
Ledger Fixes Vulnerability Exploited by Several DApps

Ledger Addresses Connector Breach Affecting DApps

Ledger acted swiftly on Dec. 14 to counter a breach impacting decentralized applications (DApps) such as Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash. The security incident involved Ledger’s connector, but the company quickly resolved the issue by substituting the compromised file with a genuine one within three hours.


Ledger advises users to ensure transaction authenticity by always verifying “Clear Sign,” stressing that Ledger’s screen displays genuine details. The company warns against discrepancies between Ledger’s device screen and the computer/phone screen during transactions.

SushiSwap’s CTO, Matthew Lilley, initially reported the issue, highlighting a compromised Web3 connector that allowed malicious code injection into various DApps. The compromise of the Ledger library was confirmed, with the drainer account address found inserted in the vulnerable code.

Lilley attributed the ongoing vulnerability affecting multiple DApps to Ledger, alleging that Ledger’s content delivery network suffered a compromise, leading to the loading of compromised JavaScript.

The Ledger connector, a library managed by Ledger and widely utilized by numerous DApps, now contains a wallet drainer. While asset draining might not occur autonomously from a user’s account, prompts from browser wallets such as MetaMask could grant access to malicious actors.

Lilley cautioned users against using DApps that rely on the Ledger connector, pointing to the vulnerability in the “connect-kit.” This isn’t an isolated incident but a widespread attack affecting multiple DApps.

Hudson Jameson, vice president of Polygon Labs, emphasized that even after Ledger fixes the flawed code in its library, projects that use it must update before it is safe to use DApps that rely on Ledger’s Web3 libraries.

Blockaid’s co-founder and CEO, Ido Ben-Natan, stated:

“Ledger users are not at risk if not transacting. It is not exploitable on prior approvals. Revoke.cash specifically is affected, so don’t interact with it. The number of impacted funds is hundreds of thousands of dollars over the past two hours. Many websites are still affected, and users are getting hit.”

Ledger recognized the flaw in its code and confirmed the removal of a malicious version of the Ledger Connect Kit. They assured that a legitimate version is currently being deployed to replace the compromised file.
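
The failure described above, a connector file served from a CDN being swapped for a malicious version, is the case a pinned Subresource Integrity (SRI) hash is meant to catch. The following is an added example, not code from Ledger or any affected DApp; the script contents, the URL and all function names are constructed for illustration.

```javascript
const { createHash } = require('node:crypto');

// Relative strength of the hash algorithms SRI allows.
const STRENGTH = new Map([['sha256', 1], ['sha384', 2], ['sha512', 3]]);

// Build an SRI integrity token ("sha384-<base64 digest>") for script bytes.
function sriHash(bytes, alg = 'sha384') {
  return `${alg}-${createHash(alg).update(bytes).digest('base64')}`;
}

// Check bytes against a pinned integrity value. The value may hold several
// space-separated tokens; as in browsers, only the strongest algorithm
// present is considered. Unlike a browser, this check fails closed when no
// usable token is present.
function verifyIntegrity(bytes, integrity) {
  const tokens = integrity.trim().split(/\s+/)
    .map((tok) => ({ tok, alg: tok.split('-')[0] }))
    .filter((t) => STRENGTH.has(t.alg));
  if (tokens.length === 0) return false;
  const best = Math.max(...tokens.map((t) => STRENGTH.get(t.alg)));
  return tokens
    .filter((t) => STRENGTH.get(t.alg) === best)
    .some((t) => t.tok === sriHash(bytes, t.alg));
}

// Deploy-time gate: decide whether a file fetched from the CDN may be used.
function auditCdnResponse(bytes, pinned) {
  return verifyIntegrity(bytes, pinned) ? 'load' : 'block';
}

// Emit the script tag that makes the browser enforce the same pin.
function scriptTag(url, pinned) {
  return `<script src="${url}" integrity="${pinned}" crossorigin="anonymous"></script>`;
}

// Constructed sample inputs: not the real connector, not a real address.
const GENUINE = Buffer.from('export const connect = (tx) => sign(tx, tx.to);');
const TAMPERED = Buffer.from('export const connect = (tx) => sign(tx, "0xCONSTRUCTED");');
// The pin is computed once from the reviewed file and committed with the DApp.
const PINNED = sriHash(GENUINE);

console.log(auditCdnResponse(GENUINE, PINNED));   // reviewed file
console.log(auditCdnResponse(TAMPERED, PINNED));  // file swapped on the CDN
console.log(scriptTag('https://cdn.example/connector.js', PINNED));
```

A pin of this kind only helps when the page references a fixed, versioned file; a script that is itself allowed to fetch whatever the CDN currently serves is outside what the pin covers.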
