MetaMask Security Monthly: June 2023

Delve into an exploration of MetaMask's crucial role in the security ecosystem, navigate the landscape of smart contract best practices, and get a preview of a practical project to standardize DeFi incidents.

by Luker, July 5, 2023

Discover the intriguing world of JavaScript protection mechanisms and learn about a unique security feature called "scuttling," implemented with the LavaMoat tool.


🎙️ MetaMask in the Security Ecosystem 🔎


State of Security: @MetaMask x @Wallet_Guard Twitter Space

The inaugural session of a quarterly Twitter Space series brought together the expertise of the MetaMask and Wallet Guard teams. Led by Taylor Monahan, they took a deep dive into Web3 security topics. The discussion covered the evolution of threats, emphasized the importance of open sourcing, and analyzed the incident related to Atomic Wallet, among other crucial topics.

This engaging dialogue marked the beginning of a periodic series at the intersection of AI and blockchain security. The audience can anticipate another informative session in September. If you're intrigued by Web3's evolving landscape, don't miss the next event.


Smart Contract Security with Harry Denley, Security Expert at Consensys

In the latest edition of Coffee With Calyptus, Harry Denley provided his insights into the best practices for smart contract security. In addition, he highlighted two impactful projects that MetaMask is working on: MetaMask Snaps, which extends the capabilities of MetaMask in a secure environment, and LavaMoat, a tool that provides runtime protections within the JavaScript ecosystem to enhance security.

Harry emphasized the importance of balancing security with functionality in smart contract design. Given the immutable nature of smart contracts, security should be prioritized, and any increase in functionality should be tested rigorously to prevent potential attack vectors. Gradually raising the limit of value locked within a new smart contract was suggested as a possible approach to enhance user protection.

When asked about best practices for secure smart contract development, Harry suggested several key considerations, including prioritizing secure design principles, utilizing trusted libraries like OpenZeppelin, fostering a security-oriented mindset among developers, implementing comprehensive testing, and engaging professional code reviews. He stressed the importance of continuous education about common security risks and staying informed about the latest industry developments.

Herman Junge to Introduce Menpo at DeFi Security Summit 2023

At the DeFi Security Summit in Paris on the 15th of July, Herman Junge will introduce Menpo, a project that utilizes STIX 2.1 to standardize DeFi incidents. This initiative promotes the sharing of threat intelligence among security analysts and researchers. Such standardization allows for more efficient allocation of resources towards information security tasks and training initiatives.

Furthermore, this approach fosters the development of a cross-organizational threat intelligence entity, enabling the real-time sharing of incident reports as they unfold. The Structured Threat Information Expression (STIX) Language, a cornerstone of Threat Intelligence, provides a shared lexicon for describing incidents in the DeFi ecosystem.

I Run Code From the Internet! With Zbigniew Tenerowicz for DevSecConf24

In his talk, Zbigniew Tenerowicz (ZB) tackled the challenging question of whether or not to run code from strangers. Despite the inherent risks, he acknowledged that it's a practice that's regularly undertaken in the tech world. He explored the realm of JavaScript projects, particularly examining how they can proactively safeguard themselves from supply chain attacks. This proactive defense was discussed under the assumption that a downloaded dependency has already shipped with a malicious dependency. ZB suggested methods such as restricting access to globals for each package and controlling a package's ability to access the network or file system.

Moreover, he addressed the important issue of eradicating prototype pollution, a common vulnerability in JavaScript projects. ZB also turned his attention to future JavaScript features, particularly those currently under discussion in TC39. He demonstrated how these emerging features can be harnessed to protect projects in the present. To provide a more practical understanding, ZB offered an engaging live demonstration, showing how to execute actual malware safely, thus emphasizing the importance and effectiveness of the defensive measures discussed.

Gal Weizman on LavaMoat

Gal Weizman writes about the unique security feature implemented by MetaMask called "scuttling" via a homegrown tool named LavaMoat. The tool is designed to protect against supply chain attacks, a serious concern due to the complex graph of dependencies that MetaMask runs on. LavaMoat achieves this by creating a separate sandbox for each dependency using Secure ECMAScript (SES) by Agoric. Each sandboxed dependency is only granted access to the specific features it needs, preventing unexpected access to sensitive features.

However, there's a chance that a dependency might manage to escape its sandbox using allowed APIs and reach the window object, potentially negating LavaMoat's protection. To counter this, MetaMask uses Compartments, also implemented in SES, to ensure that API instances provided to the sandboxes aren't the original ones from the global object. Consequently, unused original APIs can be removed from the global object, enhancing security by denying escaped dependencies access to unauthorized APIs.

This process of removing APIs and properties from the global object is termed "scuttling." It effectively makes the window object unusable but doesn't affect the app's functionality. Though theoretically sound, the application is challenging in practice, with certain properties still not scuttled. The MetaMask team provides further resources on scuttling and LavaMoat for those interested.
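The per-package global restrictions from ZB's talk and the scuttling step described above can be sketched together in plain JavaScript. This is an added example, not LavaMoat's or MetaMask's code: a plain object stands in for `window`, simple wrappers stand in for SES Compartment endowments, and the policy, package names and values are constructed for illustration.

```javascript
// Constructed stand-in for the page's real global object (`window`); all values are fake.
function makeRealm() {
  const realm = {
    fetch: (url) => `real fetch ${url}`,
    localStorage: { secret: 'placeholder' },
    console: { log: () => {} },
  };
  // A non-configurable property, standing in for ones that cannot be scuttled.
  Object.defineProperty(realm, 'location', { value: 'https://example.test', enumerable: true });
  return realm;
}

// Hypothetical per-package policy: the only globals each dependency may receive.
const policy = { 'http-pkg': ['fetch'], 'logger-pkg': ['console'] };

// Hand a package wrapped copies of its allowed globals, never the originals.
function endowmentsFor(realm, pkg) {
  const out = {};
  for (const name of policy[pkg] ?? []) {
    const original = realm[name];
    out[name] = typeof original === 'function'
      ? (...args) => original(...args)
      : Object.freeze({ ...original });
  }
  return Object.freeze(out);
}

// Scuttle: replace every remaining property of the real global with a throwing accessor.
function scuttle(realm, exceptions = []) {
  const report = { scuttled: [], skipped: [] };
  for (const name of Reflect.ownKeys(realm)) {
    if (exceptions.includes(name)) continue;
    if (!Reflect.getOwnPropertyDescriptor(realm, name).configurable) {
      report.skipped.push(name); // cannot be redefined: track it as residual exposure
      continue;
    }
    const fail = () => { throw new Error(`scuttled global "${String(name)}"`); };
    Object.defineProperty(realm, name, { get: fail, set: fail, configurable: false });
    report.scuttled.push(name);
  }
  return report;
}

function demo() {
  const realm = makeRealm();
  const http = endowmentsFor(realm, 'http-pkg');     // built before scuttling
  const logger = endowmentsFor(realm, 'logger-pkg');
  const report = scuttle(realm);
  let escaped; // models code that got hold of the real global despite its sandbox
  try { escaped = realm.localStorage.secret; } catch (e) { escaped = e.message; }
  return { granted: http.fetch('/rates'), loggerHasFetch: 'fetch' in logger, escaped, report };
}
```

The `skipped` list is the part worth reviewing in practice: it is the set of properties an escaped dependency could still reach.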

Security Laboratory


LavaMoat Update

  • More LavaMoat awareness: In addition to the DevSecConf24 above, a video on the same topic will be available July 5 from React Summit 2023 on Git Nation, also presented by Zbyszek.

  • After a deep dive into the RN iOS native animation source code from the previous investigation, the cause of assertion macros failing on parent and child nodes (thrown as exceptions executing the UI block) stems from failed WebView page loads upon navigation (also triggered by @babel/plugin-transform-runtime’s regenerator). The cause appears to be excluding RN’s global Promise polyfill (relying on native JSC Promises), a current necessity to boot locked down MetaMask mobile with a populated root view. Further work includes fixing any remaining iOS E2E smoke tests (Detox), then doing the same to accommodate Android (Appium).

  • Updates to Snow (https://github.com/LavaMoat/snow) fixing more potential workarounds.
  • ScorchWrap webpack plugin - the webpack-specific part is stabilizing. It’s time to start integrating the LavaMoat features.

Learning


SunWeb3Sec/DeFiHackLabs

Reproduction of DeFi hack incidents using Foundry. To date, 233 incidents are included. Also worth visiting are Analysis of Root Causes of Incidents and Learning of common smart contract vulnerabilities with Foundry.

Quillhash/NFT-Attack-Vectors

This repository houses a collection of attack methods often used against Non-Fungible Tokens (NFTs). While NFTs have become increasingly popular, there isn't much clear and easy-to-understand information about them readily available, which makes them a frequent target for scammers and hackers. Here, we list common ways these malicious actors may try to exploit NFTs. This list is actively updated by QuillAudits, a platform specializing in checking for weaknesses in digital contracts.

OWASP Top 10 API Security Risks – 2023

For all of you builders, The Open Worldwide Application Security Project has released their list of API dangers to look out for this year. Make sure your project isn’t exposed!
