Crypto Security Report: January 2023

Featuring address poisoning attacks that exploit lookalike wallet addresses, a deep dive on read-only reentrancy as an emerging DeFi attack vector, LavaMoat's new LavaTube object-graph tool, and RATs hidden in fake game downloads.

5 minutes
Crypto Security Report: January 2023

Each month, MetaMask Security Director Luker reports on the latest crypto attacks and emerging risks that you need to know about.

January 2023 saw MetaMask’s LavaMoat expand its security toolbox—introducing LavaTube for recursive object-graph analysis, adding a VR dependency explorer, moving global scuttling into the MetaMask Extension development branch, and shipping cross-browser support for Snow—while Endo brought its LavaMoat-style policy support to final review. On the threat side, address poisoning scams gained traction by seeding victims' transaction histories with lookalike addresses, security researchers spotlighted read-only reentrancy as an emerging DeFi attack vector, and warnings circulated about remote access trojans hidden in fake game downloads and a Chrome flaw abused through fake wallet sites. The full breakdown is below, but first...

Joan Clarke (1917–1996) was the only woman known to perform Banburismus—the sequential Bayesian cryptanalytic process developed by Alan Turing to reduce the workload of Enigma decryption machines at Bletchley Park during World War II. Clarke's ability to detect subtle statistical patterns in seemingly random data parallels the challenge facing self-custodial wallet users who must distinguish legitimate addresses from near-identical forgeries in address poisoning attacks. Clarke was awarded an MBE in 1946 for her contributions to wartime intelligence.

Address poisoning scams use lookalike wallet addresses to trick users

Address poisoning gained traction as a scam technique heading into 2023. Attackers generate wallet addresses that share the same first and last few characters as a target's legitimate contacts, then send zero-value or negligible token transfers to the target. These transactions appear in the victim's transaction history, and when the victim later copies an address from that history—relying on matching the first and last characters rather than verifying the full string—they unknowingly send funds to the attacker. The scam exploits the practical impossibility of memorizing full 42-character hexadecimal addresses and the common habit of verifying only address prefixes and suffixes.

Editor's note: MetaMask Address Poisoning Detection is now live for all users.

Read-only reentrancy emerges as a DeFi attack vector targeting price oracles

Read-only reentrancy—a variant of the classic reentrancy attack—drew increased attention among Solidity developers in January 2023. Unlike traditional reentrancy, which targets state-modifying functions, read-only reentrancy exploits view functions that report prices or balances. During a callback window within a state-changing transaction, an attacker triggers a read on a view function that returns stale or inconsistent data, and protocols relying on those values for price oracles or collateral calculations then act on manipulated prices. Security researcher bytes032 published a widely shared thread on January 20, 2023 breaking down the vulnerability, released through the newly formed Web3Security DAO.

LavaTube provides recursive JavaScript object graph walking for security research

LavaMoat introduced @lavamoat/lavatube, a tool that recursively visits every property of every value accessible from a given starting reference in a JavaScript object graph. The MetaMask security research team uses LavaTube to identify dangerous reference leakages—cases where objects or APIs intended to be isolated inadvertently expose paths to powerful globals or sensitive data in the apps they defend.

LavaMoat ships VR dependency explorer, global scuttling, and cross-browser Snow

@lavamoat/viz gained a new VR mode allowing developers to explore their project's dependency graph in an immersive three-dimensional environment. Separately, global scuttling—which removes powerful built-in functions from the window after LavaMoat captures them for policy-based endowment—was introduced into the MetaMask Extension development branch. Once shipped, even a malicious React component that reaches the window would find the powerful functions already gone. @lavamoat/snow, LavaMoat's realm security tool, also added support for all major browsers in its latest release, giving MetaMask full visibility into all realms on both Chrome and Firefox.

Endo nears LavaMoat-style policy support with a secure bundler in review

The Endo project reached final review of its first iteration of LavaMoat-style policy support. Minor features remained for full parity with LavaMoat policies, but no breaking changes were planned. An early implementation of a secure bundler that controls scopes without relying on eval—eliminating a common attack surface in JavaScript module systems—was also in review.

Fake game downloads warned as a vector for remote access trojans

On January 17, 2023, MetaMask security researcher harry.eth (@sniko_) warned of an anticipated resurgence of remote access trojans (RATs) distributed through fake game downloads. The social engineering pattern involves an attacker posing as a representative of a metaverse game project, offering free tokens in exchange for "testing" a game client that is actually a RAT installer. Once installed, a RAT can give an attacker full remote access to the victim's device, typically followed by DeFi phishing to drain tokens.

Wallet Guard flags a Chrome flaw abused through fake wallet download sites

Wallet Guard warned users to be careful with downloads after documenting a Google Chrome vulnerability that could be used to steal crypto wallet data. The flaw, fixed on November 29, 2022 in Chrome 108, required a victim to visit a fake crypto wallet website and "download" their Secret Recovery Phrase, after which the attacker could abuse symbolic link files. The core guidance: don't download random files from untrusted sources.


MetaMask's January 2023 Crypto Security Report covered address poisoning scams that seed transaction histories with lookalike addresses, read-only reentrancy emerging as a distinct DeFi attack vector, and LavaMoat's introduction of LavaTube for surfacing dangerous reference leakages in JavaScript object graphs. Browse previous editions of the MetaMask Crypto Security Report for more threats, trends, and tips for staying safe across the ecosystem.

  • Luker
    Luker

      Jen Luker, known by most as just Luker, is the Director of Product Security at Consensys, where she leads the frontline defenders who protect millions of users from vulnerabilities, emerging threats, and malicious actors across decentralized tech. An active participant in the Ethereum ecosystem since 2017, she has held key roles including Editor at ETHNews and Project Manager at MyCrypto. Luker is a regular speaker at industry conferences, the author of MetaMask's monthly Crypto Security Report, and an official ETH Security Badge holder as designated by The DAO. She's also a passionate advocate for continuous education and security awareness as essential pillars for the future of Ethereum and blockchain technology.

      Tüm makaleleri oku