Crypto Security Report: July 2022

Featuring LavaMoat's launch of three experimental browser security tools targeting prototype pollution and cross-realm attacks, a fake $UNI airdrop that phished over 73,000 LP addresses, and a YouTube-based MEV frontrunning bot scam.

4 minutes
Crypto Security Report: July 2022

Each month, MetaMask Security Director Luker reports on the latest crypto attacks and emerging risks that you need to know about.

July 2022 saw the LavaMoat project release three experimental browser-defense tools—Securely, Snow, and Across—to blunt prototype pollution and cross-realm JavaScript attacks, while the Endo project closed its long-running CommonJS support roadmap. On the threat side, MetaMask security researcher harry.eth flagged a fake $UNI airdrop that phished 73,399 Uniswap liquidity providers for roughly $8 million, alongside a YouTube scam pushing fake MEV frontrunning bots whose obfuscated Solidity contracts drained deposited ETH. MetaMask also published a guide to avoiding NFT scams across Discord, Twitter, and Telegram, and its HackerOne bug bounty program kept accepting reports. The full breakdown is below, but first... 

Ralph Merkle co-invented public-key cryptography alongside Whitfield Diffie and Martin Hellman in the 1970s, and independently devised Merkle's Puzzles as an undergraduate at UC Berkeley. His 1979 Stanford doctoral thesis introduced Merkle trees (hash trees) and the Merkle-Damgard construction, which underpins the hash functions used in blockchain verification, digital signatures, and the integrity checks that self-custodial wallet software relies on. Merkle received the IEEE Richard W. Hamming Medal in 2010 and was inducted into the National Inventors Hall of Fame in 2011.

LavaMoat launches Securely, Snow, and Across for browser-level JavaScript defense

MetaMask's open-source LavaMoat project released 3 experimental tools designed to defend browser-based applications against JavaScript supply chain attacks:

Securely preserves exclusive access to native browser APIs (such as fetch) even if third-party code running in the same execution context has tampered with them via prototype pollution or man-in-the-browser (MITB) techniques. Snow intercepts every newly created iframe or realm within a web application and applies the same security policy enforced on the top-level window, closing a common attacker technique of spawning fresh iframes to obtain untampered API references. Snow is built on top of Securely. Across establishes a secured communication channel between two scripts attached to the same DOM, identified by their source URL, without requiring a server-side intermediary. Across uses both Securely and Snow to protect the channel.

All three tools were released as experimental. Demos are available for Securely, Snow, and Across.

Endo closes CommonJS support roadmap with final fixes

The Endo project merged final fixes for CommonJS module support and closed the CommonJS support tracking issue (endojs/endo #1055) that had been open since early 2022. Ongoing work on the TC39 module specification raised questions about whether virtualized module loaders should support importing CommonJS modules with specific getter and setter requirements. Further research in this area may prompt additional changes to Endo's CommonJS support or position it as prior art for the specification.

Fake $UNI airdrop phishes 73,399 Uniswap LP addresses

On July 11, 2022, our security researcher harry.eth flagged a phishing campaign that sent a malicious token to 73,399 addresses that had provided liquidity on Uniswap, impersonating a $UNI airdrop. The attack originated from address 0xcf39b7793512f03f2893c16459fd72e65d2ed00c and began approximately two hours before detection. Users who interacted with the token were prompted to sign a setApprovalForAll() transaction, granting the attacker access to drain their LP positions. The campaign ultimately extracted approximately $8 million from victims. The vulnerability was not in the Uniswap protocol itself.

YouTube MEV frontrunning bot tutorials used to steal crypto

In July 2022, our security researcher harry.eth also flagged a scam tutorial circulating on YouTube with 97,000 views on a channel with 26,400 subscribers. The videos, typically titled "How to make $XXX/day on Uniswap," instructed users to deploy a Solidity contract described as an MEV frontrunning bot. The deployed contract contained obfuscated code that, when funded, transferred the deposited ETH directly to the attacker's wallet. The scam capitalized on legitimate MEV terminology to appear credible.

MetaMask publishes guide on avoiding NFT scams

We published a support article on how to avoid NFT scams, covering common attack vectors across Discord, Twitter, and Telegram where scammers exploit NFT community channels to phish holders. The article covers malicious mint links, fake airdrop announcements, compromised community manager accounts, and DM-based social engineering. Key guidance includes verifying URLs against official project sites, disabling DMs in community Discords, and treating unexpected NFTs in a wallet as potential phishing vectors.

HackerOne bug bounty program update

Our bug bounty program on HackerOne continued accepting reports covering the MetaMask Extension (GitHub repository) and MetaMask Mobile (GitHub repository).


MetaMask’s July 2022 Crypto Security Report covered LavaMoat's launch of three experimental browser defense tools—Securely, Snow, and Across—targeting prototype pollution and cross-realm JavaScript attacks, a fake $UNI airdrop that phished over 73,000 Uniswap LP addresses for approximately $8 million, and YouTube-based MEV bot tutorial scams using obfuscated Solidity contracts to drain deposited ETH. Browse previous editions of the MetaMask Crypto Security Report for more threats, trends, and tips for staying safe across the ecosystem.

  • Luker
    Luker

      Jen Luker, known by most as just Luker, is the Director of Product Security at Consensys, where she leads the frontline defenders who protect millions of users from vulnerabilities, emerging threats, and malicious actors across decentralized tech. An active participant in the Ethereum ecosystem since 2017, she has held key roles including Editor at ETHNews and Project Manager at MyCrypto. Luker is a regular speaker at industry conferences, the author of MetaMask's monthly Crypto Security Report, and an official ETH Security Badge holder as designated by The DAO. She's also a passionate advocate for continuous education and security awareness as essential pillars for the future of Ethereum and blockchain technology.

      Tüm makaleleri oku