Ledger Addresses Connector Breach Affecting DApps
Ledger acted swiftly on Dec. 14 to counter a breach impacting decentralized applications (DApps) such as Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash. The security incident involved Ledger’s connector, but the company quickly resolved the issue by substituting the compromised file with a genuine one within three hours.
Ledger advises users to confirm transaction authenticity by always verifying with “Clear Sign,” stressing that the details shown on the Ledger device screen are the genuine ones. The company warns users not to proceed when the details on the Ledger device screen differ from those shown on the computer or phone screen during a transaction.
SushiSwap’s CTO, Matthew Lilley, first reported the issue, pointing to a compromised Web3 connector that allowed malicious code to be injected into various DApps. Inspection of the Ledger library confirmed the compromise: a drainer account address had been inserted into the vulnerable code.
🚨🚨🚨 RED ALERT 🚨🚨🚨:
Do not interact with ANY dApps until further notice. It appears that a commonly used web3 connector has been compromised which allows for injection of malicious code affecting numerous dApps.
— I'm Software 🦇🔊 (@MatthewLilley) December 14, 2023
Lilley attributed the ongoing vulnerability affecting multiple DApps to Ledger, alleging that Ledger’s content delivery network had been compromised so that DApps loaded compromised JavaScript from it.
The Ledger connector, a library maintained by Ledger and widely used by numerous DApps, now contains a wallet drainer. The drainer cannot move assets out of a user’s account on its own, but if the user approves the prompts it triggers in a browser wallet such as MetaMask, it gains the access the malicious actors need.
Lilley cautioned users against using DApps that rely on the Ledger connector, pointing to the vulnerability in the “connect-kit.” This is not an isolated incident but a widespread attack affecting multiple DApps.
The vulnerability with Ledger Connect Kit should be resolved now 🙏
This appears to have been an EVM-only exploit, but we can confirm Phantom users on dapps with compromised front-ends would have seen the proper warnings in our transaction preview.
— Phantom (@phantom) December 14, 2023
Hudson Jameson, vice president of Polygon Labs, emphasized that even after Ledger fixes the flawed code in its library, projects that use it must update to the fixed version before DApps relying on Ledger’s Web3 libraries are safe to use.
The statement from Blockaid’s co-founder and CEO, Ido Ben-Natan, mentioned:
“Ledger users are not at risk if not transacting. It is not exploitable on prior approvals. Revoke.cash specifically is affected, so don’t interact with it. The number of impacted funds is hundreds of thousands of dollars over the past two hours. Many websites are still affected, and users are getting hit.”
Ledger acknowledged the flaw in its code and confirmed that it had removed a malicious version of the Ledger Connect Kit, adding that a legitimate version was being deployed to replace the compromised file.
🚨We have identified and removed a malicious version of the Ledger Connect Kit. 🚨
A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves.
Your Ledger device and…
— Ledger (@Ledger) December 14, 2023