Crypto Security Report: August 2022

Featuring Merge-themed phishing campaigns impersonating trusted entities to trick users into fake ETH 2.0 conversions, a breakdown of crypto honeypot scam mechanics, LavaMoat-style policy enforcement, and HackerOne bounty program metrics.

4 minutes
Crypto Security Report: August 2022

Each month, MetaMask Security team reports on the latest crypto attacks and emerging risks that you need to know about.

August 2022 saw the Endo project prove out LavaMoat-style policy enforcement in its compartment mapper, the Snow tool patch multiple vulnerabilities and explore SES lockdown integration, and MetaMask's HackerOne bug bounty program pay out $22,000 across five resolved issues in its first two months. On the threat side, phishing crews seized on confusion around Ethereum's upcoming Merge, blasting emails that impersonated trusted entities like Infura and pushed a nonexistent "ETH 2.0" conversion, while the wider scam economy kept pace: an estimated 64,661 new honeypot tokens launched in 2022, up 83% over 2021. The full breakdown is below, but first... 

Leslie Lamport's 1982 paper "The Byzantine Generals' Problem" formalized the challenge of reaching consensus among distributed nodes when some may act maliciously—the exact problem that proof-of-stake and proof-of-work protocols solve to secure blockchain networks. His Paxos consensus algorithm underpins modern distributed systems, and he created LaTeX, the document preparation system used across scientific publishing. Lamport received the ACM Turing Award in 2013.

Ethereum Merge phishing campaigns impersonate trusted entities with fake ETH 2.0 conversion scams

In August 2022, scammers ramped up phishing campaigns designed to exploit confusion and uncertainty around Ethereum's Merge network upgrade (completed September 15, 2022). Sophisticated emails impersonating trusted entities like Infura circulated, encouraging users to "convert their ETH to ETH 2.0"—a nonexistent token. The Merge transitioned Ethereum from proof-of-work to proof-of-stake and required no user action: no token swap, no new wallet, and no ETH migration. On the verge of the merge, Consensys published myth-busting content to counter the misinformation. Users who held ETH in an EVM-compatible self-custodial wallet, like MetaMask, did not need to take any action following the  Merge network upgrade.

Crypto honeypot scams use hidden smart contract restrictions to trap buyer funds

Consensys published a guide to honeypot scam mechanics explaining how attackers deploy smart contracts that appear to offer profitable trading opportunities but contain hidden code preventing buyers from selling. The contract allows purchases, driving the token price up, while a concealed restriction blocks all sell transactions except those from the deployer's address. Common red flags include tokens with no sell history, unverified contract source code, and single-wallet liquidity pools.

Endo compartment mapper proves LavaMoat-style policy enforcement in proof of concept

The Endo project completed a proof of concept integrating LavaMoat-style security policy into its compartment mapper. The experiment demonstrated selective endowment of globals and controlled access to dependencies, with the policy defined at load time or during archive creation, embedded into the compartment mapper, and enforced during the linking phase. Planned follow-up work included improvements to package identifiers, nested property support in policy globals, wrapping and unwrapping of these values for endowed functions, and further experimentation with built-in attenuation.

Snow patches multiple vulnerabilities and explores SES lockdown integration

Snow, the LavaMoat tool that enforces recursive security policy across all iframes and windows created within a web application, underwent a round of testing and exploitation. Multiple vulnerabilities were identified and patched, with one triggering a major improvement to Snow's internal security architecture. The fix opened the possibility of integrating SES lockdown()—the Secure ECMAScript hardening function—to further strengthen Snow's defense against realm-based attacks. LavaMoat also began a documentation refresh across its tooling.

HackerOne bug bounty awards $22,000 across 5 resolved issues in first two months

Our bug bounty program on HackerOne, launched on June 13, 2022, received 171 reports in its first two months. The average first-response time was 5 hours. Five issues were resolved—1 High, 3 Medium, and 1 Low severity—with $22,000 awarded to reporters. The Mean Time to Repair across those issues was 44.4 days. In-scope assets included MetaMask Extension (MetaMask/metamask-extension) and MetaMask Mobile (MetaMask/metamask-mobile).

Resolved bug bounty issues (first two months):

Report Date

Severity

Closing Date

Time to Repair (days)

Category

Sub Category

Bounty

June 8, 2022

Low

July 18, 2022

40

Extension

Phishing Page

$1,000

June 3, 2022

Medium

August 10, 2022

68

Mobile

Browser

$2,000

June 9, 2022

Medium

June 20, 2022

11

MetaMask

Supply Chain

$2,000

June 10, 2022

Medium

August 10, 2022

61

Mobile

Configuration

$2,000

June 29, 2022

High

August 10, 2022

42

Mobile

Browser

$15,000

MTTR

44.40


MetaMask’s August 2022 Crypto Security Report covered Ethereum Merge phishing campaigns impersonating trusted entities with fake ETH 2.0 conversion scams, crypto honeypot scam mechanics with an estimated 64,661 new honeypot tokens deployed in 2022, and Endo's proof-of-concept integration of LavaMoat-style policy enforcement into its compartment mapper. Browse previous editions of the MetaMask Crypto Security Report for more threats, trends, and tips for staying safe across the ecosystem.

  • Luker
    Luker

      Jen Luker, known by most as just Luker, is the Director of Product Security at Consensys, where she leads the frontline defenders who protect millions of users from vulnerabilities, emerging threats, and malicious actors across decentralized tech. An active participant in the Ethereum ecosystem since 2017, she has held key roles including Editor at ETHNews and Project Manager at MyCrypto. Luker is a regular speaker at industry conferences, the author of MetaMask's monthly Crypto Security Report, and an official ETH Security Badge holder as designated by The DAO. She's also a passionate advocate for continuous education and security awareness as essential pillars for the future of Ethereum and blockchain technology.

      Tüm makaleleri oku