It’s been an unrelenting week for MetaMask developers.
Reacting to the news that $4.5 million worth of funds had been drained from thousands of software wallets on Solana, the team behind MetaMask—far and away the most popular software wallet for Ethereum and Ethereum-compatible networks—combed through the wallet's codebase to make sure users would not be affected by a similar hack.
That kind of fire drill has been repeated elsewhere. On reports that the Near Wallet might have a vulnerability similar to the hacked Solana wallets, the protocol’s Twitter account said Thursday night that it’s “highly recommended” users change their security settings.
Scanning for vulnerabilities after there’s been an exploit is one way that developers handle security. Ideally, they find them before they’ve been exploited. MetaMask has said previously that it’s working to reorganize its teams to better respond to security issues, but there are signs that it’s struggling to keep up.
In a recent example, Aurox CEO Giorgi Khazaradze said he found MetaMask’s team to be unresponsive when he tried to tip them off about a vulnerability in June.
He told Decrypt that his team was looking at MetaMask’s codebase—which is open source and viewable in its GitHub repository—because they’re building their own browser extension wallet.
The wallet has been announced, but not yet launched. When it does, it’ll be competing with MetaMask. To put it plainly: That means Khazaradze stands to benefit from casting doubt on what is, far and away, the biggest competitor for his new product.
After all, ConsenSys, the company that develops MetaMask, just closed a $450 million Series D round at a $7 billion valuation—helped in large part by the rate at which MetaMask has been attracting new users. (Disclosure: ConsenSys Mesh is an investor in Decrypt.) As of March, MetaMask had more than 30 million monthly active users, a 42% increase over the 21 million it had in November 2021.
Khazaradze said his team realized that it would be possible to use an HTML element called an inline frame, or iframe, to add a hidden decentralized app, or dapp, to a webpage. There are lots of legitimate use cases for connecting MetaMask to a dapp running in an iframe, which has been possible since 2017. But it could also be used by an attacker.
That would mean an attacker could hypothetically create a page that looks like a legit application, but connects to another that the MetaMask user never sees. An attacker couldn’t iframe their malicious dapp onto a site they don’t control. But they could set up a site to look like one thing, such as a free NFT mint, and have it connect to something else entirely
This kind of vulnerability could take advantage of the fact that MetaMask automatically prompts users to connect to a dapp if it detects one on a webpage. It’s standard behavior for the browser extension version of MetaMask. Outside the context of vulnerabilities and attackers, it’s a feature that puts fewer clicks between a user and their ability to interact with dapps.
It’s similar, but not quite the same, as a clickjacking vulnerability that MetaMask paid a $120,000 bounty for in June. With that, an attacker hides MetaMask itself on a webpage and tricks the user into revealing private data or transferring funds.
“While the extension running within an iframe is considered a vulnerability (which was solved), the other way around, a dapp running within an iframe is a known feature, i.e. not a vulnerability,” a MetaMask spokesperson told Decrypt in an email after this story was initially published.
Khazaradze contends that there is a vulnerability around iframing dapps. "The wallet automatically connects to those dapps, which can allow an attacker to trick you to perform specific transactions,” he said.
Khazaradze said he attempted to contact MetaMask about the vulnerability on June 27. First he tried the company’s support chat feature and said he was told to contact the company’s developers through GitHub. But he didn’t feel comfortable doing that.
He said he then emailed MetaMask support directly, but got an unhelpful response: “We are experiencing extremely high volumes of inquiries. In an effort to improve our efficiencies on responding to support inquiries, direct emails to support are no longer enabled.”
At that point, Khazaradze said he gave up trying to let the team know about the vulnerability and reached out to Decrypt.
Herman Junge, a member of MetaMask’s security team, told Decrypt that the app’s support team wouldn’t have wanted an iframe vulnerability listed on GitHub.
“At MetaMask, we take iframe reports seriously and give them due procedure through our bug bounty program at HackerOne. If a security researcher sends their report using another instance, we invite them to go to HackerOne,” he said in an email. “We don’t have in our records any message where we encourage researchers to post an iframe report into GitHub.”
In an email conversation with MetaMask public relations, Decrypt described the vulnerability that the Aurox team claims to have found. In his emailed statement, Junge didn’t acknowledge the purported vulnerability or say that MetaMask would be investigating the issue.
He did, however, say that publishing an active security issue before the app’s team has a chance to address it can “put innocent people at unnecessary risk.” But so far, the language used in its support messages doesn’t mention anything about HackerOne, where MetaMask launched a bug bounty program in June.
Resorting to 'spectacle'
In the security community, it’s professional courtesy to privately notify a company about a vulnerability for the same reason it’s courteous not to shout that someone’s fly is down. The discretion gives them a chance to fix it before other people notice.
Reporting vulnerabilities discreetly keeps the information away from people who would exploit it before developers have had a chance to implement a fix. But when the reporting process is confusing or the recipient seems unresponsive, vulnerabilities go public before there’s a fix, usually in an effort to force the team to act.
Janine Romer, a privacy researcher and investigative journalist, said she’s seen lots of instances of people trying discreet lines of communication first and then switching to Twitter to report vulnerabilities.
“Similar things happen with Bitcoin wallets where the only way sometimes to get attention for stuff is to just tweet at people, which is bad. That should not be the way that things are handled,” she told Decrypt. “It should also be possible to report things privately and not have to make a public spectacle. But then it kind of incentivizes people to make a public spectacle because nobody's answering privately.”
In January, Alex Lupascu, co-founder of Omnia Protocol, said on Twitter that he and his team found a “critical privacy vulnerability” in MetaMask and linked to a blog post describing how an attacker could exploit it.
Harry Denley, a security researcher who now works with MetaMask, replied to ask if the team had been notified or said they were working on it. Lupascu said they had, but that he first made his report five months ago and the vulnerability was still exploitable.
Eventually MetaMask co-founder Dan Finlay weighed in.
“Yeah, I think this issue has been widely known for a long time, so I don’t think a disclosure period applies,” he wrote on Twitter. “Alex is right to call us out for not addressing it sooner. Starting to work on it now. Thanks for the kick in the pants, and sorry we needed it.”
Safely using software wallets
A couple months later, the aforementioned bug bounty program was launched. It’s not as though all MetaMask vulnerability reports go unaddressed. Web3 security firm Halborn Security reported a vulnerability that could impact MetaMask users in June and got a hat tip from the MetaMask Twitter account for it.
David Schwed, Halborn’s chief operating officer, said he found the MetaMask team responsive. They addressed and patched the vulnerability. Even so, he said users should be cautious about keeping any substantial funds in a software wallet.
“I wouldn’t necessarily take a shot at MetaMask. MetaMask serves a certain purpose right now. Now if I was an organization, I wouldn’t store hundreds of millions of dollars on MetaMask, but I probably wouldn’t store it on any particular wallet,” he said. “I would diversify my holdings and self-custody and use other security practices to manage my risk.”
For him, the safest and most responsible way to use software wallets is to keep private keys on a hardware security module, or HSM. Two of the most popular hardware wallets, as they’re also known in crypto, include the Ledger and Trezor.
“At the end of the day, that’s what’s actually storing my private keys and that’s where the signing of the transactions is actually happening,” Schwed said. “And your [browser] wallet is really just a mechanism to broadcast out to the chain and construct the transaction.”
Closing the gap
The problem is that not everybody uses browser extension wallets that way. But there have been efforts to address it, both by giving developers better guidance on how to build security into their apps and teaching users how to keep their funds safe.
That’s where the CryptoCurrency Certification Consortium, or C4, comes in. It’s the same organization that created the Bitcoin and Ethereum professional certifications. Fun fact: Ethereum creator Vitalik Buterin helped write the Certified Bitcoin Professional exam before he invented Ethereum.
Jessica Levesque, executive director at C4, said there’s still a big knowledge gap for new crypto adopters.
“What’s kind of scary about this is that people who have been around crypto for a long time probably are like, it’s pretty clear you shouldn’t keep a lot of money on MetaMask or any hot wallet. Move it off,” she told Decrypt. “But most of us, when we first started, we didn’t know that.”
On the other end of things, there’s been a prevailing assumption that open-source projects are more secure because their code is available for review by independent researchers.
In fact, on Wednesday, in light of the Solana wallet hack, a developer who goes by fubuloubu on Twitter, garnered a lot of attention for saying it’s “irresponsible not to have open source code in crypto.”
Noah Buxton, who leads Armanino’s blockchain and digital asset practice and sits on C4’s CryptoCurrency Security Standard Committee, said the low visibility of smaller projects or offers to pay bug bounties in native tokens can act as a disincentive for researchers to spend their time looking at them.
“In open source, the attention of developers is driven largely by either notoriety or some monetization,” he said. “Why spend time looking for bugs on a new decentralized exchange when there’s very little liquidity, the governance token isn’t worth anything and the team wants to pay you in the governance token for a bounty. I would rather spend time on Ethereum on another layer 1.”
Editor's note: This article was updated after publication to include responses and clarifications from a MetaMask spokesperson.