

How Secure Is the Ethereum Sitting in Your MetaMask Wallet?




It’s been an unrelenting week for MetaMask developers. 

Reacting to the news that $4.5 million worth of funds had been drained from thousands of software wallets on Solana, the team behind MetaMask—far and away the most popular software wallet for Ethereum and Ethereum-compatible networks—combed through the wallet’s codebase to make sure users would not be affected by a similar hack.

That kind of fire drill has been repeated elsewhere. On reports that the Near Wallet might have a vulnerability similar to the hacked Solana wallets, the protocol’s Twitter account said Thursday night that it’s “highly recommended” users change their security settings.

Scanning for vulnerabilities after there’s been an exploit is one way that developers handle security. Ideally, they find them before they’ve been exploited. MetaMask has said previously that it’s working to reorganize its teams to better respond to security issues, but there are signs that it’s struggling to keep up.

Unanswered messages

In a recent example, Aurox CEO Giorgi Khazaradze said he found MetaMask’s team to be unresponsive when he tried to tip them off about a vulnerability in June.

He told Decrypt that his team was looking at MetaMask’s codebase—which is open source and viewable in its GitHub repository—because they’re building their own browser extension wallet. 

The wallet has been announced, but not yet launched. When it does, it’ll be competing with MetaMask. To put it plainly: That means Khazaradze stands to benefit from casting doubt on what is, far and away, the biggest competitor for his new product.

After all, ConsenSys, the company that develops MetaMask (and, full disclosure, an investor in Decrypt), just closed a $450 million Series D round at a $7 billion valuation—helped in large part by the rate at which MetaMask has been attracting new users. As of March, MetaMask had more than 30 million monthly active users, a 42% increase over the 21 million it had in November 2021.

Khazaradze said his team realized that an HTML element called an inline frame, or iframe, could be used to embed a hidden decentralized app, or dapp, inside a webpage.

That would mean an attacker could, hypothetically, build a page that looks like a legitimate application but drives a second dapp the MetaMask user never sees. Instead of swapping some ETH for a new project’s tokens or buying an NFT, the user could unwittingly approve a transaction that sends their crypto straight to a thief’s wallet.

This kind of attack takes advantage of how the browser extension version of MetaMask connects to dapps: the extension makes its provider available to the scripts on a page, including scripts running inside frames, a dapp’s own script can ask for a connection as soon as it runs, and a site the user has approved before is reconnected without a new prompt. Outside the context of vulnerabilities and attackers, that is a feature: it puts fewer clicks between a user and their ability to interact with dapps.

It’s similar to, but not quite the same as, a clickjacking vulnerability that MetaMask paid a $120,000 bounty for in June. In that case, an attacker hides MetaMask itself inside a webpage and tricks the user into revealing private data or transferring funds.

“That’s a different vulnerability. That was within MetaMask itself. Basically, you could iframe MetaMask and then clickjack people,” Khazaradze said. “Whereas the one we found is iframing dapps. The wallet automatically connects to those dapps, which can allow an attacker to trick you to perform specific transactions.”
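The framing scenario described above, seen from the defending dapp’s side, as an added example that is not code from the original article, from MetaMask or from Aurox: a page that refuses to request a wallet connection when it is not the top-level document, and the response headers that stop browsers from framing it in the first place. The provider interface is EIP-1193’s `request({ method })`, which is what MetaMask injects as `window.ethereum`; `FakeProvider`, the window-like objects and the account string are constructed stand-ins so the block runs offline under Node.

```javascript
// Added example, not MetaMask's or Aurox's code: a dapp-side guard that
// refuses to start a wallet connection when the page is being framed, plus
// the response headers a dapp should send so browsers refuse to frame it.
// The provider shape (request({ method })) is EIP-1193, which is what
// MetaMask injects as window.ethereum; FakeProvider and the window-like
// objects below are constructed stand-ins so the example runs under Node.

// Minimal EIP-1193-style provider stub (constructed for this example).
class FakeProvider {
  constructor(accounts) {
    this.accounts = accounts;
    this.calls = []; // every JSON-RPC method requested, for inspection
  }
  async request({ method }) {
    this.calls.push(method);
    if (method === 'eth_requestAccounts') return this.accounts;
    throw new Error(`unsupported method ${method}`);
  }
}

// True when this document is not the top-level browsing context. Comparing
// win.top to win.self is allowed even across origins; the try/catch is
// defensive (some sandboxed or scripted environments throw), and a throw is
// treated as "framed" rather than as "safe".
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (_) {
    return true;
  }
}

// Synchronous decision: should this page ask the wallet for accounts at all?
// A framed dapp must not, because the wallet prompt (or a remembered
// per-site approval) would then be attached to content the user never saw.
function connectionDecision(win, provider) {
  if (isFramed(win)) {
    return { allowed: false, reason: 'page is inside an iframe' };
  }
  if (!provider || typeof provider.request !== 'function') {
    return { allowed: false, reason: 'no EIP-1193 provider injected' };
  }
  return { allowed: true, reason: '' };
}

// The connect flow a dapp's "Connect wallet" button would run.
async function connectWallet(win, provider) {
  const decision = connectionDecision(win, provider);
  if (!decision.allowed) {
    return { ok: false, reason: decision.reason, accounts: [] };
  }
  const accounts = await provider.request({ method: 'eth_requestAccounts' });
  return { ok: true, reason: '', accounts };
}

// Server-side counterpart: headers telling browsers not to render this dapp
// inside any frame. frame-ancestors is the CSP directive; X-Frame-Options
// covers older browsers that predate it.
function antiFramingHeaders() {
  return {
    'Content-Security-Policy': "frame-ancestors 'none'",
    'X-Frame-Options': 'DENY',
  };
}

// Constructed window-like objects standing in for the browser's window.
const topLevelWindow = {};
topLevelWindow.self = topLevelWindow;
topLevelWindow.top = topLevelWindow;            // top-level page

const framedWindow = {};
framedWindow.self = framedWindow;
framedWindow.top = {};                          // some other (parent) window

const crossOriginFramed = {};                   // environment where .top throws
crossOriginFramed.self = crossOriginFramed;
Object.defineProperty(crossOriginFramed, 'top', {
  get() { throw new Error('SecurityError: cross-origin frame access'); },
});

// Demo: the framed page never reaches eth_requestAccounts.
const demoProvider = new FakeProvider(['0x1111111111111111111111111111111111111111']);
connectWallet(framedWindow, demoProvider).then((r) =>
  console.log(r.reason, '| RPC calls made:', demoProvider.calls.length)
);
```

Run it with `node`. The guard only covers the case where a legitimate dapp is being framed; a page the attacker controls outright can skip it entirely, which is why the headers matter for every real dapp and why the wallet’s own per-site prompt remains the user’s last line of defense.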

Khazaradze said he attempted to contact MetaMask about the vulnerability on June 27. First he tried the company’s support chat feature and said he was told to make a post on the app’s GitHub. But he didn’t feel comfortable doing that.

He said he then emailed MetaMask support directly, but got an unhelpful response: “We are experiencing extremely high volumes of inquiries. In an effort to improve our efficiencies on responding to support inquiries, direct emails to support are no longer enabled.”

At that point, Khazaradze said, he gave up trying to let the team know about the vulnerability and reached out to Decrypt.

MetaMask responds

Herman Junge, a member of MetaMask’s security team, told Decrypt that the app’s support team wouldn’t have wanted an iframe vulnerability listed on GitHub.

“At MetaMask, we take iframe reports seriously and give them due procedure through our bug bounty program at HackerOne. If a security researcher sends their report using another instance, we invite them to go to HackerOne,” he said in an email. “We don’t have in our records any message where we encourage researchers to post an iframe report into GitHub.”

In an email conversation with MetaMask public relations, Decrypt described the vulnerability that the Aurox team claims to have found. In his emailed statement, Junge didn’t acknowledge the purported vulnerability or say that MetaMask would be investigating the issue.

He did, however, say that publishing an active security issue before the app’s team has a chance to address it can “put innocent people at unnecessary risk.” But so far, the language used in its support messages doesn’t mention anything about HackerOne, where MetaMask launched a bug bounty program in June.

Resorting to ‘spectacle’

In the security community, it’s professional courtesy to privately notify a company about a vulnerability for the same reason it’s courteous not to shout that someone’s fly is down. The discretion gives them a chance to fix it before other people notice. 

Reporting vulnerabilities discreetly keeps the details away from people who would exploit them before a fix ships. But when the reporting process is confusing or the recipient seems unresponsive, researchers sometimes go public before there’s a fix, usually in an effort to force the team to act.

Janine Romer, a privacy researcher and investigative journalist, said she’s seen lots of instances of people trying discreet lines of communication first and then switching to Twitter to report vulnerabilities.

“Similar things happen with Bitcoin wallets where the only way sometimes to get attention for stuff is to just tweet at people, which is bad. That should not be the way that things are handled,” she told Decrypt. “It should also be possible to report things privately and not have to make a public spectacle. But then it kind of incentivizes people to make a public spectacle because nobody’s answering privately.”

In January, Alex Lupascu, co-founder of Omnia Protocol, said on Twitter that he and his team found a “critical privacy vulnerability” in MetaMask and linked to a blog post describing how an attacker could exploit it.

Harry Denley, a security researcher who works with MetaMask, replied to ask if the team had been notified or said they were working on it. Lupascu said they had, but that he first made his report five months ago and the vulnerability was still exploitable.

Eventually MetaMask co-founder Dan Finlay weighed in.

“Yeah, I think this issue has been widely known for a long time, so I don’t think a disclosure period applies,” he wrote on Twitter. “Alex is right to call us out for not addressing it sooner. Starting to work on it now. Thanks for the kick in the pants, and sorry we needed it.”

Safely using software wallets

A couple months later, the aforementioned bug bounty program was launched. It’s not as though all MetaMask vulnerability reports go unaddressed. Web3 security firm Halborn Security reported a vulnerability that could impact MetaMask users in June and got a hat tip from the MetaMask Twitter account for it.

David Schwed, Halborn’s chief operating officer, said he found the MetaMask team responsive. They addressed and patched the vulnerability. Even so, he said users should be cautious about keeping any substantial funds in a software wallet.

“I wouldn’t necessarily take a shot at MetaMask. MetaMask serves a certain purpose right now. Now if I was an organization, I wouldn’t store hundreds of millions of dollars on MetaMask, but I probably wouldn’t store it on any particular wallet,” he said. “I would diversify my holdings and self-custody and use other security practices to manage my risk.”

For him, the safest and most responsible way to use a software wallet is to keep the private keys on a dedicated hardware signing device (often loosely called a hardware security module, or HSM). Two of the most popular hardware wallets, as these devices are known in crypto, are Ledger and Trezor.

“At the end of the day, that’s what’s actually storing my private keys and that’s where the signing of the transactions is actually happening,” Schwed said. “And your [browser] wallet is really just a mechanism to broadcast out to the chain and construct the transaction.”

Closing the gap

The problem is that not everybody uses browser extension wallets that way. But there have been efforts to address it, both by giving developers better guidance on how to build security into their apps and teaching users how to keep their funds safe. 

That’s where the CryptoCurrency Certification Consortium, or C4, comes in. It’s the same organization that created the Bitcoin and Ethereum professional certifications. Fun fact: Ethereum creator Vitalik Buterin helped write the Certified Bitcoin Professional exam before he invented Ethereum. 

Jessica Levesque, executive director at C4, said there’s still a big knowledge gap for new crypto adopters.

“What’s kind of scary about this is that people who have been around crypto for a long time probably are like, it’s pretty clear you shouldn’t keep a lot of money on MetaMask or any hot wallet. Move it off,” she told Decrypt. “But most of us, when we first started, we didn’t know that.”

On the other end of things, there’s been a prevailing assumption that open-source projects are more secure because their code is available for review by independent researchers. But code that can be reviewed is not the same as code that has been reviewed.

In fact, on Wednesday, in light of the Solana wallet hack, a developer who goes by fubuloubu on Twitter, garnered a lot of attention for saying it’s “irresponsible not to have open source code in crypto.”

Noah Buxton, who leads Armanino’s blockchain and digital asset practice and sits on C4’s CryptoCurrency Security Standard Committee, said the low visibility of smaller projects or offers to pay bug bounties in native tokens can act as a disincentive for researchers to spend their time looking at them.

“In open source, the attention of developers is driven largely by either notoriety or some monetization,” he said. “Why spend time looking for bugs on a new decentralized exchange when there’s very little liquidity, the governance token isn’t worth anything and the team wants to pay you in the governance token for a bounty. I would rather spend time on Ethereum on another layer 1.”





Tulip Protocol Officially Integrates Chainlink on Solana Mainnet





Today, Tulip Protocol announced that it has integrated Chainlink Price Feeds to help secure its yield aggregation platform running on the Solana mainnet. The team had previously stated its intention to integrate Chainlink Price Feeds, and the integration is now live. Chainlink is the leading decentralized oracle network, securing tens of billions of dollars in smart contracts, and has expanded to other blockchains including Solana, Fantom, Polygon and BNB Chain.

In a recent blog post, the team behind the Tulip Protocol explained that they had integrated Chainlink to provide users with more confidence that leveraged positions will be liquidated equitably using extremely accurate price data and that the protocol will continue to be completely collateralized at all times.

According to Tomasz Wojewoda, Head of Global Sales at Chainlink Labs:

“We’re pleased that Tulip Protocol has integrated Chainlink Price Feeds on Solana, helping secure its yield aggregation protocol with highly robust, decentralized market data. With the high-throughput performance of Solana and the strong security guarantees of the Chainlink Network, Tulip Protocol is able to empower users with a performant and secure platform.”

Tulip Protocol Seeks To Take Advantage Of Solana

Tulip Protocol brings together lenders, who earn a return on their deposits, and borrowers, who want access to leverage. Users who open leveraged positions must keep the position’s loan-to-value (LTV) ratio within a preset limit. Tulip Protocol uses the asset prices supplied by Chainlink Price Feeds to value the collateral and check that ratio. If the collateral’s value falls below the protocol’s threshold, the position is liquidated to help ensure that lenders are repaid.
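The LTV check the paragraph describes, as an added example that is not Tulip Protocol’s or Chainlink’s code: it values a position from a price feed, computes the loan-to-value ratio in basis points, flags the position once it exceeds a maximum, and refuses to act on a stale or non-positive oracle answer, which is the check a practitioner adds before any liquidation logic. The feed stub mirrors the `latestRoundData()` shape of a Chainlink aggregator; the stub itself, the position, the $40 and $35 prices, the 80% limit and the 3600-second tolerance are constructed assumptions.

```javascript
// Added example, not Tulip Protocol's or Chainlink's code: value a leveraged
// position from an oracle price, compute its loan-to-value ratio and decide
// whether it is liquidatable, with the staleness and sanity checks a
// practitioner adds before acting on any oracle answer. Chainlink aggregators
// expose latestRoundData() returning (roundId, answer, startedAt, updatedAt,
// answeredInRound) and a fixed decimals value; FeedStub is a constructed
// stand-in with that shape so the example runs offline under Node.

const MAX_PRICE_AGE_SECONDS = 3600; // assumed tolerance; tune to the feed's heartbeat

class FeedStub {
  constructor(answer, decimals, updatedAt) {
    this.answer = answer;        // BigInt price scaled by 10**decimals
    this.decimals = decimals;
    this.updatedAt = updatedAt;  // unix seconds of the last update
  }
  latestRoundData() {
    return { roundId: 1n, answer: this.answer, startedAt: this.updatedAt,
             updatedAt: this.updatedAt, answeredInRound: 1n };
  }
}

// Reject non-positive or stale answers. Liquidating on a stale price is how
// borrowers get liquidated unfairly, or lenders end up under-collateralised.
function readPrice(feed, nowSeconds) {
  const { answer, updatedAt } = feed.latestRoundData();
  if (answer <= 0n) throw new Error('oracle returned a non-positive price');
  if (nowSeconds - updatedAt > MAX_PRICE_AGE_SECONDS) throw new Error('oracle price is stale');
  return answer;
}

// LTV in basis points. Units: collateralUnits is a whole-token BigInt count,
// debtQuote is the debt in the feed's quote currency scaled by 10**decimals,
// so collateralUnits * price is at the same scale and the decimals cancel.
function ltvBps(position, price) {
  const collateralValue = position.collateralUnits * price;
  if (collateralValue === 0n) return Number.POSITIVE_INFINITY;
  return Number((position.debtQuote * 10000n) / collateralValue);
}

// Liquidatable once LTV exceeds the protocol's maximum, which is the same
// condition as the collateral's value falling below its threshold.
function evaluatePosition(position, feed, nowSeconds, maxLtvBps) {
  if (feed.decimals !== position.quoteDecimals) {
    throw new Error('feed decimals do not match the debt scale');
  }
  const price = readPrice(feed, nowSeconds);
  const ltv = ltvBps(position, price);
  return { ltvBps: ltv, liquidatable: ltv > maxLtvBps };
}

// Constructed scenario: 10 SOL of collateral against $300 of debt, 8-decimal
// SOL/USD feed, 80% maximum LTV.
const NOW = 1660000000;
const position = { collateralUnits: 10n, debtQuote: 30000000000n, quoteDecimals: 8 }; // $300.00000000
const MAX_LTV_BPS = 8000;

const atForty = new FeedStub(4000000000n, 8, NOW - 60);       // $40.00, fresh
const atThirtyFive = new FeedStub(3500000000n, 8, NOW - 60);  // $35.00, fresh
const stale = new FeedStub(4000000000n, 8, NOW - 7200);       // $40.00, two hours old

console.log(evaluatePosition(position, atForty, NOW, MAX_LTV_BPS));       // healthy: 7500 bps
console.log(evaluatePosition(position, atThirtyFive, NOW, MAX_LTV_BPS));  // liquidatable: 8571 bps
try {
  evaluatePosition(position, stale, NOW, MAX_LTV_BPS);
} catch (e) {
  console.log('stale feed rejected:', e.message);
}
```

Integer arithmetic in BigInt is deliberate: a float LTV can round a position on either side of the limit, and a liquidation engine should not depend on which way it rounds.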

Tulip Protocol intends to capitalize on Solana by letting users reinvest their income more frequently and grow their assets without paying exorbitant gas fees. Chainlink oracles can now be integrated natively on Solana, so Solana-based applications can benefit from the added security and transparency. Yesterday, OpenOcean announced that it would integrate Chainlink Price Feeds to help secure its limit-order functionality on several chains, including Avalanche, Ethereum, Polygon, Fantom and BNB Chain.

According to Senx, Co-Founder of Tulip Protocol:

 “We’re excited to be using Chainlink Price Feeds on Solana to help secure our yield aggregation platform. By leveraging the most secure and reliable on-chain data available, we’re able to provide our lenders and borrowers with greater assurances that liquidations are based on accurate price data, and the protocol will maintain a healthy loan-to-value ratio through all market conditions.” 

Allowing Stakers To Benefit From Higher APYs

Blockchain natives and newcomers alike are beginning to understand that decentralization does not by itself make a platform secure. With Web3 services regularly disclosing vulnerabilities to attacks from both inside and outside their networks, more work is needed to protect user assets. Fortunately, a growing number of blockchain businesses are adding layers of security to their services to solidify the trust of existing customers and attract new investors.

Tulip Protocol is the first yield aggregation platform built on Solana and features auto-compounding vault strategies. The dApp was built to take advantage of Solana’s low cost and high throughput, which lets the vault strategies compound frequently. Stakers can thus earn higher APYs without active management.




Is your SOL safe? What we know about the Solana hack




On this week’s episode of “The Market Report,” Cointelegraph’s resident experts discuss the latest updates concerning the recent Solana (SOL) hack.

To kick things off, we broke down the latest news in the markets this week:

Bitcoin realized price bands form key resistance as bulls lose $24K: significant whale activity between $22,000 and $24,800 adds to the complexity of the current spot market setup. Bitcoin (BTC) consolidated lower on Aug. 9 after familiar resistance preserved a multi-month trading range. When will we finally break out of this range and move toward $30K?

Institutions flocking to Ethereum for 7 straight weeks as Merge nears: “Greater clarity” around the Merge has driven institutional inflows into Ethereum products, according to a CoinShares report. Is the Merge finally around the corner, and will it bring new all-time highs for ETH, or is it already priced in?

Circle freezes blacklisted Tornado Cash smart contract addresses: crypto data aggregator Dune Analytics said that, on Monday, Circle, the issuer of the USD Coin (USDC) stablecoin, froze over 75,000 USDC worth of funds linked to the 44 Tornado Cash addresses sanctioned under the U.S. Office of Foreign Assets Control’s Specially Designated Nationals and Blocked Persons (SDN) list. Could this mark the end for Tornado Cash, or is there a way it can redeem itself?

Next up is a new segment called “Quick Crypto Tips,” which aims to give newcomers to the crypto industry quick and easy tips to get the most out of their experience. This week’s tip: Have some funds ready to buy further downturns.

Market expert Marcel Pechman then carefully examines the Bitcoin and Ether (ETH) markets. Are the current market conditions bullish or bearish? What is the outlook for the next few months? Pechman is here to break it down. The experts also go over some markets news to bring you up to date on the latest regarding the top two cryptocurrencies.

After Marcel’s market analysis, our resident experts discuss whether your SOL is safe and share the latest updates on the Solana hack. We also discuss why the network has fallen victim to so many hacks and outages, what these exploits mean for the Solana platform, and whether you should be worried.

Lastly, we’ve got insights from Cointelegraph Markets Pro, a platform for crypto traders who want to stay one step ahead of the market. The analysts use Cointelegraph Markets Pro to identify two altcoins that stood out this week: Radicle’s RAD and DigiByte’s DGB.

Do you have a question about a coin or topic not covered here? Don’t worry. Join the YouTube chat room and write your questions there. The person with the most interesting comment or question will receive a one-month free subscription to Markets Pro, worth $100!

The Market Report streams live every Tuesday at 12:00 pm ET (4:00 pm UTC), so be sure to head on over to Cointelegraph’s YouTube page and smash those like and subscribe buttons for all our future videos and updates.




Web3-Based ZepetoX to Build on Solana





Singapore, Singapore, Aug. 09, 2022 (GLOBE NEWSWIRE) — Today, the ZepetoX team (ZTX) announced its foray into the web3 space, sharing its vision to build an open world that empowers creators and communities to build, play and earn.

ZepetoX is the crypto metaverse initiative jointly incubated by ZEPETO – Asia’s largest metaverse platform with over 320 million registered users – alongside leading global blockchain organizations including Jump Crypto.

As the sole blockchain project comprehensively backed by ZEPETO, ZepetoX will have exclusive ties to ZEPETO in terms of IP including technological, design, and content assets as well as bridges to facilitate user onboarding between the two platforms. ZepetoX’s blockchain development efforts will be advised by Jump.

“ZepetoX is our official venture into the blockchain industry. We feel that web3 opportunities should be advanced through a crypto-native approach, which is why we are excited to have Jump as a contributor to developing a new platform that would have exclusive connections to ZEPETO. Overall, we believe that ZepetoX can build the ideal web3 platform to not only bring blockchain to our existing users but also to expand our footprint in the blockchain space through various disruptive initiatives,” said Daewook Kim, CEO of Naver Z – the operating entity of ZEPETO.

“We are excited to support ZepetoX’s efforts aimed at onboarding new audiences into the rapidly growing crypto space. ZEPETO’s expertise and technological know-how accumulated over the past years from building an immersive social platform will serve as a springboard for ZepetoX,” said Saurabh Sharma, Partner at Jump Crypto.

Building on the Solana network, ZepetoX will offer a web-based 3D open world with varying levels of gamification integrated as well as opportunities for users to monetize via ownership of digital assets and social interaction. Ultimately, ZepetoX aims to empower self-expression through customizable avatars and lands that can be equipped with NFTs from a rich collection of assets created by diverse creators, DAOs, or communities.

“I am thrilled to see IP powerhouses like ZepetoX choosing to build their metaverse on Solana,” said Anatoly Yakovenko, Co-Founder of Solana. “Projects like ZepetoX create new pathways for onboarding millions of users to web3.”

“Our global team brings a depth of crypto native experiences and our goal is to build on the foundation of ZEPETO to spearhead the adoption of blockchain among metaverse users, developers, and creators,” said co-CEO of ZepetoX, Chris Chang.

In the coming months, ZepetoX will launch its first land sale. The lands will be tradable on the ZepetoX marketplace, which will feature a variety of different NFTs as the open world project evolves. Further details on the sale will be available on the ZepetoX website in the coming weeks.


About ZepetoX: ZepetoX (ZTX) is a web3 company building an immersive content-driven platform for users to create, trade digital assets and enjoy social interaction. Founded in 2022, ZepetoX is the blockchain initiative of ZEPETO, widely regarded as the largest Asia-based metaverse platform boasting over 320 million lifetime users with over 2.5 billion virtual fashion items sold.







Copyright © 2022 CASHVerse LLC.