Project Description / Executive Summary As MetaMask expands its extensibility model and prepares to support more complex use cases across desktop and mobile, the need for hardened, standards-based security foundations is more urgent than ever. Agoric plays a critical role in securing MetaMask’s extensibility infrastructure, enabling its expanding ecosystem—including Snaps and LavaMoat—to operate safely at scale. Our work hardens the JavaScript runtime, improves compatibility across developer tooling, and drives the standardization of key security and communication protocols. Without this foundation, MetaMask would face heightened risk from supply chain attacks, unsafe third-party code execution, and inconsistent behavior across platforms—especially as LavaMoat extends to Android and deepens its plugin model. Agoric’s ongoing support allows MetaMask to confidently position itself as both extensible and secure, reinforcing its reputation as the most trusted wallet in Web3. This trust is a key brand asset, particularly as MetaMask’s user base grows and developers increasingly rely on the platform to build safe, reliable experiences.
Project Goals MetaMask is currently engaged in contributions to Agoric’s Hardened JavaScript foundation libraries for:
- extending support for LavaMoat to React Native,
- direct support for ECMAScript modules in LavaMoat,
- increasing npm ecosystem compatibility for Hardened JavaScript,
- bundling plugins (like Snaps),
- communication between components (like next generation OCap Kernel Snaps),
- standardization and implementation of the OCapN capability transfer protocol.

To further these efforts, Agoric seeks support to continue:
- regular meetings with engineers on the MetaMask engineering team to support MetaMask’s Snaps, LavaMoat, OCap Kernel, and OCapN activities.
- review of MetaMask’s contributions to the Hardened JavaScript ecosystem.
- support for continuous integration testing of Hardened JavaScript foundations on modern browsers and the Hermes JavaScript engine for React Native.
- timely production releases of shared software, no less frequently than once per month upon request.
- advancing standards at ECMA TC-39 and specifically TG-3 that protect the existing language invariants that make Hardened JavaScript viable today and enshrine features of Hardened JavaScript in the JavaScript specification to increase the performance and ecosystem compatibility with LavaMoat and the Snaps execution environment.
- providing timely incident management for vulnerability discovery in the Hardened JavaScript shim (SES) and supporting libraries and including MetaMask in the early incident response for responsibly disclosed vulnerabilities.
Target Milestones In addition to supporting MetaMask’s engineering activities, we intend to make progress on specific JavaScript standards initiatives at ECMA TC-39. In 2021, we organized a movement called Module Harmony that includes the bulk of the necessary features for a native implementation of Hardened JavaScript, and worked with our partners at Moddable to prove these proposals in their virtual machine. From this effort in 2025 we will seek to advance:
- Virtual Modules from Stage 1 to 2.7 https://github.com/tc39/proposal-compartments/blob/master/0-module-and-module-source.md
- Compare Strings by Unicode Code Point from to Stage 2 https://github.com/endojs/proposal-compare-strings-by-codepoint
- Evaluators to Stage 1 https://github.com/tc39/proposal-compartments/blob/master/3-evaluator.md
- Immutable ArrayBuffer from Stage 0 to 3 https://github.com/tc39/proposal-immutable-arraybuffer
- Don’t Remember Panicking from Stage 1 to 2 https://github.com/tc39/proposal-oom-fails-fast/tree/master

We will also support the advancement of proposals championed by other delegates that create progress for Hardened JavaScript.
- Source Phase Imports from Stage 2.7 to 3 https://github.com/tc39/proposal-source-phase-imports
- ESM Phase Imports from Stage 2.7 to 3 https://github.com/tc39/proposal-esm-phase-imports
- Prohibition of additional private fields to non-extensible objects from Stage 0 to 1 https://github.com/syg/proposal-nonextensible-applies-to-private
- Composites to Stage 1 https://github.com/acutmore/proposal-composites
Timeline / Path to Production No timeline. We provide support for MetaMask’s engineering activities.
About Team Agoric is a world-class engineering organization with more than a century of collective experience in language-based security and the JavaScript language. Mark S. Miller was one of the architects of ECMAScript 5 in 2011, the first modern JavaScript specification. Mark consults directly with MetaMask and oversees Agoric’s Hardened JavaScript and related software. Kris Kowal serves as Agoric’s liaison to MetaMask engineers. Mathieu Hofman and Michael FIG support MetaMask’s security engineering activities. These engineers and scientists are active delegates to ECMA TC-39, the standards body for the JavaScript language (ECMAScript). Kris Kowal also serves as co-editor of pre-standardization of OCapN, a mutual interest of MetaMask, Agoric, and Spritely Institute, based on Mark S. Miller’s seminal E programming language. Our CEO, Dean Tribble, and Mark S. Miller invented Promises Pipelining. http://agoric.com/team
Team Size and Funding Status Agoric has enjoyed two previous grants over the last five years. For our 2021–2022 grant, we supported the development of Snaps. For our 2023–2024 grant of $500k, we delivered a prototype for MetaMask’s next generation Snaps.
Funding Request 500000
Budget Breakdown All of the above funds support the availability of Agoric engineering contributions that support MetaMask engagements including security incident response, standards efforts, design discussion, code reviews, testing, and training at the long-standing cadence described above. We estimate the use of funds as follows, subject to the needs of MetaMask and the evolving scope of collaboration:
- ~$350K – Engineering contributions across shared libraries, extensibility infrastructure, and ongoing collaboration
- ~$100K – Standards participation, testing, and cross-platform compatibility work
- ~$50K – Security support, training, code review, project coordination, and release management
What specific software license does the grantee intend to publish under? Apache Software License v2
What is your/the team's legal status and vendor information? Agoric Systems Operating Company is a C Corporation, 100% owned by Agoric Systems, LLC which is a partnership with equity investors. Employees have profit units in the LLC. Both the OpCo and LLC are US-based entities.
Does the team agree to open source all code produced as a result of a successful grant application? Yes
Other Information / Relevant Links / Supporting Documents
Have you been referred to apply by a MetaMask team member/worked with us in the past? Please feel free to share your experience We’ve met with a cast of MetaMask engineers on a weekly cadence since 2020, including Aaron Davis, Dan Finlay, Erik Marks, Zbigniew Tenerowicz, Chris Hiller, Leo T. Marinen, Ryan Peters, and others over the years. Chip Morningstar on MetaMask’s OCap Kernel team originally participated in these engagements as an early engineer at Agoric.