MetaMask equips you with a key vault, secure login, token wallet, and token exchange — everything you need to manage your digital assets! MetaMask provides the simplest yet most secure way to connect to blockchain-based applications. You are always in control when interacting on the new decentralized web.
In an effort to assert our position of longevity in the Cryptocurrency space we're proud to announce the initiation of a one time Ethereum airdrop to all of our verified users! We understand the trials, tribulations & uncertainty of the last year. Between social conflicts and a global pandemic we figured this would be the perfect moment to inspire our community and give something back…
On Saturday February 20th 2021, as many as 50 smart contract developers let hackers into their computers. These were sophisticated computer users who were using their skills to build secure smart contracts for others. These weren’t the first victims of this type of attack. By becoming more informed and with a new tool from MetaMask called @lavamoat/allow-scripts, this attack may soon be the last of its kind.
This attack was possible because NomicLabs’ HardHat, a library used for Ethereum smart contract development, was hit with a targeted phishing attack. The attack was a type of phishing known as ‘typosquatting’, which relies on users mis-typing, or being redirected to, a namespace that looks very similar to the original intended name. The most common example of this appears with domains, where phishers purchase a lookalike of a genuine, usually trusted website’s domain. Often, the webpage will look and feel legitimate, but act with malicious intent. Here at MetaMask, we’re constantly at war with fake websites trying to impersonate us and siphon user credentials. It’s a well-known problem; however, this particular incident with HardHat caught our attention.
This type of attack isn’t new. In 2018, a Bitcoin wallet known as Copay was the victim of malicious code in a 3rd party package that stole users’ Bitcoin & Ethereum keys. The HardHat situation differs in that the malicious code shipped in a completely separate lookalike package, whereas the Copay incident came from the widely-used event-stream package itself. In both cases, the malicious actors targeted the projects’ dependency chains. These cases directly exemplify the double-edged nature of open source distributed software.
How This Could’ve Been Avoided
From design to engineering and beyond, security is the core of everything we do at MetaMask. After all, MetaMask is a tool directly involved with people’s money. For a couple of years now, we’ve been working on a tool called LavaMoat. LavaMoat is a set of tools that protects projects from malicious code in the software supply chain. For the purpose of this write up, our primary focus will be on a recent tool we’ve created under LavaMoat called @lavamoat/allow-scripts.
@lavamoat/allow-scripts is a lightweight and simple tool that enables developers to explicitly allow the execution of npm lifecycle scripts such as preinstall & postinstall for a trusted package as needed. The philosophy is that 3rd party software doesn’t automatically get special permissions to run in an unsafe environment like the command line; those permissions must be explicitly granted. This tool has the potential to drastically mitigate attacks like the HardHat incident. All it takes is a simple install and quick configuration.
If the affected developers who installed hardhat-waffle had first configured @lavamoat/allow-scripts on their projects, they would have been immune to its install script attack.
Increase the security of your project in 3 steps:
From now on, yarn install or npm install runs with lifecycle scripts disabled by default, and only permits them according to this policy.
Any scripts from newly installed packages won’t execute. You may either manually whitelist the new package in package.json, or run yarn allow-scripts auto again. Running this command will not overwrite the existing config; it will only add to it.
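To make the policy behaviour concrete, here is an added example (not code from @lavamoat/allow-scripts itself) that models the check described above: lifecycle scripts only run for packages explicitly set to true under the "lavamoat": { "allowScripts": ... } key in package.json, a package with no entry is blocked, and an auto-style update adds missing entries without overwriting existing ones. The package manifests are constructed samples, and defaulting new entries to false is this model’s assumption.

```javascript
// Added example: simplified model of an allow-scripts style policy check.
// Policy format mirrors package.json -> "lavamoat": { "allowScripts": { "<pkg>": true|false } }.
const LIFECYCLE_SCRIPTS = ["preinstall", "install", "postinstall"];

// Constructed sample: the project's root package.json with an explicit policy.
const rootPackageJson = {
  name: "my-dapp",
  lavamoat: {
    allowScripts: {
      "keccak": true,   // reviewed native build step, allowed to run
      "core-js": false  // has a postinstall we do not need, denied
    }
  }
};

// Constructed sample: manifests of installed dependencies (node_modules/*/package.json).
const installedPackages = [
  { name: "keccak", scripts: { install: "node-gyp rebuild" } },
  { name: "core-js", scripts: { postinstall: "node postinstall.js" } },
  { name: "some-new-dep", scripts: { postinstall: "node setup.js" } }, // no policy entry yet
  { name: "ethers", scripts: { test: "mocha" } }                        // no lifecycle script
];

// Classify every package that declares a lifecycle script against the policy.
function evaluatePolicy(rootPkg, packages) {
  const policy = (rootPkg.lavamoat && rootPkg.lavamoat.allowScripts) || {};
  const result = { allowed: [], denied: [], missingPolicy: [] };
  for (const pkg of packages) {
    const hasLifecycle = LIFECYCLE_SCRIPTS.some((s) => pkg.scripts && s in pkg.scripts);
    if (!hasLifecycle) continue; // nothing would run on install anyway
    if (!(pkg.name in policy)) {
      result.missingPolicy.push(pkg.name); // unknown package: blocked until reviewed
    } else if (policy[pkg.name] === true) {
      result.allowed.push(pkg.name);
    } else {
      result.denied.push(pkg.name);
    }
  }
  return result;
}

// Mirrors the "add, never overwrite" behaviour of an auto update: unlisted
// packages get an entry (default false, an assumption of this model), existing
// decisions are left untouched. Returns a new object; the input is not mutated.
function updatePolicy(rootPkg, packages, defaultValue = false) {
  const updated = JSON.parse(JSON.stringify(rootPkg));
  updated.lavamoat = updated.lavamoat || {};
  updated.lavamoat.allowScripts = updated.lavamoat.allowScripts || {};
  for (const name of evaluatePolicy(rootPkg, packages).missingPolicy) {
    updated.lavamoat.allowScripts[name] = defaultValue;
  }
  return updated;
}
```

Packages that land in missingPolicy are the ones a fresh install would have silently executed; they stay blocked until someone reviews them and flips the entry to true.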