Ledger fixes a library vulnerability after several DApps that use its Connector library were compromised
Update (December 14, 2:45 PM UTC): This article has been updated to report that Ledger has fixed the issue.
The front ends of several decentralized applications (DApps) that use Ledger's Connector library, including Zapper, SushiSwap, Phantom, Balancer and Revoke.cash, were compromised on December 14. About three hours after the breach was discovered, Ledger reported that the malicious version of the file had been replaced with the genuine version at around 1:35 PM UTC.
Ledger is warning users to “always Clear Sign”: the addresses and information shown on the Ledger device's screen are the only genuine information. “If there is a discrepancy between the screen displayed on your Ledger device and your computer/phone screen, stop the transaction immediately.”
SushiSwap's Chief Technical Officer Matthew Lilley was among the first to report the issue, saying that a commonly used Web3 connector had been compromised, allowing malicious code to be injected into multiple DApps. An on-chain analyst confirmed the address of the drainer contract used by the vulnerable code in the Ledger library.
Red alert
Do not connect to any dApps until further notice. A commonly used Web3 connector appears to be compromised, allowing the injection of malicious code affecting many dApps.
— I'm Software (@MatthewLilley) December 14, 2023
Lilley blamed Ledger for a chain of vulnerabilities affecting multiple DApps: Ledger's content delivery network (CDN) was compromised, and DApps loaded JavaScript from that compromised network.
Ledger's @ledgerhq/connect-kit npm package seems to have been hacked; the latest version was published 2 hours ago. pic.twitter.com/AsbA675D9Q
— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) December 14, 2023
Ledger Connector is a library used by many DApps and maintained by Ledger. The compromised version included a wallet drainer, so the withdrawal of assets from a user's account may not be automatic. However, the requests it makes to browser wallets such as MetaMask are visible to the user and may give malicious actors access to the assets if approved.
Lilley warned users to avoid any DApps that use the Ledger connector, as the “connect-kit” package is also vulnerable, and said this was not a single attack but a large-scale attack on multiple DApps.
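The article describes a compromised npm package that DApps loaded as JavaScript from Ledger's CDN. Two defensive checks that address this failure mode are pinning the bytes a site loads with a Subresource Integrity (SRI) hash and auditing a lockfile entry for an exact version and integrity pin. The following Python is an added example for this page, not code from the article, Ledger or any affected project; the package name `@example/connect-kit`, the script bytes and the lockfile contents are constructed placeholders, not values from the incident.

```python
"""Verify fetched script or package bytes against a pinned SRI string and audit
a package-lock.json entry for an exact pin.

Added example; all package names, versions and script contents are constructed
placeholders, not values from the Ledger Connect Kit incident."""
import base64
import hashlib
import hmac
import json

# Hash algorithms accepted by the SRI specification.
SUPPORTED = {"sha256", "sha384", "sha512"}


def make_integrity(data: bytes, algo: str = "sha512") -> str:
    """Produce an SRI string ("sha512-<base64 digest>") for known-good bytes,
    suitable for an <script integrity="..."> attribute or a lockfile field."""
    if algo not in SUPPORTED:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_integrity(data: bytes, integrity: str) -> bool:
    """Return True if data matches at least one entry of an SRI string.

    SRI permits several space-separated entries. Entries with an unknown
    algorithm or malformed base64 are skipped, so a string with no usable
    entry fails closed (returns False) rather than accepting anything."""
    for entry in integrity.split():
        algo, _, b64 = entry.partition("-")
        if algo not in SUPPORTED or not b64:
            continue
        try:
            expected = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        actual = hashlib.new(algo, data).digest()
        # Constant-time comparison; different lengths compare unequal.
        if hmac.compare_digest(actual, expected):
            return True
    return False


def audit_lock_entry(lock: dict, package: str, pinned_version: str,
                     pinned_integrity: str) -> list:
    """Check a package-lock.json (lockfileVersion 2/3 'packages' map) entry
    for an exact version pin and an unchanged integrity hash.
    Returns a list of findings; an empty list means the entry is as pinned."""
    findings = []
    entry = lock.get("packages", {}).get(f"node_modules/{package}")
    if entry is None:
        return [f"{package}: not present in lockfile"]
    version = entry.get("version")
    if version != pinned_version:
        findings.append(f"{package}: version {version!r} != pinned {pinned_version!r}")
    integrity = entry.get("integrity")
    if not integrity:
        findings.append(f"{package}: no integrity field; tarball cannot be verified")
    elif integrity != pinned_integrity:
        findings.append(f"{package}: integrity changed (package republished?)")
    return findings


# Constructed sample inputs (not real package contents).
KNOWN_GOOD = b"export function connect() { return 'ok'; }\n"
TAMPERED = KNOWN_GOOD + b"// unexpected code appended by a later publish\n"
PINNED_VERSION = "1.0.1"
PINNED_INTEGRITY = make_integrity(KNOWN_GOOD)

GOOD_LOCK = json.loads(json.dumps({
    "lockfileVersion": 3,
    "packages": {"node_modules/@example/connect-kit": {
        "version": PINNED_VERSION, "integrity": PINNED_INTEGRITY}},
}))
# Same package, but a newer version with a different hash has slipped in.
BAD_LOCK = json.loads(json.dumps({
    "lockfileVersion": 3,
    "packages": {"node_modules/@example/connect-kit": {
        "version": "1.0.2", "integrity": make_integrity(TAMPERED)}},
}))

if __name__ == "__main__":
    print("known-good verifies:", verify_integrity(KNOWN_GOOD, PINNED_INTEGRITY))
    print("tampered verifies:", verify_integrity(TAMPERED, PINNED_INTEGRITY))
    for lock in (GOOD_LOCK, BAD_LOCK):
        print(audit_lock_entry(lock, "@example/connect-kit",
                               PINNED_VERSION, PINNED_INTEGRITY))
```

The lockfile check covers dependencies installed through npm; a script loaded at run time from a CDN is not covered by any lockfile, which is why `verify_integrity` (the same check a browser performs for a script tag's `integrity` attribute) matters separately: a republished package behind the same URL then fails to load instead of executing.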
The vulnerability in Ledger Connect Kit should now be resolved.
This appears to be an EVM-only exploit, but we can confirm that Phantom users on Dapps will see the correct warnings in our transaction preview for affected frontends.
— Phantom (@phantom) December 14, 2023
Hudson Jameson, vice president of Polygon Labs, said that even after Ledger fixes the bad code in the library, projects that use and deploy the library will need to update before DApps using Ledger's Web3 libraries are safe to use.
It looks like $610k+ was stolen
Drainer client: 0x658729879fca881d9526480b82ae00efc54b5c2d; drainer payment address: 0x412f10AAd96fD78da6736387e2C84931Ac20313f pic.twitter.com/NDo2
— ZachXBT (@zachxbt) December 14, 2023
Ido Ben-Natan, founder and CEO of Blockaid, told Cointelegraph:
“Ledger users are not at risk if they do not transact. It cannot be used on prior approvals. Revoke.cash is especially vulnerable, so don't interact with it. Funds affected are hundreds of thousands of dollars in the last two hours. Many websites are still affected, and users are getting hit.”
Ledger acknowledged the vulnerability in its code and said it had “removed a malicious version of the Ledger Connect Kit,” adding that “a genuine version is now being pushed to replace the malicious file.”
We have identified and removed a malicious version of Ledger Connect Kit.
Now a genuine version is being pushed to replace the malicious file. Do not connect to any dApps for now. We will keep you updated as the situation improves.
Your Ledger device and…
— Ledger (@Ledger) December 14, 2023