{"id":25372,"date":"2022-08-08T23:24:45","date_gmt":"2022-08-08T23:24:45","guid":{"rendered":"http:\/\/egrowonline.com\/?p=25372"},"modified":"2022-08-08T23:24:45","modified_gmt":"2022-08-08T23:24:45","slug":"how-secure-is-the-ethereum-sitting-in-your-metamask-wallet","status":"publish","type":"post","link":"http:\/\/egrowonline.com\/?p=25372","title":{"rendered":"How Secure Is the Ethereum Sitting in Your MetaMask Wallet?"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div style=\"background-color:transparent;background-size:20% 100%;background-image:linear-gradient(to right, rgba(0, 0, 0, 0.04) 1px, transparent 1px);background-position:0%;overflow:visible;font-size:1.2em;line-height:1.58;text-align:left\">\n<p class=\"font-meta-serif-pro font-normal text-lg sm:text-xl sm:leading-9 tracking-px text-body\"><span style=\"font-weight:400\">It\u2019s been an unrelenting week for <span class=\"link\"><a target=\"_blank\" href=\"https:\/\/decrypt.co\/50431\/metamask-crypto-wallet-review\" class=\"sc-adb616fe-0 ePvUAp\" rel=\"noopener\">MetaMask<\/a><\/span> developers.\u00a0<\/span><\/p>\n<p class=\"font-meta-serif-pro font-normal text-lg sm:text-xl sm:leading-9 tracking-px text-body\"><span style=\"font-weight:400\">Reacting to the news that <\/span><a target=\"_blank\" href=\"https:\/\/decrypt.co\/106649\/solana-wallet-hack-what-we-know-so-far\" class=\"sc-adb616fe-0 ePvUAp\" rel=\"noopener\"><span style=\"font-weight:400\">$4.5 million worth of funds<\/span><\/a><span style=\"font-weight:400\"> had been drained from thousands of software <a target=\"_blank\" href=\"https:\/\/decrypt.co\/?post_type=post&amp;p=5702\" rel=\"noreferrer noopener\" class=\"sc-adb616fe-0 ePvUAp\"><span class=\"sc-48a5c6a5-4 eylCNa\">wallets<\/span><\/a> on <span class=\"link\"><a target=\"_blank\" href=\"https:\/\/decrypt.co\/resources\/what-is-solana-a-scalable-decentralized-network-for-dapps\" class=\"sc-adb616fe-0 ePvUAp\" rel=\"noopener\">Solana<\/a><\/span>, the team behind 
MetaMask\u2014far and away the most popular software wallet for <a target=\"_blank\" href=\"https:\/\/decrypt.co\/?post_type=post&amp;p=5726\" rel=\"noreferrer noopener\" class=\"sc-adb616fe-0 ePvUAp\"><span class=\"sc-48a5c6a5-4 eylCNa\">Ethereum<\/span><\/a> and Ethereum-compatible networks\u2014<\/span><span style=\"font-weight:400\">combed through the wallet&#8217;s codebase to make sure users would not be affected by a similar hack.<\/span><\/p>\n<p class=\"font-meta-serif-pro font-normal text-lg sm:text-xl sm:leading-9 tracking-px text-body\"><span style=\"font-weight:400\">That kind of fire drill has been repeated elsewhere. On reports that the <a target=\"_blank\" href=\"https:\/\/decrypt.co\/106819\/near-protocol-wallet-breach-exposed-private-keys\" rel=\"noopener\" class=\"sc-adb616fe-0 ePvUAp\">Near Wallet<\/a> might have a vulnerability similar to the hacked Solana wallets, the protocol\u2019s Twitter account said Thursday night that it\u2019s \u201c<\/span><a target=\"_blank\" href=\"https:\/\/twitter.com\/NEARProtocol\/status\/1555271136254066690\" class=\"sc-adb616fe-0 ePvUAp\" rel=\"noopener\"><span style=\"font-weight:400\">highly recommended<\/span><\/a><span style=\"font-weight:400\">\u201d users change their security settings.<\/span><\/p>\n<p class=\"font-meta-serif-pro font-normal text-lg sm:text-xl sm:leading-9 tracking-px text-body\"><span style=\"font-weight:400\">Scanning for vulnerabilities after there\u2019s been an exploit is one way that developers handle security. Ideally, they find them before they\u2019ve been exploited. 
MetaMask has said previously that it\u2019s working to reorganize its teams to better respond to security issues, but there are signs that it\u2019s struggling to keep up.<\/span><\/p>\n<p><span class=\"\" \/><\/p>\n<h2 style=\"margin-top:2em;text-align:left;padding-bottom:16px;margin-bottom:16px;border-bottom:1px solid #dfe2e4\" class=\"sc-e93b592e-2 dtmzta\">Unanswered messages<\/h2>\n<p class=\"font-meta-serif-pro font-normal text-lg sm:text-xl sm:leading-9 tracking-px text-body\"><span style=\"font-weight:400\">In a recent example, Aurox CEO Giorgi Khazaradze said he found MetaMask\u2019s team to be unresponsive when he tried to tip them off about a vulnerability in June.<\/span><\/p>\n<p class=\"font-meta-serif-pro font-normal text-lg sm:text-xl sm:leading-9 tracking-px text-body\"><span style=\"font-weight:400\">He told <\/span><i><span style=\"font-weight:400\">Decrypt<\/span><\/i><span style=\"font-weight:400\"> that his team was looking at MetaMask\u2019s codebase\u2014which is open source and viewable in <\/span><a target=\"_blank\" href=\"https:\/\/github.com\/MetaMask\" class=\"sc-adb616fe-0 ePvUAp\" rel=\"noopener\"><span style=\"font-weight:400\">its GitHub repository<\/span><\/a><span style=\"font-weight:400\">\u2014because they\u2019re building their own browser extension wallet.\u00a0<\/span><\/p>\n<p class=\"font-meta-serif-pro font-normal text-lg sm:text-xl sm:leading-9 tracking-px text-body\"><span style=\"font-weight:400\">The wallet has been announced, but not yet launched. When it does, it\u2019ll be competing with MetaMask. 
To put it plainly: That means Khazaradze stands to benefit from casting doubt on what is, far and away, the biggest competitor for his new product.<\/span><\/p>\n<p class=\"font-meta-serif-pro font-normal text-lg sm:text-xl sm:leading-9 tracking-px text-body\"><span style=\"font-weight:400\">After all, ConsenSys, the company that develops MetaMask (and, full disclosure, an investor in <i>Decrypt<\/i>), just closed a $450 million Series D round at a <\/span><a target=\"_blank\" href=\"https:\/\/decrypt.co\/95090\/consensys-funding-ethereum-metamask-series-d\" class=\"sc-adb616fe-0 ePvUAp\" rel=\"noopener\"><span style=\"font-weight:400\">$7 billion<\/span><\/a><span style=\"font-weight:400\"> valuation\u2014helped in large part by the rate at which MetaMask has been attracting new users. As of March, MetaMask had more than <\/span><a target=\"_blank\" href=\"https:\/\/decrypt.co\/95039\/metamask-consensys-30-million-users\" class=\"sc-adb616fe-0 ePvUAp\" rel=\"noopener\"><span style=\"font-weight:400\">30 million monthly active users<\/span><\/a><span style=\"font-weight:400\">, a 42% increase over the 21 million it had in <\/span><a target=\"_blank\" href=\"https:\/\/decrypt.co\/86263\/ethereum-wallet-metamask-reports-21-million-users\" class=\"sc-adb616fe-0 ePvUAp\" rel=\"noopener\"><span style=\"font-weight:400\">November 2021<\/span><\/a><span style=\"font-weight:400\">.<\/span><\/p>\n<p class=\"font-meta-serif-pro font-normal text-lg sm:text-xl sm:leading-9 tracking-px text-body\"><span style=\"font-weight:400\">Khazaradze said his team realized that it would be possible to use an HTML element called an inline frame, or iframe, to add a hidden decentralized app, or dapp, to a webpage.<\/span><\/p>\n<p class=\"font-meta-serif-pro font-normal text-lg sm:text-xl sm:leading-9 tracking-px text-body\"><span style=\"font-weight:400\">That would mean an attacker could hypothetically create a page that looks like a legit application, but connects to another that the 
MetaMask user never sees. So instead of swapping some <span class=\"link\"><a target=\"_blank\" href=\"https:\/\/decrypt.co\/resources\/what-is-ethereum-quickly-explained-four-minute-guide\" class=\"sc-adb616fe-0 ePvUAp\" rel=\"noopener\">Ethereum<\/a><\/span>\u00a0for coins to support a new project or buying an <span class=\"link\"><a target=\"_blank\" href=\"https:\/\/decrypt.co\/resources\/non-fungible-tokens-nfts-explained-guide-learn-blockchain\" class=\"sc-adb616fe-0 ePvUAp\" rel=\"noopener\">NFT<\/a><\/span>, the user could unwittingly be sending their crypto straight to a thief\u2019s wallet.<\/span><\/p>\n<p class=\"font-meta-serif-pro font-normal text-lg sm:text-xl sm:leading-9 tracking-px text-body\"><span style=\"font-weight:400\">This kind of vulnerability could take advantage of the fact that MetaMask automatically prompts users to connect to a dapp if it detects one on a webpage. It\u2019s standard behavior for the browser extension version of MetaMask. Outside the context of vulnerabilities and attackers, it\u2019s a feature that puts fewer clicks between a user and their ability to interact with dapps.\u00a0<\/span><\/p>\n<p class=\"font-meta-serif-pro font-normal text-lg sm:text-xl sm:leading-9 tracking-px text-body\"><span style=\"font-weight:400\">It\u2019s similar, but not quite the same, as a clickjacking vulnerability that MetaMask paid a <\/span><a target=\"_blank\" href=\"https:\/\/medium.com\/metamask\/metamask-awards-bug-bounty-for-clickjacking-vulnerability-9f53618e3c3a\" class=\"sc-adb616fe-0 ePvUAp\" rel=\"noopener\"><span style=\"font-weight:400\">$120,000 bounty<\/span><\/a><span style=\"font-weight:400\"> for in June. With that, an attacker hides MetaMask itself on a webpage and tricks the user into revealing private data or transferring funds.<\/span><\/p>\n<p class=\"font-meta-serif-pro font-normal text-lg sm:text-xl sm:leading-9 tracking-px text-body\"><span style=\"font-weight:400\">\u201cThat\u2019s a different vulnerability. 
That was within MetaMask itself. Basically, you could iframe MetaMask and then clickjack people,\u201d Khazaradze said. \u201cWhereas the one we found is iframing dapps. The wallet automatically connects to those dapps, which can allow an attacker to trick you to perform specific transactions.\u201d<\/span><\/p>\n<p class=\"font-meta-serif-pro font-normal text-lg sm:text-xl sm:leading-9 tracking-px text-body\"><span style=\"font-weight:400\">Khazaradze said he attempted to contact MetaMask about the vulnerability on June 27. First he tried the company\u2019s support chat feature and said he was told to make a post on the app\u2019s GitHub. But he didn\u2019t feel comfortable doing that.<\/span><\/p>\n<p class=\"font-meta-serif-pro font-normal text-lg sm:text-xl sm:leading-9 tracking-px text-body\"><span style=\"font-weight:400\">He said he then emailed MetaMask support directly, but got an unhelpful response: \u201cWe are experiencing extremely high volumes of inquiries. In an effort to improve our efficiencies on responding to support inquiries, direct emails to support are no longer enabled.\u201d<\/span><\/p>\n<p class=\"font-meta-serif-pro font-normal text-lg sm:text-xl sm:leading-9 tracking-px text-body\"><span style=\"font-weight:400\">At that point, Khazaradze said he gave up trying to let the team know about the vulnerability and reached out to <\/span><i><span style=\"font-weight:400\">Decrypt<\/span><\/i><span style=\"font-weight:400\">.\u00a0<\/span><\/p>\n<h2 style=\"margin-top:2em;text-align:left;padding-bottom:16px;margin-bottom:16px;border-bottom:1px solid #dfe2e4\" class=\"sc-e93b592e-2 dtmzta\">MetaMask responds<\/h2>\n<p class=\"font-meta-serif-pro font-normal text-lg sm:text-xl sm:leading-9 tracking-px text-body\"><span style=\"font-weight:400\">Herman Junge, a member of MetaMask\u2019s security team, told <\/span><i><span style=\"font-weight:400\">Decrypt<\/span><\/i><span style=\"font-weight:400\"> that the app\u2019s support team wouldn\u2019t 
have wanted an iframe vulnerability listed on GitHub.<\/span><\/p>\n<p class=\"font-meta-serif-pro font-normal text-lg sm:text-xl sm:leading-9 tracking-px text-body\"><span style=\"font-weight:400\">\u201cAt MetaMask, we take iframe reports seriously and give them due procedure through our bug bounty program at HackerOne. If a security researcher sends their report using another instance, we invite them to go to HackerOne,\u201d he said in an email. \u201cWe don\u2019t have in our records any message where we encourage researchers to post an iframe report into GitHub.\u201d<\/span><\/p>\n<p class=\"font-meta-serif-pro font-normal text-lg sm:text-xl sm:leading-9 tracking-px text-body\"><span style=\"font-weight:400\">In an email conversation with MetaMask public relations, <\/span><i><span style=\"font-weight:400\">Decrypt<\/span><\/i><span style=\"font-weight:400\"> described the vulnerability that the Aurox team claims to have found. In his emailed statement, Junge didn\u2019t acknowledge the purported vulnerability or say that MetaMask would be investigating the issue.<\/span><\/p>\n<p class=\"font-meta-serif-pro font-normal text-lg sm:text-xl sm:leading-9 tracking-px text-body\"><span style=\"font-weight:400\">He did, however, say that publishing an active security issue before the app\u2019s team has a chance to address it can \u201cput innocent people at unnecessary risk.\u201d But so far, the language used in its support messages doesn\u2019t mention anything about HackerOne, where MetaMask launched a <\/span><a target=\"_blank\" href=\"https:\/\/hackerone.com\/metamask?type=team\" class=\"sc-adb616fe-0 ePvUAp\" rel=\"noopener\"><span style=\"font-weight:400\">bug bounty program<\/span><\/a><span style=\"font-weight:400\"> in June.<\/span><\/p>\n<h2 style=\"margin-top:2em;text-align:left;padding-bottom:16px;margin-bottom:16px;border-bottom:1px solid #dfe2e4\" class=\"sc-e93b592e-2 dtmzta\">Resorting to &#8216;spectacle&#8217;<\/h2>\n<p 
class=\"font-meta-serif-pro font-normal text-lg sm:text-xl sm:leading-9 tracking-px text-body\"><span style=\"font-weight:400\">In the security community, it\u2019s professional courtesy to privately notify a company about a vulnerability for the same reason it\u2019s courteous not to shout that someone\u2019s fly is down. The discretion gives them a chance to fix it before other people notice.\u00a0<\/span><\/p>\n<p class=\"font-meta-serif-pro font-normal text-lg sm:text-xl sm:leading-9 tracking-px text-body\"><span style=\"font-weight:400\">Reporting vulnerabilities discreetly keeps the information away from people who would exploit it before developers have had a chance to implement a fix. But when the reporting process is confusing or the recipient seems unresponsive, vulnerabilities go public before there\u2019s a fix, usually in an effort to force the team to act.<\/span><\/p>\n<p class=\"font-meta-serif-pro font-normal text-lg sm:text-xl sm:leading-9 tracking-px text-body\"><span style=\"font-weight:400\">Janine Romer, a privacy researcher and investigative journalist, said she\u2019s seen lots of instances of people trying discreet lines of communication first and then switching to Twitter to report vulnerabilities.<\/span><\/p>\n<p class=\"font-meta-serif-pro font-normal text-lg sm:text-xl sm:leading-9 tracking-px text-body\"><span style=\"font-weight:400\">\u201cSimilar things happen with Bitcoin wallets where the only way sometimes to get attention for stuff is to just tweet at people, which is bad. That should not be the way that things are handled,\u201d she told <\/span><i><span style=\"font-weight:400\">Decrypt<\/span><\/i><span style=\"font-weight:400\">. \u201cIt should also be possible to report things privately and not have to make a public spectacle. 
But then it kind of incentivizes people to make a public spectacle because nobody&#8217;s answering privately.\u201d<\/span><\/p>\n<p class=\"font-meta-serif-pro font-normal text-lg sm:text-xl sm:leading-9 tracking-px text-body\"><span style=\"font-weight:400\">In January, Alex Lupascu, co-founder of Omnia Protocol, said <\/span><a target=\"_blank\" href=\"https:\/\/twitter.com\/alxlpsc\/status\/1484102749566476291\" class=\"sc-adb616fe-0 ePvUAp\" rel=\"noopener\"><span style=\"font-weight:400\">on Twitter<\/span><\/a><span style=\"font-weight:400\"> that he and his team found a \u201ccritical privacy vulnerability\u201d in MetaMask and linked to a <\/span><a target=\"_blank\" href=\"https:\/\/medium.com\/@alxlpsc\/critical-privacy-vulnerability-getting-exposed-by-metamask-693c63c2ce94\" class=\"sc-adb616fe-0 ePvUAp\" rel=\"noopener\"><span style=\"font-weight:400\">blog post<\/span><\/a><span style=\"font-weight:400\"> describing how an attacker could exploit it.<\/span><\/p>\n<p class=\"font-meta-serif-pro font-normal text-lg sm:text-xl sm:leading-9 tracking-px text-body\"><span style=\"font-weight:400\">Harry Denley, a security researcher who works with MetaMask, <\/span><a target=\"_blank\" href=\"https:\/\/twitter.com\/sniko_\/status\/1484168406861557760\" class=\"sc-adb616fe-0 ePvUAp\" rel=\"noopener\"><span style=\"font-weight:400\">replied to ask<\/span><\/a><span style=\"font-weight:400\"> if the team had been notified or said they were working on it. 
Lupascu said they had, but that he first made his report five months ago and the vulnerability was still exploitable.<\/span><\/p>\n<p class=\"font-meta-serif-pro font-normal text-lg sm:text-xl sm:leading-9 tracking-px text-body\"><span style=\"font-weight:400\">Eventually MetaMask co-founder Dan Finlay weighed in.<\/span><\/p>\n<p class=\"font-meta-serif-pro font-normal text-lg sm:text-xl sm:leading-9 tracking-px text-body\"><span style=\"font-weight:400\">\u201cYeah, I think this issue has been widely known for a long time, so I don\u2019t think a disclosure period applies,\u201d he wrote on Twitter. \u201cAlex is right to call us out for not addressing it sooner. Starting to work on it now. Thanks for the kick in the pants, and sorry we needed it.\u201d<\/span><\/p>\n<h2 style=\"margin-top:2em;text-align:left;padding-bottom:16px;margin-bottom:16px;border-bottom:1px solid #dfe2e4\" class=\"sc-e93b592e-2 dtmzta\">Safely using software wallets<\/h2>\n<p class=\"font-meta-serif-pro font-normal text-lg sm:text-xl sm:leading-9 tracking-px text-body\"><span style=\"font-weight:400\">A couple months later, the aforementioned bug bounty program was launched. It\u2019s not as though all MetaMask vulnerability reports go unaddressed. Web3 security firm Halborn Security reported a vulnerability that could impact MetaMask users in June and got a <\/span><a target=\"_blank\" href=\"https:\/\/twitter.com\/MetaMask\/status\/1537103629613551624\" class=\"sc-adb616fe-0 ePvUAp\" rel=\"noopener\"><span style=\"font-weight:400\">hat tip<\/span><\/a><span style=\"font-weight:400\"> from the MetaMask Twitter account for it.<\/span><\/p>\n<p class=\"font-meta-serif-pro font-normal text-lg sm:text-xl sm:leading-9 tracking-px text-body\"><span style=\"font-weight:400\">David Schwed, Halborn\u2019s chief operating officer, said he found the MetaMask team responsive. They addressed and patched the vulnerability. 
Even so, he said users should be cautious about keeping any substantial funds in a software wallet.<\/span><\/p>\n<p class=\"font-meta-serif-pro font-normal text-lg sm:text-xl sm:leading-9 tracking-px text-body\"><span style=\"font-weight:400\">\u201cI wouldn\u2019t necessarily take a shot at MetaMask. MetaMask serves a certain purpose right now. Now if I was an organization, I wouldn\u2019t store hundreds of millions of dollars on MetaMask, but I probably wouldn\u2019t store it on any particular wallet,\u201d he said. \u201cI would diversify my holdings and self-custody and use other security practices to manage my risk.\u201d<\/span><\/p>\n<p class=\"font-meta-serif-pro font-normal text-lg sm:text-xl sm:leading-9 tracking-px text-body\"><span style=\"font-weight:400\">For him, the safest and most responsible way to use software wallets is to keep private keys on a hardware security module, or HSM. Two of the most popular hardware wallets, as they\u2019re also known in crypto, include the Ledger and Trezor.<\/span><\/p>\n<p class=\"font-meta-serif-pro font-normal text-lg sm:text-xl sm:leading-9 tracking-px text-body\"><span style=\"font-weight:400\">\u201cAt the end of the day, that\u2019s what\u2019s actually storing my private keys and that\u2019s where the signing of the transactions is actually happening,\u201d Schwed said. \u201cAnd your [browser] wallet is really just a mechanism to broadcast out to the chain and construct the transaction.\u201d<\/span><\/p>\n<h2 style=\"margin-top:2em;text-align:left;padding-bottom:16px;margin-bottom:16px;border-bottom:1px solid #dfe2e4\" class=\"sc-e93b592e-2 dtmzta\">Closing the gap<\/h2>\n<p class=\"font-meta-serif-pro font-normal text-lg sm:text-xl sm:leading-9 tracking-px text-body\"><span style=\"font-weight:400\">The problem is that not everybody uses browser extension wallets that way. 
But there have been efforts to address it, both by giving developers better guidance on how to build security into their apps and teaching users how to keep their funds safe.\u00a0<\/span><\/p>\n<p class=\"font-meta-serif-pro font-normal text-lg sm:text-xl sm:leading-9 tracking-px text-body\"><span style=\"font-weight:400\">That\u2019s where the CryptoCurrency Certification Consortium, or C4, comes in. It\u2019s the same organization that created the Bitcoin and Ethereum professional certifications. Fun fact: Ethereum creator Vitalik Buterin helped write the Certified Bitcoin Professional exam before he invented Ethereum.\u00a0<\/span><\/p>\n<p class=\"font-meta-serif-pro font-normal text-lg sm:text-xl sm:leading-9 tracking-px text-body\"><span style=\"font-weight:400\">Jessica Levesque, executive director at C4, said there\u2019s still a big knowledge gap for new crypto adopters.<\/span><\/p>\n<p class=\"font-meta-serif-pro font-normal text-lg sm:text-xl sm:leading-9 tracking-px text-body\"><span style=\"font-weight:400\">\u201cWhat\u2019s kind of scary about this is that people who have been around crypto for a long time probably are like, it\u2019s pretty clear you shouldn\u2019t keep a lot of money on MetaMask or any hot wallet. Move it off,\u201d she told <\/span><i><span style=\"font-weight:400\">Decrypt<\/span><\/i><span style=\"font-weight:400\">. 
\u201cBut most of us, when we first started, we didn\u2019t know that.\u201d<\/span><\/p>\n<p class=\"font-meta-serif-pro font-normal text-lg sm:text-xl sm:leading-9 tracking-px text-body\"><span style=\"font-weight:400\">On the other end of things, there\u2019s been a prevailing assumption that open-source projects are more secure because their code is available for review by independent researchers.\u00a0<\/span><\/p>\n<p class=\"font-meta-serif-pro font-normal text-lg sm:text-xl sm:leading-9 tracking-px text-body\"><span style=\"font-weight:400\">In fact, on Wednesday, in light of the Solana wallet hack, a developer who goes by fubuloubu on Twitter garnered a lot of attention for saying it\u2019s \u201c<\/span><a target=\"_blank\" href=\"https:\/\/twitter.com\/fubuloubu\/status\/1554828581418815488?ref_src=twsrc%5Etfw\" class=\"sc-adb616fe-0 ePvUAp\" rel=\"noopener\"><span style=\"font-weight:400\">irresponsible not to have open source code in crypto<\/span><\/a><span style=\"font-weight:400\">.\u201d<\/span><\/p>\n<p class=\"font-meta-serif-pro font-normal text-lg sm:text-xl sm:leading-9 tracking-px text-body\"><span style=\"font-weight:400\">Noah Buxton, who leads Armanino\u2019s blockchain and digital asset practice and sits on C4\u2019s CryptoCurrency Security Standard Committee, said the low visibility of smaller projects or offers to pay bug bounties in native tokens can act as a disincentive for researchers to spend their time looking at them.<\/span><\/p>\n<p class=\"font-meta-serif-pro font-normal text-lg sm:text-xl sm:leading-9 tracking-px text-body\"><span style=\"font-weight:400\">\u201cIn open source, the attention of developers is driven largely by either notoriety or some monetization,\u201d he said. \u201cWhy spend time looking for bugs on a new decentralized exchange when there\u2019s very little liquidity, the governance token isn\u2019t worth anything and the team wants to pay you in the governance token for a bounty. 
I would rather spend time on Ethereum on another layer 1.\u201d<\/span><\/p>\n<\/div>\n<p><br \/>\n<br \/><a href=\"https:\/\/decrypt.co\/106848\/how-secure-ethereum-metamask-wallet\">Source link <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>It\u2019s been an unrelenting week for MetaMask developers.\u00a0 Reacting to the news that $4.5 million worth of funds had been drained from thousands of software wallets on Solana, the team behind MetaMask\u2014far and away the most popular software wallet for Ethereum and Ethereum-compatible networks\u2014combed through the wallet&#8217;s codebase to make sure users would not be 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":25373,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[41],"tags":[158,440,1651,10324,1130],"class_list":["post-25372","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ethereum","tag-ethereum","tag-metamask","tag-secure","tag-sitting","tag-wallet"],"jetpack_publicize_connections":[],"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"http:\/\/egrowonline.com\/wp-content\/uploads\/2022\/08\/metamask-ethereum-wallet-gID_6.jpeg","_links":{"self":[{"href":"http:\/\/egrowonline.com\/index.php?rest_route=\/wp\/v2\/posts\/25372","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/egrowonline.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/egrowonline.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/egrowonline.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/egrowonline.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=25372"}],"version-history":[{"count":1,"href":"http:\/\/egrowonline.com\/index.php?rest_route=\/wp\/v2\/posts\/25372\/revisions"}],"predecessor-version":[{"id":25374,"href":"http:\/\/egrowonline.com\/index.php?rest_route=\/wp\/v2\/posts\/25372\/revisions\/25374"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/egrowonline.com\/index.php?rest_route=\/wp\/v2\/media\/25373"}],"wp:attachment":[{"href":"http:\/\/egrowonline.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=25372"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/egrowonline.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=25
372"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/egrowonline.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=25372"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}