MetaMask Program Statistics


12 total issues disclosed

$2,600 total paid publicly

Most disclosed (2 disclosures) — Business Logic Errors



Disclosed Reports


| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
| --- | --- | --- | --- | --- |
| Authorization Bypass in Starknet Snap via enableAuthorize parameter leads to unauthorized transaction signing | Business Logic Errors | aszx87410 | Medium | 2026-03-13 |
| total Failure of password protection while extracting seed phrase! increases attack surface area for scammers | Authentication Bypass Using an Alternate Path or Channel | bug_vs_me | Medium | 2025-07-31 |
| Missing ^ Line Beginner Leads to Origin Spoofing | None supplied | pkkr | High | 2025-05-20 |
| Missing Line Terminator on allowedOrigins enables origin spoofing | Improper Access Control - Generic | pkkr | High | 2024-10-29 |
| MetaMask Browser (on Android) does not enforce Content-Security-Policy header | Cross-site Scripting (XSS) - Reflected | renniepak | Medium | 2024-08-27 |
| Arbitrary file write triggered by deeplink abuse - MetaMask Android | Business Logic Errors | hackerontwowheels | Medium | 2023-07-07 |
| MetaMask Browser URL and Transaction Origin Spoofing - Metamask wallet Android & Metamask wallet iOS | Cross-site Scripting (XSS) - Stored | renekroka | High | 2023-07-04 |
| Possible to spoof Origin in "Connected Sites" | User Interface (UI) Misrepresentation of Critical Information | renniepak | Low | 2023-04-13 |
| Bypass parsing of transaction data, users on the phishing site will transfer/approve ERC20 tokens without being alerted | Improper Input Validation | ronnyx2017 | Low | 2023-04-10 |
| CSV Injection at https://assets-paris-demo.codefi.network/ | Command Injection - Generic | 0xjackal | Medium | 2023-01-04 |
| Sub-Domain Takeover at http://www.codefi.consensys.net/ | Improper Access Control - Generic | krrish_hackk | Medium | 2022-12-16 |
| Public Postman Api Collection Leaks Internal access to https://assets-paris-dev.codefi.network/ | Insecure Storage of Sensitive Information | polem4rch | Medium | 2022-05-14 |