus, Harry Denley, a security expert at Consensys, shared best practices for smart contract security and highlighted two MetaMask projects: MetaMask Snaps, which extends MetaMask's capabilities in a secure environment, and LavaMoat, which provides runtime protections within the JavaScript ecosystem. Denley emphasized balancing security with functionality: because smart contracts are immutable, security should be prioritized and any added functionality tested rigorously, with a gradual increase in the value locked in a new contract as one way to protect users. His recommended practices included secure design principles, trusted libraries like OpenZeppelin, a security-oriented developer mindset, comprehensive testing, professional code reviews, and continuous education on emerging risks.

Herman Junge to introduce Menpo, a STIX 2.1 DeFi incident database, at DeFi Security Summit 2023

At the DeFi Security Summit in Paris on July 15, 2023,Herman Junge will introduce Menpo, a project that uses STIX 2.1 to standardize the cataloging of DeFi incidents, as announced by the summit. By providing a shared lexicon for describing incidents, Menpo promotes cross-organizational threat intelligence sharing, enabling more efficient allocation of security resources and real-time sharing of incident reports as they unfold.

Zbigniew Tenerowicz's talk on JavaScript supply chain defense

In a DevSecConf24 talk, Zbigniew Tenerowicz (ZB) tackled the challenging question of whether to run or not code from strangers. Despite the inherent risks, he acknowledged that it's a practice that's regularly undertaken in the tech world. He explored the realm of JavaScript projects, particularly examining how they can proactively safeguard themselves from supply chain attacks. This proactive defense was discussed under the assumption that a downloaded dependency has already shipped with a malicious dependency. ZB suggested methods such as restricting access to globals for each package and controlling a package's ability to access the network or file system.

Moreover, he addressed the important issue of eradicating prototype pollution, a common vulnerability in JavaScript projects. ZB also turned his attention to future JavaScript features, particularly those currently under discussion in TC39. He demonstrated how these emerging features can be harnessed to protect projects in the present. To provide a more practical understanding, ZB offered an engaging live demonstration, showing how to execute actual malware safely, thus emphasizing the importance and effectiveness of the defensive measures discussed.

Gal Weizman explains LavaMoat's "scuttling" feature

Gal Weizman explained LavaMoat's "scuttling" in plain terms. Apps depend on tons of third-party code, and any piece could go rogue. LavaMoat sandboxes each dependency with SES so it only gets what it needs. But if one escapes and reaches the global window object — where the powerful APIs are — that's a problem. Scuttling removes those APIs from window, so an escaped dependency hits a dead end. The app keeps working; the attacker doesn't.

LavaMoat update: React Summit talk, React Native mobile progress, Snow, and ScorchWrap

Beyond the DevSecConf24 talk, a video on the same topic from React Summit 2023 on Git Nation, also presented by Zbyszek, became available on July 5, 2023. On the mobile side, a deep dive into React Native iOS native animation code (following a previous investigation) traced assertion macros failing on parent and child nodes to failed WebView page loads on navigation, ultimately linked to excluding React Native's global Promise polyfill in favor of native JSC Promises—currently necessary to boot a locked-down MetaMask mobile with a populated root view. Next steps include fixing the remaining Detox iOS end-to-end smoke tests and then accommodating Android via Appium. Elsewhere, Snow received updates fixing more potential workarounds, and the ScorchWrap webpack plugin's webpack-specific part is stabilizing, clearing the way to start integrating LavaMoat features.

Learning resources: DeFiHackLabs, NFT attack vectors, and the OWASP API Top 10

While NFTs have become increasingly popular, there isn't much clear and easy-to-understand information about them readily available, which makes them a frequent target for scammers and hackers. This report highlighted several learning resources. SunWeb3Sec/DeFiHackLabs reproduces DeFi hack incidents using Foundry—233 incidents to date—alongside an analysis of root causes of incidents and a companion repo for learning common smart contract vulnerabilities. Quillhash/NFT-Attack-Vectors, maintained by QuillAudits, catalogs common methods used to exploit NFTs. And the OWASP API Security Top 10 for 2023 lists the API risks builders should guard against this year.


MetaMask's June 2023 Crypto Security Report covered the inaugural MetaMask and Wallet Guard State of Security Twitter Space, Harry Denley's smart contract security best practices on Coffee With Calyptus, and an explainer on LavaMoat's "scuttling" feature for defending against JavaScript supply chain attacks. Browse previous editions of the MetaMask Crypto Security Report for more threats, trends, and tips for staying safe across the ecosystem.

  • Luker
    Luker

      Jen Luker, known by most as just Luker, is the Director of Product Security at Consensys, where she leads the frontline defenders who protect millions of users from vulnerabilities, emerging threats, and malicious actors across decentralized tech. An active participant in the Ethereum ecosystem since 2017, she has held key roles including Editor at ETHNews and Project Manager at MyCrypto. Luker is a regular speaker at industry conferences, the author of MetaMask's monthly Crypto Security Report, and an official ETH Security Badge holder as designated by The DAO. She's also a passionate advocate for continuous education and security awareness as essential pillars for the future of Ethereum and blockchain technology.

      Читать все статьи