Crypto Security Report: September 2023

Featuring the MetaMask Snaps open beta, roughly $35 million in thefts possibly linked to Secret Recovery Phrases stored in LastPass, the Pink Drainer SIM-swap attack on Vitalik Buterin, and a calldata allowlist to curb DNS hijacking losses.

6 minutes
Crypto Security Report: September 2023

Each month, MetaMask Security Director Luker reports on the latest crypto attacks and emerging risks that you need to know about.

In September 2023,  MetaMask launched the open beta of Snapsbringing permissionless, customizable security to the wallet. We also shared self-custody  education created in partnership  Ledger, and hosted aState of Security space with Wallet Guard. On the tooling side, LavaMoat ramped up its releases, added Node 20 support, and readied ScorchWrap for beta. And, MetaMask’sGal Weizman and Zbigniew Tenerowicz presented on hardened JavaScript and browser realms at W3C's Secure the Web Forward. On the threat side, Taylor Monahan linked roughly $35 million in thefts to Secret Recovery Phrases stored in LastPass, and we detailed how the Pink Drainer group's SIM-swap attack compromised Vitalik Buterin's account. The full breakdown is below, but first...

Luis von Ahn is a Guatemalan computer scientist who co-invented CAPTCHA and reCAPTCHA—the challenge-response tests that distinguish humans from bots and help protect web services from automated abuse—and pioneered the idea of human computation. He later co-founded Duolingo. His work sits at a foundational layer of everyday web security: proving, cheaply and at scale, that there's a real person on the other end.

MetaMask launches the Snaps open beta, with security Snaps in the directory

MetaMask launched the open beta of Snaps on September 12, 2023, expanding customizable security options within the wallet based on user preferences and needs.. Snaps are features and functionalities built by third-party developers that users can install directly into their wallet (metamask.io/snaps). This open beta is aimed at power users and early adopters as a starting point. Several security-focused Snaps are already available in the audited Snaps Directory. Every Snap in the official directory is reviewed and vetted by MetaMask's team and external auditors. In an accompanying thread, Christian Montoya of MetaMask Snaps shared basic tips for optimizing MetaMask security and highlighted Snaps in the beta that can help protect users from risky transactions.

MetaMask and Ledger publish a self-custody security lesson

MetaMask in collaboration with Ledger, published a web3 security lesson covering the responsibility that comes with self-custody, how to avoid common attack vectors, and the importance of using a hardware wallet. To promote the lesson, MetaMask senior security researcher Miles Nolan joined colleagues from MetaMask and Ledger to co-host a live X Space on September 20, 2023.

MetaMask and Wallet Guard host a Q3 State of Security Space

 MetaMask and Wallet Guard hosted a joint X Space on the state of security, Wallet Guard's Ohm, Martin, and Michael were joined by Marco Menozzi (MetaMask Security) and Christian Montoya (MetaMask Snaps) to discuss device security, social engineering, data breaches, SIM swapping, scam ads, and MetaMask Snaps. Wallet Guard also shared a written recap of the recording.

HackerOne's Ambassador World Cup semifinals bug-hunt MetaMask, Shopify, and Tinder

HackerOne kicked off the semi-finals of its Ambassador World Cup on September 27, 2023, with 4 teams bug-hunting for partners including MetaMask, Shopify, and Tinder as they work to secure their products and protect customers.

A calldata allowlist aims to cut DNS hijacking losses

Over the past 3 years, more than $125 million has been extracted through DNS hijacking and malicious content injection. MetaMask is adopting a solution created by the Yearn team: a blockchain calldata allowlist that prevents malicious actors from harming users in the event of a DNS hijack. MetaMask's developer relations team is reaching out to third parties whose participation will be vital to the initiative; more detail is in a public document that links to the proof-of-concept repo, alongside a short explainer video featuring Miles Nolan.

LavaMoat update: faster releases, Node 20 support, ScorchWrap beta, and mobile lockdown

Improvements to the release process have made releasing trivial, so a higher release cadence is now the norm. A change to how tests are structured got them passing on Node 20, which is now officially supported. The ScorchWrap plugin is ready for beta and will be announced at two remote developer events, with the beta program running in the LavaMoat discussions. Lockdown in MetaMask Mobile is now working and should be released soon.

Gal Weizman and Zbigniew Tenerowicz present at W3C's Secure the Web Forward

At W3C's "Secure the Web Forward" event, Zbigniew Tenerowicz presented on applying hardened JavaScript to supply chain security for a proactive defense, and Gal Weizman presented on how JavaScript realms are used to bypass existing web app security tools. In a related paper on the "same origin concern," Weizman—who maintains the Snow JS project—describes the lack of control apps have over new realms that arise under their own origin, why current efforts to address it fall short, and how a browser-native solution could ship a secure, performant fix; the paper was presented to the W3C security working group this month.

Secret Recovery Phrases stored in LastPass linked to ~$35 million in stolen funds

A string of high-value thefts of approximately  $35 million in stolen funds may be linked to a breach disclosed by LastPass almost a year earlier. MetaMask's Taylor Monahan has followed the clues since December 2022, noting that the victims "truly all are reasonably secure" and "deeply integrated into this ecosystem"—including employees of reputable crypto organizations, venture capitalists, and people who built DeFi protocols, deploy contracts, and run full nodes. The main throughline she found is that the victims had used LastPass to store their Secret Recovery Phrases at some point, and her advice was blunt: don't keep all your assets under a single key or phrase for years—split up assets, get a hardware wallet, and migrate now. Krebs on Security has more.

ERC-7512 proposes an onchain standard for smart contract audits

A proposal for ERC-7512 aims to represent smart contract audits onchain. By letting users and apps verify audits conducted by reputable auditors, the standard would establish an onchain reputation system for auditors and help build a more trustworthy environment for relying on smart contracts.

Rekt's "Gone Phishing" and the Pink Drainer attack on Vitalik Buterin

Rekt's "Gone Phishing" rounds up a stretch of scams spanning compromised front-ends, pig butchering, an eight-figure onchain blunder, and hacked accounts belonging to public figures and even government agencies—including the high-profile SIM-swap drainer attack on Vitalik Buterin. For more on the group behind it, Boring Security documented Pink Drainer's methods after Buterin's account was compromised on September 10, 2023.


MetaMask's September 2023 Crypto Security Report covered the open beta launch of MetaMask Snaps, roughly $35 million in thefts that Taylor Monahan linked to Secret Recovery Phrases stored in LastPass, and the Pink Drainer SIM-swap attack that compromised Vitalik Buterin's account. Browse previous editions of the MetaMask Crypto Security Report for more threats, trends, and tips for staying safe across the ecosystem.

  • Luker
    Luker

      Jen Luker, known by most as just Luker, is the Director of Product Security at Consensys, where she leads the frontline defenders who protect millions of users from vulnerabilities, emerging threats, and malicious actors across decentralized tech. An active participant in the Ethereum ecosystem since 2017, she has held key roles including Editor at ETHNews and Project Manager at MyCrypto. Luker is a regular speaker at industry conferences, the author of MetaMask's monthly Crypto Security Report, and an official ETH Security Badge holder as designated by The DAO. She's also a passionate advocate for continuous education and security awareness as essential pillars for the future of Ethereum and blockchain technology.

      Читать все статьи