1 Executive Summary
This report presents the results of our engagement with MetaMask to review the MetaMask MobyMask MVP Snap code base.
The review was conducted over one week, from April 24, 2023 to April 28, 2023, by Bernhard Gomig. A total of 5 person-days were spent.
Overall, no issue was identified within the MobyMask code. However, one Major issue was identified within the remaining code base, which was not in scope of this assessment. Due to the criticality of this vulnerability, the issue is mentioned for completeness. Further details can be found in section 3.1.
2 Scope
The following files were in scope of this security assessment:
- code/packages/snap/src/index.ts (39bddb55bd581ca10fa995edc5bbc7d40acbdb3a)
- code/packages/snap/src/insights.ts (af70ec186681474bb46b32584797d066f1ec9d8d)
In addition, parts of the wider repository at commit f3236b21ea5e5bb341c6b64857ebfc8ab93038e4 were consulted to get a better understanding of the underlying snap interactions.
2.1 Objectives
Together with the MetaMask MobyMask Snap team, we identified the following priorities for our review:
- Ensure that the system is implemented consistently with the intended functionality, and without unintended edge cases.
- Identify vulnerabilities and provide recommendations on how to remediate them.
3 Findings
Issues are assigned a severity reflecting the risk they pose to the system and business scenarios. The rating is an enriched variant of the CVSS scoring system, taking additional information about the system, its intended use case scenarios, and the trust relationships - as outlined by the client - into account. For reference, the generic CVSSv2 Base Score is provided along with every issue.
Each issue has an assigned severity:
- Critical issues have a significant impact on Confidentiality, Integrity, or Availability of systems or data. Accessibility is unrestricted or negligible.
- Major issues have a significant impact on Confidentiality, Integrity, or Availability of systems or data. Accessibility of the vulnerability is more restricted.
- Medium issues have a partial impact on Confidentiality, Integrity, or Availability of systems or data. Accessibility of the vulnerability is more restricted or requires additional information.
- Minor issues have limited or no direct impact on Confidentiality, Integrity, or Availability of systems or data.
3.1 Dependencies With Publicly Known Vulnerabilities (Out of Scope)
Severity: Major
3.2 Description
The snaps project defines a dependency (@truffle/[email protected]) within the yarn.lock file that is vulnerable to publicly known weaknesses rated as High or Medium in the CVSS scoring system. It should be noted that the identified areas were not directly in the scope of the code review and are listed for the sake of completeness.
The following weaknesses were identified in the dependency tree of @truffle/[email protected]:
- Denial of Service (Regular Expression Denial of Service)
  - decode-uri-component: CVE-2022-38900 (CVSSv3 7.5)
  - http-cache-semantics: CVE-2022-25881 (CVSSv3 7.5)
  - cookiejar: CVE-2022-25901 (CVSSv3 7.5 - 5.3)
  - ws: CVE-2021-32640 (CVSSv3 5.3)
- Server-Side Request Forgery
  - request: CVE-2023-28155 (CVSSv3 6.5)
- Open Redirect
  - got: CVE-2022-33987 (CVSSv3 5.3)
- Insecure Credential Storage
  - web3: SNYK-JS-WEB3-174533 (CVSSv3 3.3)
3.3 Recommendation
Review all identified dependencies and update to the newest stable version where applicable. Additionally, review the current patch policy to ensure that components are updated as soon as a fix exists. For the identified vulnerable components, the following versions provide fixes:
- [email protected]
- [email protected]
- [email protected]
- [email protected], @12.1.0
- [email protected], @6.2.2, @5.2.3
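One way to make the recommendation above checkable on every build, as an added example that is not part of this report or of the audited code base: the TypeScript below parses a yarn.lock (v1 format), compares each resolved version against the patched releases an advisory lists, and flags anything older. The advisory table carries only the two packages whose fixed versions this report states explicitly (got: 11.8.5 and 12.1.0; ws: 7.4.6, 6.2.2 and 5.2.3). The lockfile excerpt is constructed for illustration, and the rule that a major line older than any patched line counts as vulnerable is an assumption of the example, not a statement from the report.

```typescript
// Added example (not the project's code): audit a yarn.lock v1 file against a
// small advisory table of "first patched release per affected major line".

interface Advisory {
  id: string;        // advisory identifier
  pkg: string;       // npm package name
  fixedIn: string[]; // first patched release on each affected major line
}

// Only the advisories whose patched versions the report lists explicitly.
const ADVISORIES: Advisory[] = [
  { id: "CVE-2022-33987", pkg: "got", fixedIn: ["11.8.5", "12.1.0"] },
  { id: "CVE-2021-32640", pkg: "ws", fixedIn: ["7.4.6", "6.2.2", "5.2.3"] },
];

type SemVer = [number, number, number];

function parseSemVer(v: string): SemVer {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareSemVer(a: SemVer, b: SemVer): number {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Assumption of this example: a resolved version is vulnerable when it is below
// the patched release on its own major line, or when its major line is older
// than every patched line (no fix was ever published for it). Majors newer than
// every patched line are treated as unaffected.
function isVulnerable(version: string, fixedIn: string[]): boolean {
  const v = parseSemVer(version);
  let oldestFixedMajor = Infinity;
  for (let i = 0; i < fixedIn.length; i++) {
    const f = parseSemVer(fixedIn[i]);
    if (f[0] === v[0]) return compareSemVer(v, f) < 0;
    if (f[0] < oldestFixedMajor) oldestFixedMajor = f[0];
  }
  return v[0] < oldestFixedMajor;
}

interface LockEntry { name: string; version: string; }

// Minimal yarn.lock v1 parser: an unindented line ending in ":" opens an entry
// with one or more comma-separated descriptors ("name@range"); the indented
// `version "x.y.z"` line that follows gives the resolved version.
function parseYarnLockV1(text: string): LockEntry[] {
  const entries: LockEntry[] = [];
  let names: string[] = [];
  const lines = text.split("\n");
  for (let i = 0; i < lines.length; i++) {
    const line = lines[i].replace(/\r$/, "");
    if (line === "" || line.charAt(0) === "#") continue;
    if (/^\S.*:$/.test(line)) {
      names = [];
      const descriptors = line.slice(0, -1).split(",");
      for (let j = 0; j < descriptors.length; j++) {
        const d = descriptors[j].trim().replace(/^"|"$/g, "");
        // Strip the range after the last "@" so scoped names keep their leading "@".
        const name = d.slice(0, d.lastIndexOf("@"));
        if (names.indexOf(name) === -1) names.push(name);
      }
      continue;
    }
    const m = /^\s+version\s+"([^"]+)"/.exec(line);
    if (m) {
      for (let j = 0; j < names.length; j++) entries.push({ name: names[j], version: m[1] });
    }
  }
  return entries;
}

interface Finding { id: string; pkg: string; version: string; }

function auditLock(text: string, advisories: Advisory[] = ADVISORIES): Finding[] {
  const findings: Finding[] = [];
  const entries = parseYarnLockV1(text);
  for (let i = 0; i < entries.length; i++) {
    for (let j = 0; j < advisories.length; j++) {
      const adv = advisories[j];
      if (adv.pkg === entries[i].name && isVulnerable(entries[i].version, adv.fixedIn)) {
        findings.push({ id: adv.id, pkg: entries[i].name, version: entries[i].version });
      }
    }
  }
  return findings;
}

// Constructed lockfile excerpt (not taken from the audited repository).
const SAMPLE_LOCK = `# yarn lockfile v1

"got@^11.8.0", got@^11.8.3:
  version "11.8.3"
  resolved "https://registry.yarnpkg.com/got/-/got-11.8.3.tgz"

got@^12.0.0:
  version "12.1.0"

"@scope/safe-pkg@^1.0.0":
  version "1.2.3"

ws@^5.0.0:
  version "5.2.2"

"ws@^7.4.0":
  version "7.4.5"

ws@^8.0.0:
  version "8.13.0"
`;

const findings = auditLock(SAMPLE_LOCK);
for (let i = 0; i < findings.length; i++) {
  console.log(`${findings[i].id}: ${findings[i].pkg}@${findings[i].version} is below the patched release`);
}
```

Run against the sample, the script reports got 11.8.3, ws 5.2.2 and ws 7.4.5; got 12.1.0 and ws 8.13.0 pass. In a real pipeline the advisory table would be fed from an advisory database rather than hard-coded, and the check should fail the build so that the patch policy the report asks for is enforced rather than remembered.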
Appendix 1 - Disclosure
ConsenSys Diligence (“CD”) typically receives compensation from one or more clients (the “Clients”) for performing the analysis contained in these reports (the “Reports”). The Reports may be distributed through other means, including via ConsenSys publications and other distributions.
The Reports are not an endorsement or indictment of any particular project or team, and the Reports do not guarantee the security of any particular project. This Report does not consider, and should not be interpreted as considering or having any bearing on, the potential economics of a token, token sale or any other product, service or other asset. Cryptographic tokens are emergent technologies and carry with them high levels of technical risk and uncertainty. No Report provides any warranty or representation to any Third-Party in any respect, including regarding the bugfree nature of code, the business model or proprietors of any such business model, and the legal compliance of any such business. No third party should rely on the Reports in any way, including for the purpose of making any decisions to buy or sell any token, product, service or other asset. Specifically, for the avoidance of doubt, this Report does not constitute investment advice, is not intended to be relied upon as investment advice, is not an endorsement of this project or team, and it is not a guarantee as to the absolute security of the project. CD owes no duty to any Third-Party by virtue of publishing these Reports.
PURPOSE OF REPORTS The Reports and the analysis described therein are created solely for Clients and published with their consent. The scope of our review is limited to a review of code and only the code we note as being within the scope of our review within this report. Any Solidity code itself presents unique and unquantifiable risks as the Solidity language itself remains under development and is subject to unknown risks and flaws. The review does not extend to the compiler layer, or any other areas beyond specified code that could present security risks. Cryptographic tokens are emergent technologies and carry with them high levels of technical risk and uncertainty. In some instances, we may perform penetration testing or infrastructure assessments depending on the scope of the particular engagement.
CD makes the Reports available to parties other than the Clients (i.e., “third parties”) – on its website. CD hopes that by making these analyses publicly available, it can help the blockchain ecosystem develop technical best practices in this rapidly evolving area of innovation.
LINKS TO OTHER WEB SITES FROM THIS WEB SITE You may, through hypertext or other computer links, gain access to web sites operated by persons other than ConsenSys and CD. Such hyperlinks are provided for your reference and convenience only, and are the exclusive responsibility of such web sites’ owners. You agree that ConsenSys and CD are not responsible for the content or operation of such Web sites, and that ConsenSys and CD shall have no liability to you or any other person or entity for the use of third party Web sites. Except as described below, a hyperlink from this web Site to another web site does not imply or mean that ConsenSys and CD endorses the content on that Web site or the operator or operations of that site. You are solely responsible for determining the extent to which you may use any content at any other web sites to which you link from the Reports. ConsenSys and CD assumes no responsibility for the use of third party software on the Web Site and shall have no liability whatsoever to any person or entity for the accuracy or completeness of any outcome generated by such software.
TIMELINESS OF CONTENT The content contained in the Reports is current as of the date appearing on the Report and is subject to change without notice, unless indicated otherwise by ConsenSys and CD.