More from Taylor Monahan on the investigation started last month into a mysterious hack targeting long-time crypto users. Imitators who aren’t flattering us....
Ada Lovelace, considered the Mother of the Computer, 1815-1852
LavaMoat Update
Merged 27 individual pull requests with dependency updates across LavaMoat packages. Updated versions included fixes for known vulnerabilities.
Minor releases with updated dependencies and fixes for Node.js 18 compatibility.
Continued work on the ScorchWrap webpack plugin, with progress on including the runtime into the bundle itself and findings about compatibility with other plugins.
Continued work on locking down MetaMask mobile, and on dealing with the uncaught exceptions (TypeErrors thrown by libraries, including ethjs) that surface when debugging with Chrome V8.
Progress on “scuttling”: the feature that disables access to common globals for the entire window, as a backstop in case the endowments granted to a package were too wide.
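To make the idea behind scuttling concrete, here is an added illustration that is not LavaMoat's own code: once a package has been handed the globals it legitimately needs (its endowments, here a plain allowlist), every other configurable property of the global object is replaced with an accessor that throws, so a compromised dependency that tries to reach `fetch` or `localStorage` through the window gets an error instead of the real object. The `makeFakeWindow` object and the `probeAccess` helper are constructed for this example so it runs offline without touching the real `globalThis`.

```javascript
// Added example (not LavaMoat's code): a minimal "scuttle" pass over a
// global object. Properties on the allowlist are kept; every other
// configurable property is replaced with throwing get/set accessors.
// Non-configurable properties (e.g. `undefined`, `NaN` on a real window)
// cannot be redefined and are reported so the caller can audit them.
function scuttle(globalObj, allowlist) {
  const allowed = new Set(allowlist);
  const scuttled = [];
  const skipped = [];
  for (const name of Reflect.ownKeys(globalObj)) {
    if (typeof name !== 'string' || allowed.has(name)) continue;
    const desc = Reflect.getOwnPropertyDescriptor(globalObj, name);
    if (!desc || !desc.configurable) {
      skipped.push(name); // left in place: we cannot change it
      continue;
    }
    const deny = () => {
      throw new Error(`scuttled: access to global "${name}" is blocked`);
    };
    Object.defineProperty(globalObj, name, {
      get: deny,
      set: deny,
      enumerable: desc.enumerable,
      configurable: false, // lock it so nothing can un-scuttle it later
    });
    scuttled.push(name);
  }
  return { scuttled: scuttled.sort(), skipped: skipped.sort() };
}

// Constructed stand-in for a browser window, so the example never
// modifies the real global object of the process running it.
function makeFakeWindow() {
  const win = {
    fetch: () => 'network response',
    XMLHttpRequest: function XMLHttpRequest() {},
    localStorage: { getItem: () => 'stored value' },
    console: { log: () => {} },
    setTimeout: (fn) => fn(),
  };
  // A non-configurable property, like `undefined` on a real window.
  Object.defineProperty(win, 'frozenValue', {
    value: 42, writable: false, configurable: false, enumerable: true,
  });
  return win;
}

// Reports whether reading a given global through the window succeeds.
// This is what a package's code would experience after scuttling.
function probeAccess(win, name) {
  try {
    void win[name];
    return 'allowed';
  } catch (err) {
    return 'blocked';
  }
}

// Worked run: the package was endowed only with console and setTimeout.
function demo() {
  const win = makeFakeWindow();
  const report = scuttle(win, ['console', 'setTimeout']);
  return {
    report,
    fetch: probeAccess(win, 'fetch'),
    localStorage: probeAccess(win, 'localStorage'),
    console: probeAccess(win, 'console'),
    frozenValue: probeAccess(win, 'frozenValue'),
  };
}
```

Calling `demo()` returns the scuttle report alongside per-global access results: `fetch` and `localStorage` come back `blocked`, the endowed `console` stays `allowed`, and `frozenValue` is listed under `skipped` because a non-configurable property cannot be redefined. That last case is the practical caveat: scuttling is a backstop for over-wide endowments, not a substitute for choosing them carefully, because some globals can only be left as they are.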
Eval all the Strings! - Hardened JavaScript by Zbigniew Tenerowicz
MetaMask’s Zbigniew, or ZB for short, gave a talk in April for Node Congress in Berlin, and the anticipated video has been posted!
“This talk is about SecureEcmaScript and Compartments, which are TC39 proposals, and I'm working on tooling to make these concepts usable with people championing those proposals. This is a first-hand account of the future of JavaScript security. SES + tooling (LavaMoat or Endo) is making limiting access to network, fs, core modules or globals possible on a per-package basis. I want to show how they work, what possibilities they open and how to make that future happen today with some effort. To me this is the final step in securing npm supply chain - even if a package gets taken over by bad actors, it won't be able to hurt me.”
From The Defiant: Maker of first Ethereum Wallet Taylor Monahan Explains $10M Hack and How to Stay Safe in Crypto
In April, Taylor Monahan and Harry Denley from MetaMask began an investigation into a massive multichain offensive that targeted crypto veterans. Along with breaking down the hack and offering tips on how to protect yourself, Taylor explores the concepts of “code is law” and “blockchain is immutable.”
The attackers, likely a single group, used an unusual method: they swapped the assets they were stealing within the victim’s wallet first, and only then sent them to a DEX. How the 300 affected individuals had their recovery phrases exposed remains unknown, and the attack is assumed not to have been typical phishing activity.
Additionally, Taylor summarizes the evolution and current state of attacks and defenses in the space, and gives recommendations on how to be more secure, including using a hardware wallet and spreading your holdings across multiple wallets.
Wallet Drain and Seedphrase Compromises
If your wallet does get drained, you don’t have to be a security research expert to try and figure out how. @Jon_HQ posted a thorough checklist on Twitter that can guide you through your own investigation.
Getting your wallet drained sucks, but getting drained and not knowing how is even worse.
The following thread is a checklist of things to review if you get drained and can't figure out how.
A consumer alert from the Federal Trade Commission warned the public to be extra cautious about messages supposedly from services related to crypto. When dealing with any unsolicited email, avoid the urge to act quickly, regardless of what the email says. Creating a false sense of urgency is a standard scam tactic, because the scammers are counting on panic to override critical thinking.
Don’t click on any links from unsolicited emails, and update your security software regularly.
“If you get a phishing email, forward it to the Anti-Phishing Working Group at
Emails specifically from MetaMask impersonators can be forwarded to [email protected].
Many websites, emails, and social media profiles imitate MetaMask, attempting to access your accounts and steal your funds. This knowledge base article outlines how you can tell them apart from the real thing, as well as how to make sure you’re using the proper support channel.
Author:
Luker
Jen Luker, known by most as just Luker, is the Director of Product Security at Consensys, where she leads the frontline defenders who protect millions of users from vulnerabilities, emerging threats, and malicious actors across decentralized tech. An active participant in the Ethereum ecosystem since 2017, she has held key roles including Editor at ETHNews and Project Manager at MyCrypto. Luker is a regular speaker at industry conferences, the author of MetaMask's monthly Crypto Security Report, and an official ETH Security Badge holder as designated by The DAO. She's also a passionate advocate for continuous education and security awareness as essential pillars for the future of Ethereum and blockchain technology.