Decentralized applications pause Ledger Connect as exploit patch deployed
More decentralized applications (DApps) have temporarily disabled their front-end user interface for Ledger Connect amid a December 14 exploit.
Developers of the nonfungible token (NFT) platform announced on Dec. 14 that users “should not connect to any dApps using Ledger Connect until further notice.”
Meanwhile, decentralized finance (DeFi) protocol Lido Finance said “fronts are off as a precautionary measure while the Ledger connection issue is being investigated.”
Earlier in the day, the front ends of Zapper, SushiSwap, Phantom, Balance and Revoke.cash were compromised as part of the Ledger Connect exploit. Ledger says the exploit comes from a “malicious version of the Ledger Connect Kit.”
“A real version is now being pushed to replace the malicious file. Do not connect to any dApps for now. We will let you know when the situation improves.”
Initial reports indicate the attack wiped out at least $484,000 worth of digital assets. Tether, the issuer of the Tether (USDT) stablecoin, has since frozen the exploiter's address. According to Ledger developers, the “real version” of the Ledger Connect Kit is “now being deployed automatically.” That means users are advised to wait 24 hours before using the kit again.
The exploit stems from a phishing attack on a former Ledger employee, which allowed hackers to access sensitive information. “We have filed a complaint to find the attacker and are working with law enforcement on the investigation,” the developers wrote. They spent approximately two hours during the disbursement and adjustment period.
Final timeline and update to customers:
4:49 pm CET:
Ledger Connect Kit real version 1.1.8 is now automatically distributed. We recommend that you wait 24 hours before using the Ledger Connect Kit again.
The investigation continues, here's the timeline we know…
— Ledger (@Ledger) December 14, 2023