Each month, MetaMask Security Director Luker reports on the latest crypto attacks and emerging risks that you need to know about.
July 2022 saw the LavaMoat project release three experimental browser-defense tools—Securely, Snow, and Across—to blunt prototype pollution and cross-realm JavaScript attacks, while the Endo project closed its long-running CommonJS support roadmap. On the threat side, MetaMask security researcher harry.eth flagged a fake $UNI airdrop that phished 73,399 Uniswap liquidity providers for roughly $8 million, alongside a YouTube scam pushing fake MEV frontrunning bots whose obfuscated Solidity contracts drained deposited ETH. MetaMask also published a guide to avoiding NFT scams across Discord, Twitter, and Telegram, and its HackerOne bug bounty program kept accepting reports. The full breakdown is below, but first...
Featured STEM pioneer: Ralph Merkle, inventor of cryptographic hashing and Merkle trees
Ralph Merkle co-invented public-key cryptography alongside Whitfield Diffie and Martin Hellman in the 1970s, and independently devised Merkle's Puzzles as an undergraduate at UC Berkeley. His 1979 Stanford doctoral thesis introduced Merkle trees (hash trees) and the Merkle-Damgard construction, which underpins the hash functions used in blockchain verification, digital signatures, and the integrity checks that self-custodial wallet software relies on. Merkle received the IEEE Richard W. Hamming Medal in 2010 and was inducted into the National Inventors Hall of Fame in 2011.
LavaMoat launches Securely, Snow, and Across for browser-level JavaScript defense
MetaMask's open-source LavaMoat project released 3 experimental tools designed to defend browser-based applications against JavaScript supply chain attacks:
Securely preserves exclusive access to native browser APIs (such as fetch) even if third-party code running in the same execution context has tampered with them via prototype pollution or man-in-the-browser (MITB) techniques. Snow intercepts every newly created iframe or realm within a web application and applies the same security policy enforced on the top-level window, closing a common attacker technique of spawning fresh iframes to obtain untampered API references. Snow is built on top of Securely. Across establishes a secured communication channel between two scripts attached to the same DOM, identified by their source URL, without requiring a server-side intermediary. Across uses both Securely and Snow to protect the channel.
All three tools were released as experimental. Demos are available for Securely, Snow, and Across.
Endo closes CommonJS support roadmap with final fixes
The Endo project merged final fixes for CommonJS module support and closed the CommonJS support tracking issue (endojs/endo #1055) that had been open since early 2022. Ongoing work on the TC39 module specification raised questions about whether virtualized module loaders should support importing CommonJS modules with specific getter and setter requirements. Further research in this area may prompt additional changes to Endo's CommonJS support or position it as prior art for the specification.
Fake $UNI airdrop phishes 73,399 Uniswap LP addresses
On July 11, 2022, our security researcher harry.eth flagged a phishing campaign that sent a malicious token to 73,399 addresses that had provided liquidity on Uniswap, impersonating a $UNI airdrop. The attack originated from address 0xcf39b7793512f03f2893c16459fd72e65d2ed00c and began approximately two hours before detection. Users who interacted with the token were prompted to sign a setApprovalForAll() transaction, granting the attacker access to drain their LP positions. The campaign ultimately extracted approximately $8 million from victims. The vulnerability was not in the Uniswap protocol itself.
YouTube MEV frontrunning bot tutorials used to steal crypto
In July 2022, our security researcher harry.eth also flagged a scam tutorial circulating on YouTube with 97,000 views on a channel with 26,400 subscribers. The videos, typically titled "How to make $XXX/day on Uniswap," instructed users to deploy a Solidity contract described as an MEV frontrunning bot. The deployed contract contained obfuscated code that, when funded, transferred the deposited ETH directly to the attacker's wallet. The scam capitalized on legitimate MEV terminology to appear credible.
MetaMask publishes guide on avoiding NFT scams
We published a support article on how to avoid NFT scams, covering common attack vectors across Discord, Twitter, and Telegram where scammers exploit NFT community channels to phish holders. The article covers malicious mint links, fake airdrop announcements, compromised community manager accounts, and DM-based social engineering. Key guidance includes verifying URLs against official project sites, disabling DMs in community Discords, and treating unexpected NFTs in a wallet as potential phishing vectors.
HackerOne bug bounty program update
Our bug bounty program on HackerOne continued accepting reports covering the MetaMask Extension (GitHub repository) and MetaMask Mobile (GitHub repository).
MetaMask’s July 2022 Crypto Security Report covered LavaMoat's launch of three experimental browser defense tools—Securely, Snow, and Across—targeting prototype pollution and cross-realm JavaScript attacks, a fake $UNI airdrop that phished over 73,000 Uniswap LP addresses for approximately $8 million, and YouTube-based MEV bot tutorial scams using obfuscated Solidity contracts to drain deposited ETH. Browse previous editions of the MetaMask Crypto Security Report for more threats, trends, and tips for staying safe across the ecosystem.